Adding a SubjectConfirmation for an AttributeQuery

Juhani Gurney juhani at eduix.fi
Mon Nov 26 08:36:15 EST 2012


Hi All,

After a successful SSO event we need to connect to another source to retrieve additional attributes for a user with an AttributeQuery. We are trying to use the SimpleAggregation AttributeResolver but so far haven't been able to configure it to create a query accepted by the Attribute Authority.

In the technical documentation for the service (Attribute Authority) there is an example of the message that should be generated:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

<SOAP-ENV:Header/>
<SOAP-ENV:Body>

<samlp:AttributeQuery xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://..../AttributeService" ID="_1202b3485dbf5fee270c62504d6e055f246de2e3" IssueInstant="2007-11-29T13:44:25.816Z" Version="2.0">

<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://..../sp</saml:Issuer>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
…
</ds:Signature>

<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">example_userid</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/> 
</saml:Subject>

<saml:Attribute Name="query">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">roles-by-userid</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="userid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">example_userid</saml:AttributeValue>
</saml:Attribute>

</samlp:AttributeQuery>

</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


My shibboleth2.xml looks like this for the SimpleAggregation:

<AttributeResolver type="SimpleAggregation">
<Entity>https://....</Entity>
<saml:Attribute Name="query">
 <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">roles-by-userid</saml:AttributeValue>
</saml:Attribute>
<MetadataProvider type="XML" file="query-metadata.xml"/>
</AttributeResolver>

Which produces a message like (skipping most of the xml to the interesting part):

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://...." SPNameQualifier="https://...">THE-CORRECT-USERID-FROM-THE-SSO-SESSION</saml:NameID>
</saml:Subject>

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="query">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">roles-by-userid</saml:AttributeValue>
</saml:Attribute>

According to the admins of the service the error is related to the missing SubjectConfirmation element. So my first question is, how do I configure Shib to add...
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/> 
… to the message?

Also, as you can see from the example, the service also expects us to send the userid as an attribute (I don't quite understand why as it is in the NameID). Is there a way of doing that?

We are using Shibboleth SP 2.4.3.


Thanks for any advice!

-- 
Juhani Gurney
CTO

+358 40 7624785
juhani.gurney at eduix.fi

Eduix Ltd
Hämeenkatu 26
33200 Tampere
Finland
http://www.eduix.fi
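As an added example (my own code, not from the post above nor from Shibboleth SP), a small check that parses an AttributeQuery and reports the two differences the post describes: a Subject without the sender-vouches SubjectConfirmation, and a userid attribute that is missing or does not match the NameID. It relies only on the SAML 2.0 namespaces shown in the messages; the sample queries it builds are constructed and the issuer URL is a placeholder.

```python
# Added example (not from the original post or from Shibboleth): lint an
# AttributeQuery against the shape the Attribute Authority documents above.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

def check_attribute_query(xml_text):
    """Return a list of problems; an empty list means the query matches."""
    root = ET.fromstring(xml_text)
    # Accept either a bare AttributeQuery or one wrapped in a SOAP envelope.
    query = (root if root.tag == "{%s}AttributeQuery" % NS["samlp"]
             else root.find(".//samlp:AttributeQuery", NS))
    if query is None:
        return ["no samlp:AttributeQuery element found"]
    problems = []
    name_id = query.find("saml:Subject/saml:NameID", NS)
    subject_id = (name_id.text or "").strip() if name_id is not None else ""
    if not subject_id:
        problems.append("Subject has no NameID")
    confirmations = query.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not any(c.get("Method") == SENDER_VOUCHES for c in confirmations):
        problems.append("Subject lacks SubjectConfirmation Method=" + SENDER_VOUCHES)
    # Map Name -> [values] for the query's top-level saml:Attribute elements.
    attrs = {a.get("Name"): [(v.text or "").strip()
                             for v in a.findall("saml:AttributeValue", NS)]
             for a in query.findall("saml:Attribute", NS)}
    if attrs.get("query") != ["roles-by-userid"]:
        problems.append("missing or unexpected 'query' attribute")
    if not attrs.get("userid"):
        problems.append("missing 'userid' attribute")
    elif subject_id and attrs["userid"] != [subject_id]:
        problems.append("'userid' attribute does not match Subject NameID")
    return problems

def sample_query(with_confirmation, with_userid, userid="example_userid"):
    """Constructed sample (not a real capture); the issuer URL is a placeholder."""
    conf = ('<saml:SubjectConfirmation Method="%s"/>' % SENDER_VOUCHES
            if with_confirmation else "")
    uid = ('<saml:Attribute Name="userid"><saml:AttributeValue>%s'
           '</saml:AttributeValue></saml:Attribute>' % userid if with_userid else "")
    return ('<samlp:AttributeQuery xmlns:saml="%s" xmlns:samlp="%s" ID="_c" Version="2.0">'
            '<saml:Issuer>https://sp.example.org/sp</saml:Issuer>'
            '<saml:Subject><saml:NameID>example_userid</saml:NameID>%s</saml:Subject>'
            '<saml:Attribute Name="query"><saml:AttributeValue>roles-by-userid'
            '</saml:AttributeValue></saml:Attribute>%s</samlp:AttributeQuery>'
            ) % (NS["saml"], NS["samlp"], conf, uid)
```

Run it over the query your SP actually emits (the SOAP envelope is accepted as-is) to confirm which of the two elements the Attribute Authority is missing before changing configuration.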
