where is transientId in SAML assertion
David Bantz
dabantz at alaska.edu
Wed Sep 24 17:53:35 EDT 2014
So the transientId is in the NameID in Subject of the SAML assertion in the example I previously sent.
Thanks Chris.
A different vendor is unable to properly interpret the SAML assertion from my IdP,
and I haven’t been able to fathom why not, but I notice that, despite parallel
debug log entries saying that transientId will be used to construct the NameID, a corresponding
NameID is not in the Subject. Instead there’s an EncryptedID.
[We know I’m sending the required attributes to the right end point at the vendor SP, but
alas, the vendor’s support staff have no access to any logs on their side of the transaction,
and they have no example of a SAML assertion that works with their SP,
so I’m floundering on what might be wrong and I might need to change. The vendor
is Blackboard Transact and eAccounts.]
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
- Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
- Retaining attribute oktanameid which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:690]
- Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717]
- Selecting the first attribute that can be encoded in to a name identifier
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501]
- Name identifier for relying party 'https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt' will be built from attribute 'transientId'
10:13:00.501 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868]
- Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://sp...
10:13:00.501 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:733]
- Attempting to encrypt NameID to relying party 'https://sp...'
10:13:00.518 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:279]
- Assertion to be encrypted is:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8af127d6c08c145ea4d685a6d7b15935" IssueInstant="2014-09-24T18:13:00.497Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:alaska.edu</saml2:Issuer>
<saml2:Subject>
<saml2:EncryptedID>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_534e2d085ea251250b2c002dd8145e0c" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="_b20ce7ab579b8187fbb9317730046e00" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>…………</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>…………</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedID>
…
</saml2:Subject>
The audit log affirms that transientId was sent:
20140924T181300Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_A5769940A111B3384C7CB42D7DD85A86|https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt|urn:mace:shibboleth:2.0:profiles:saml2:sso|urn:mace:incommon:alaska.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_102ff00baad293c853ccee7284f68bf6|djdewolfe|urn:oasis:names:tc:SAML:2.0:ac:classes:Password|BbTLastName,transientId,BbTFirstName,BbTemail,BbTusername,BbTbannerID,oktanameid,|_bb39377c01d1057a84575052456c6a20||
On Mon, 22 Sep 2014, at 14:04 , Christopher Bongaarts <cab at umn.edu> wrote:
> Yes (the value is "_59dd...0492".)
>
> On 9/22/2014 5:02 PM, David Bantz wrote:
>> Elementary question:
>> where, in the IdP’s SAML assertion, is the transientId <https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTransientNameIdentifier> ("released to anyone" as recommended)?
>>
>> Is it the ID in the assertion... NameID in the Subject portion ?
>>
>> from process log:
>>
>> 11:40:34.099 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
>> - Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
>> 11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
>> - Retaining attribute oktanameid which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>> 11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:690]
>> - Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
>> 11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717]
>> - Selecting the first attribute that can be encoded in to a name identifier
>> 11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501]
>> - Name identifier for relying party 'https://••••' will be built from attribute 'transientId'
>> 11:40:34.101 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868]
>> - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://••••••'
>>
>> SAML assertion fragments:
>>
>> <?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://••••" ID="_5a83f3c5e2d3e9f6eb30a6fbcc98f1cc" IssueInstant="2014-09-22T21:39:45.977Z" Version="2.0">…
>>
>> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ade790abe4f75d0b979b039ce18912ea" IssueInstant="2014-09-22T21:39:45.977Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">...
>>
>> <saml2:Subject>
>> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="urn:mace:incommon:alaska.edu" SPNameQualifier="urn:amazon:webservices">_59ddcabea831dd654d8a75364ac70492</saml2:NameID>...
>>
>>
>
> --
> %% Christopher A. Bongaarts %% cab at umn.edu %%
> %% OIT - Identity Management %% http://umn.edu/~cab %%
> %% University of Minnesota %% +1 (612) 625-1809 %%
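The two Subject shapes that appear in this thread, a clear-text transient NameID (the 22 Sep fragment) and an EncryptedID produced when the IdP encrypts the NameID for a particular relying party (the 24 Sep fragment, matching the "Attempting to encrypt NameID" log line), can be told apart mechanically. The script below is an added example for this thread; it is not code from the list posts or from Shibboleth. The two assertions it parses are constructed from the fragments quoted above, with placeholder certificate and ciphertext values, and the parser uses only the Python standard library. It also separates the assertion's own ID attribute from the NameID value, which is the distinction the original question asked about. An SP that receives the EncryptedID form must hold the private key matching the certificate carried in ds:KeyInfo to recover the NameID; without that key the format and value are unreadable to it.

```python
"""Report how a SAML 2.0 assertion conveys its name identifier:
a clear-text <saml2:NameID> or an <saml2:EncryptedID> (XML Encryption).
Added example for the list thread; not Shibboleth code."""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed from the 22 Sep fragment in the thread (clear NameID).
PLAINTEXT_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ade790abe4f75d0b979b039ce18912ea" IssueInstant="2014-09-22T21:39:45.977Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:alaska.edu</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="urn:mace:incommon:alaska.edu" SPNameQualifier="urn:amazon:webservices">_59ddcabea831dd654d8a75364ac70492</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed from the 24 Sep fragment (EncryptedID); certificate and
# ciphertext are placeholders, not real values.
ENCRYPTED_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8af127d6c08c145ea4d685a6d7b15935" IssueInstant="2014-09-24T18:13:00.497Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:alaska.edu</saml2:Issuer>
  <saml2:Subject>
    <saml2:EncryptedID>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_534e2d085ea251250b2c002dd8145e0c" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <xenc:EncryptedKey Id="_b20ce7ab579b8187fbb9317730046e00">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            </xenc:EncryptionMethod>
            <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
            <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-WRAPPED-KEY</xenc:CipherValue></xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </saml2:EncryptedID>
  </saml2:Subject>
</saml2:Assertion>"""


def describe_subject(assertion_xml: str) -> dict:
    """Parse one saml2:Assertion and describe what its Subject carries."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml2"]:
        raise ValueError("not a saml2:Assertion: %s" % root.tag)
    info = {
        # The assertion's ID attribute is NOT the transient identifier.
        "assertion_id": root.get("ID"),
        "issuer": (root.findtext("saml2:Issuer", namespaces=NS) or "").strip(),
        "subject": None,
    }
    subject = root.find("saml2:Subject", namespaces=NS)
    if subject is None:
        return info
    name_id = subject.find("saml2:NameID", namespaces=NS)
    if name_id is not None:
        info["subject"] = "NameID"
        info["format"] = name_id.get("Format")
        info["value"] = (name_id.text or "").strip()
        info["sp_name_qualifier"] = name_id.get("SPNameQualifier")
        return info
    enc = subject.find("saml2:EncryptedID", namespaces=NS)
    if enc is not None:
        info["subject"] = "EncryptedID"
        data = enc.find("xenc:EncryptedData", namespaces=NS)
        # Content-encryption algorithm (e.g. aes128-cbc) sits directly under EncryptedData.
        method = data.find("xenc:EncryptionMethod", namespaces=NS)
        info["data_algorithm"] = method.get("Algorithm") if method is not None else None
        # Key-transport algorithm and recipient certificate sit under KeyInfo/EncryptedKey.
        key = data.find("ds:KeyInfo/xenc:EncryptedKey", namespaces=NS)
        key_method = key.find("xenc:EncryptionMethod", namespaces=NS) if key is not None else None
        info["key_transport_algorithm"] = key_method.get("Algorithm") if key_method is not None else None
        cert = key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) if key is not None else None
        info["recipient_cert_present"] = cert is not None
        return info
    info["subject"] = "other"
    return info


def diagnose(info: dict) -> str:
    """One-line reading of describe_subject() output."""
    kind = info.get("subject")
    if kind == "NameID":
        label = "transient" if info["format"] == TRANSIENT else "non-transient"
        return "clear %s NameID %s (format %s)" % (label, info["value"], info["format"])
    if kind == "EncryptedID":
        return ("NameID encrypted to the SP (%s, key transport %s); the SP needs the private "
                "key for the certificate in KeyInfo to read its format and value"
                % (info["data_algorithm"], info["key_transport_algorithm"]))
    return "no NameID or EncryptedID in Subject"


if __name__ == "__main__":
    for sample in (PLAINTEXT_ASSERTION, ENCRYPTED_ASSERTION):
        d = describe_subject(sample)
        print(d["assertion_id"], "->", diagnose(d))
```

Run it as-is to see the two diagnoses side by side; point describe_subject() at a decoded SAMLResponse's Assertion element to check what a given SP is actually receiving.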