NameID Attribute in SAML Response
Michael Dahlberg
olgamirth at gmail.com
Tue Aug 18 09:09:15 EDT 2015
An SP that I’m working with has asked that we provide the NameID (attribute … not sure if NameID can be called an attribute) within the Subject of a SAML response, like so:
<samlp:Response ID="_18779159-49ac-4117-9375-d4cdebe27dd9"
                InResponseTo="_1379467c-4b48-4f77-8459-9c405d6e8330"
                Version="2.0"
                IssueInstant="2015-08-14T08:02:34.377Z"
                Destination="https://admin.pageuppeople.local//gateway/SAML.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://slipstream.queen.pageup.com.au/adfs/services/trust</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_18779159-49ac-4117-9375-d4cdebe27dd9">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>5YZDmHrRWvWXKv3IcwqgvVg5Pgk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue><!-- Sig --></ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate><!--Cert --></ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_6845f6fc-75c8-4b15-a6c3-ba7db4239a03"
             IssueInstant="2015-08-14T08:02:34.377Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
             xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer>http://slipstream.queen.pageup.com.au/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_6845f6fc-75c8-4b15-a6c3-ba7db4239a03">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>b5JwJcr6TmSvtzmXxHCFfXHma4M=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue><!-- Sig --></ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><!-- Cert --></ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>stepheno</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_1379467c-4b48-4f77-8459-9c405d6e8330"
                                 NotOnOrAfter="2015-08-14T08:07:34.377Z"
                                 Recipient="https://admin.pageuppeople.local//gateway/SAML.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2015-08-14T08:02:34.377Z" NotOnOrAfter="2015-08-14T09:02:34.377Z">
      <AudienceRestriction>
        <Audience>https://admin.pageuppeople.local/</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2015-08-14T08:02:17.696Z" SessionIndex="_6845f6fc-75c8-4b15-a6c3-ba7db4239a03">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
I’m not quite sure how to do this; most attributes that I release are within the “message” part of the SAML response. I’ve tried looking in the wiki but I must be looking in the wrong area. Can you point me to the correct location in the wiki or provide an example?
Thanks,
Mike
--
Michael Dahlberg
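As an added example (not code from the post above or from the Shibboleth project), a small Python checker that shows the difference the SP is asking about: it reports whether the NameID is present in the Assertion's Subject rather than only as an attribute, and whether the bearer SubjectConfirmationData refers to the same request the Response answers. The embedded Response is a constructed sample modelled on the one quoted above, with placeholder IDs and recipient.

```python
"""Locate the NameID an SP will consume in a SAML 2.0 Response.

Added example: finds the NameID inside <Subject> of the Assertion (what the
SP in the thread asked for) instead of only in an <AttributeStatement>.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modelled on the response quoted above; signatures,
# Status, Conditions and the AuthnStatement are omitted for brevity.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>stepheno</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://sp.example.test/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>stepheno</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def subject_nameid(response_xml):
    """Return (nameid, format, ok): the Subject NameID value, its Format
    attribute (None means the SAML default 'unspecified'), and whether the
    bearer confirmation references the same request the Response answers."""
    root = ET.fromstring(response_xml)
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    conf = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS)
    if nameid is None:
        return None, None, False  # SP would have to fall back to attributes
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    ok = (conf is not None and conf.get("Method") == BEARER
          and data is not None and data.get("InResponseTo") == root.get("InResponseTo"))
    return nameid.text, nameid.get("Format"), ok
```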