Multiple Name ID's in IdP 2.x for Google Apps

Leung, Warren wleung at it.ucla.edu
Mon Aug 24 17:06:08 EDT 2015


Hi,

We are planning on upgrading to IdP 3.x early next year!  However we are in
the process of upgrading our 2.x instance and have a QA setup with the
latest version with some other internal enhancements. We are trying to
connect our Google Apps test instance with our QA instance, but it seems
like the IdP is releasing transientId (we release transientId for all)
over principal.  Configurations are the same (except for entityIDs and
ACS URLs).  It is functioning correctly in our older 2.x production
instance as well.  Below are the IdP logs:

13:45:33.336 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717] - [iam-shb-q02-0daa1afd-4aa1-11e5] Selecting the first attribute that can be encoded in to a name identifier
13:45:33.336 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501] - [iam-shb-q02-0daa1afd-4aa1-11e5] Name identifier for relying party 'google.com' will be built from attribute 'transientId'
13:45:33.336 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868] - [iam-shb-q02-0daa1afd-4aa1-11e5] Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'google.com'


I've read the documentation at
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier.
Below is our Google metadata and attribute resolver for principal:

<EntityDescriptor entityID="google.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/hostname.ucla.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>

<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>


I thought that the filtering would occur with the SP metadata thus using
the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.  Am I missing
another configuration somewhere?  I can get it to work when I add a
DenyValueRule in the attribute filter for Google Apps.

Thanks

Warren
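The DenyValueRule workaround Warren mentions, written out as an IdP 2.x attribute-filter.xml policy scoped to the google.com relying party (an added example, not code from the original post or from the Shibboleth project). The policy id is made up, and it assumes transientId is released to every SP by a separate, pre-existing policy in the same file; in the IdP 2.x filter engine a deny rule in any matching policy overrides a permit elsewhere, so transientId drops out of the candidate list and principal becomes the only attribute with a NameID encoder.

```xml
<!-- Added example: attribute-filter.xml policy for the google.com relying party.
     Assumes transientId is released to all SPs by another policy in this file.
     The xmlns declarations normally live on the root AttributeFilterPolicyGroup;
     they are repeated here only so the fragment is self-contained. -->
<afp:AttributeFilterPolicy id="googleAppsNameID"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Apply only when the requester is the Google Apps entityID from the metadata above -->
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />

    <!-- Deny wins over any permit, so transientId no longer qualifies as the
         "first attribute that can be encoded" into a NameID for this SP -->
    <afp:AttributeRule attributeID="transientId">
        <afp:DenyValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- principal (SAML2StringNameID encoder, unspecified format) is then the only candidate -->
    <afp:AttributeRule attributeID="principal">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

After reloading the filter, the AbstractSAMLProfileHandler:501 log line quoted above should name 'principal' rather than 'transientId' for relying party 'google.com'; other relying parties keep receiving transientId from the broader policy.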


