IdP 2.4 and Okta/Adobe.com SSO
Andrew Morgan
morgan at orst.edu
Mon Aug 31 13:16:40 EDT 2015
On Sat, 29 Aug 2015, Kathy E. Wright wrote:
> I am trying to integrate our Shibboleth IdP 2.4 with Okta's SAML dashboard
> for Adobe.com. We can release eppn to them as a NameID but only in
> transient or persistent format. Adobe says the NameID needs to be
> "unspecified" and I haven't been able to get that working. Does anyone have
> a solution?
Kathy,
Here is my IDP v2.4 configuration for Adobe/Okta:
attribute-filter.xml:
<!-- Adobe attributes -->
<afp:AttributeFilterPolicy id="adobe">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://www.okta.com/saml2/service-provider/spi1fhbo6hBnuyO5O0x7" />
    <!-- Block the default transientId so the SP gets adobe-principal as the NameID instead -->
    <afp:AttributeRule attributeID="transientId">
        <afp:DenyValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="adobe-principal">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="adobe_firstname">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="adobe_lastname">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="adobe_email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
attribute-resolver.xml:
<!-- Adobe NameID attribute: EPPN encoded as a persistent-format NameID -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe-principal" sourceAttributeID="eduPersonPrincipalName">
    <resolver:Dependency ref="ONIDLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
<!-- Adobe attributes: released under the attribute names the SP expects -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_firstname" sourceAttributeID="givenName">
    <resolver:Dependency ref="ONIDLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="FirstName" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_lastname" sourceAttributeID="sn">
    <resolver:Dependency ref="ONIDLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="LastName" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_email" sourceAttributeID="eduPersonPrincipalName">
    <resolver:Dependency ref="ONIDLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Email" />
</resolver:AttributeDefinition>
This configuration turns the EPPN into a Persistent NameID. In the SAML
dashboard, we chose "Email Address" as the identifier and created users in
Adobe using the EPPN value. The filter blocks the release of transientId,
so that the adobe-principal is released instead.
Let me know if you have any questions. I set this up just a week ago.
Andy
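Before pointing the SP at the IdP it is worth confirming that an assertion actually carries a persistent-format NameID holding the EPPN plus the FirstName/LastName/Email attributes, and that no transient NameID leaked through the filter. The script below is an added example, not code from the thread or from Shibboleth; the sample assertions, the issuer URL, the user values and the assertion IDs are constructed for the demonstration.

```python
"""Check a captured SAML 2.0 assertion against what an SP such as the
Adobe/Okta dashboard expects: a persistent NameID carrying the EPPN and the
FirstName, LastName and Email attributes. Added example; sample data below is
constructed, not a real capture."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ADOBE_ATTRIBUTES = ["FirstName", "LastName", "Email"]

# Constructed assertion shaped like what the resolver/filter above would emit.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2015-08-31T17:16:40Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe@example.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion from an IdP that did NOT deny transientId: the NameID is
# a per-session opaque value, so the SP cannot match it to a provisioned user.
TRANSIENT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2015-08-31T17:16:40Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_4f2c9a7e1b</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the Subject NameID (value and Format) and all attributes."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "nameid_value": nameid.text if nameid is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "attributes": attributes,
    }


def check_assertion(xml_text, expected_format=NAMEID_PERSISTENT,
                    required_attrs=ADOBE_ATTRIBUTES):
    """Return a list of findings; an empty list means the assertion matches
    what the SP configuration described in the thread needs."""
    info = parse_assertion(xml_text)
    findings = []
    if info["nameid_value"] is None:
        findings.append("no NameID in Subject")
    else:
        if info["nameid_format"] == NAMEID_TRANSIENT:
            findings.append("NameID is transient: transientId was not denied by the filter")
        elif info["nameid_format"] != expected_format:
            findings.append("NameID format is %s, expected %s"
                            % (info["nameid_format"], expected_format))
        # The dashboard matches users on email, so the NameID should be the
        # same EPPN value that is released in the Email attribute.
        email_values = info["attributes"].get("Email", [])
        if email_values and info["nameid_value"] not in email_values:
            findings.append("NameID value does not match the Email attribute")
    for name in required_attrs:
        if not any(info["attributes"].get(name, [])):
            findings.append("missing attribute %s" % name)
    return findings


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("transient", TRANSIENT_ASSERTION)):
        print(label, check_assertion(xml_text) or "OK")
```

Run it against a decoded assertion captured with the browser's SAML tracer (or the IdP's own log output) to see the same checks applied to real traffic; the transient sample shows what an assertion looks like when the DenyValueRule on transientId is missing.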