IdP 2.4 and Okta/Adobe.com SSO
Kathy E. Wright
kewrig at clemson.edu
Mon Aug 31 14:21:10 EDT 2015
Andy,
Thank you very much. Adobe has insisted that the NameID format be
"unspecified." I see yours is persistent:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe-principal"
sourceAttributeID="eduPersonPrincipalName">
<resolver:Dependency ref="ONIDLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</resolver:AttributeDefinition>
On Mon, Aug 31, 2015 at 1:16 PM, Andrew Morgan <morgan at orst.edu> wrote:
> On Sat, 29 Aug 2015, Kathy E. Wright wrote:
>
>> I am trying to integrate our Shibboleth IdP 2.4 with Okta's SAML dashboard
>> for Adobe.com. We can release eppn to them as a NameID but only in
>> transient or persistent format. Adobe says the NameID needs to be
>> "unspecified" and I haven't been able to get that working. Does anyone
>> have
>> a solution?
>>
>
> Kathy,
>
> Here is my IDP v2.4 configuration for Adobe/Okta:
>
> attribute-filter.xml:
>
> <!-- Adobe attributes -->
> <afp:AttributeFilterPolicy id="adobe">
> <afp:PolicyRequirementRule
> xsi:type="basic:AttributeRequesterString" value="
> https://www.okta.com/saml2/service-provider/spi1fhbo6hBnuyO5O0x7" />
> <afp:AttributeRule attributeID="transientId">
> <afp:DenyValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="adobe-principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="adobe_firstname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="adobe_lastname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="adobe_email">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> attribute-resolver.xml:
>
> <!-- Adobe NameID attribute -->
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="adobe-principal" sourceAttributeID="eduPersonPrincipalName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
> </resolver:AttributeDefinition>
>
> <!-- Adobe attributes -->
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="adobe_firstname" sourceAttributeID="givenName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="FirstName" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_lastname"
> sourceAttributeID="sn">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="LastName" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_email"
> sourceAttributeID="eduPersonPrincipalName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Email"
> />
> </resolver:AttributeDefinition>
>
>
> This configuration turns the EPPN into a Persistent NameID. In the SAML
> dashboard, we chose "Email Address" as the identifier and created users in
> Adobe using the EPPN value. The filter blocks the release of transientId,
> so that the adobe-principal is released instead.
>
> Let me know if you have any questions. I set this up just a week ago.
>
> Andy
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
--
Infrastructure & Ops
Clemson University
CCIT, 340 Computer Court
Anderson, SC 29625
kewrig at clemson.edu
(864) 656-8133
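The thread turns on which NameID format actually reaches the SP, and the quickest way to settle that is to look at the assertion the IdP emits rather than the resolver config. The following Python script is an added example and is not part of this thread or of any Shibboleth project code. It parses a SAML 2.0 Response (here a constructed sample shaped like the quoted resolver/filter output, with signature and conditions omitted), reports the NameID format and value plus the released FirstName/LastName/Email attributes, and lists mismatches against the format the SP says it needs. The function names and the sample values are assumptions. Two facts it relies on: the "unspecified" format is the SAML 1.1 URI `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`, and SAML 2.0 Core treats a NameID with no Format attribute as unspecified.

```python
"""Inspect the NameID and attributes in a SAML 2.0 Response an IdP sent (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID format URIs defined by the SAML 2.0 Core and SAML 1.1 specs.
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample, not a captured message: the shape the quoted resolver and
# filter configuration would produce (EPPN as persistent NameID, three attributes).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_resp1" Version="2.0" IssueInstant="2015-08-31T18:00:00Z">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2015-08-31T18:00:00Z">
    <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe@example.edu</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="LastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def summarize_assertion(xml_text):
    """Return NameID format/value and the attribute map from the first Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Assertion" % NS["saml2"]:
        assertion = root
    else:
        assertion = root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion found in the document")
    nameid = assertion.find("./saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in assertion.findall("./saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "nameid_value": (nameid.text or "").strip() if nameid is not None else None,
        # SAML 2.0 Core: a NameID with no Format attribute means "unspecified".
        "nameid_format": nameid.get("Format", FMT_UNSPECIFIED) if nameid is not None else None,
        "attributes": attrs,
    }


def check_release(summary, expected_format, required=("FirstName", "LastName", "Email")):
    """List mismatches between what the IdP sent and what the SP says it needs."""
    problems = []
    fmt = summary["nameid_format"]
    if fmt is None:
        problems.append("no NameID in Subject: neither transientId nor a NameID-encoded attribute was released")
    elif fmt != expected_format:
        problems.append("NameID format is %s, SP expects %s" % (fmt, expected_format))
    if fmt == FMT_TRANSIENT:
        problems.append("transient NameID is opaque and per-session; the SP cannot map it to an account")
    for name in required:
        if not summary["attributes"].get(name):
            problems.append("attribute %s missing or empty" % name)
    email = (summary["attributes"].get("Email") or [None])[0]
    if email and summary["nameid_value"] and email != summary["nameid_value"]:
        problems.append("Email attribute and NameID differ; SP matching on 'Email Address' may fail")
    return problems


if __name__ == "__main__":
    # Usage: paste the decoded Response from a SAML tracer into SAMPLE_RESPONSE.
    s = summarize_assertion(SAMPLE_RESPONSE)
    print("NameID:", s["nameid_format"], s["nameid_value"])
    for fmt in (FMT_PERSISTENT, FMT_UNSPECIFIED):
        print(fmt.rsplit(":", 1)[1], "->", check_release(s, fmt) or "OK")
```

Run against a decoded Response captured from the browser, the script shows in one line whether the Subject carries the persistent EPPN value, an opaque transient identifier, or no NameID at all, which is the distinction the filter policy above is meant to control.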