nameID selection in v2 legacy mode
Andrew Morgan
morgan at orst.edu
Mon Dec 28 17:01:23 EST 2015
I'm trying to work around a problem that appeared when we upgraded from
IDP v2.4 to v3.2. Apparently, the upgrade broke our integration with
Xfinity On Campus. From their support:
"The issue is due to incompatible characters in the NameID format sent by
IDP to OpenAM 10 (web player). The NameID is a random sequence generated
during each request. Subsequent requests may not have the incompatible
chars."
I noticed that the transientID format changed between IDP versions. In
v2.4 it looked like:
_d310b69731ffed1a7d3e000f53a00159
and the new format looks like:
AAhzZWNyZXQxMWYQJXf38p45OtFirFQEN74Fhf754tB9NtRUck3YwTTzhGdWwNYsreb+zE/LUXTCZeCU1lnAf5b9OGzTsumeTqE5tmqybm1vZnWtVh9YY71ApO1HmrbgHHoZ9D8VIIh2pBPMhj76g+WQvMGf
(base64 encoded, I think).
Anyways, I've been trying to force a different NameID value for their SP,
but I always get some transientID.
I'm running the legacy NameID generators still because we haven't had time
to switch to the new configuration yet.
I created a new attribute for the NameID:
    <!-- comcast NameID attribute -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="comcast-principal" sourceAttributeID="eduPersonPrincipalName">
        <resolver:Dependency ref="ONIDLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>
and updated my filters to block transientID and release the NameID:
    <!-- release comcast prod campusHousing and principal attributes -->
    <AttributeFilterPolicy id="comcast_prod">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://university.ccp.xcal.tv:443/openam" />
            <Rule xsi:type="Requester" value="https://xocsp.ccp.xcal.tv:8443/openam" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="transientId">
            <DenyValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="comcast-principal">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="comcast_campushousing">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="0" ignoreCase="true" />
                <Rule xsi:type="Value" value="1" ignoreCase="true" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>
I removed the "unspecified" NameIDFormat from their metadata and even set
an override in relying-party.xml:
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://university.ccp.xcal.tv:443/openam', 'https://xocsp.ccp.xcal.tv:8443/openam'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            </list>
        </property>
    </bean>
But I can't seem to get around the fact that their SAML request asks for
transient:
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        SPNameQualifier="https://xocsp.ccp.xcal.tv:8443/openam"
                        AllowCreate="true"
    />
Here is what is logged when a request comes through:
2015-12-28 13:55:20,738 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:158] - Profile Action ProcessRequestedAuthnContext: Ignoring AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
2015-12-28 13:55:21,544 - INFO [Shibboleth-Audit.SSO:241] - 20151228T215521Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|s21fce04aa49a8d477a73b49351401957a3654dfd4|https://xocsp.ccp.xcal.tv:8443/openam|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://login.oregonstate.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_bbdece61edef9ee9382b0dd07b62b7dd|morgana|urn:oasis:names:tc:SAML:2.0:ac:classes:Password|commonName,eduPersonPrimaryAffiliation,eduPersonScopedAffiliation,eduPersonAffiliation,eduPersonTargetedID,surname,comcast_campushousing,givenName,eduPersonPrincipalName,comcast-principal|AAhzZWNyZXQxMpj2MlgA1D033vFSkhbHVF2PELKJDMzvgLDU/2aC02TeqXNG6keRV1z55p0usSsxhw4Ef55DVWKgDOuzpNBwlCaY/7r0aqcQ1wuVqsHXShu9PIiR+qPNbKpZYADIscbjEgXutJc/mAT+YFE9|_1bb7a0251119b89ac4b1eeeaaf5676fe|
Am I stuck until they fix their SP? Thoughts?
Thanks,
Andy
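The following is an added example, not code from the post above or from the Shibboleth project. It takes the NameID values quoted in the post and the SP's NameIDPolicy fragment and shows concretely what changed between the two IdP versions: the v2 value is an underscore plus 32 hex digits, while the v3 value is standard base64 (alphabet A-Z, a-z, 0-9, "+", "/", "=") whose decoded bytes begin with a 2-byte big-endian length and a key alias, which is the layout the IdP 3 DataSealer writes (Java writeUTF of the sealer key alias) in front of the encrypted payload. The "safe" character set used for the check is an assumption made here for the demonstration, since the vendor's note does not say which characters OpenAM rejects; the sample values themselves are copied from the post.

```python
"""Inspect the transient NameID values quoted in the post.

Added example; not from the original post or the Shibboleth project.
Assumptions are marked in comments.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Values copied from the post: the IdP v2.4 transient ID and two IdP v3.2 ones
# (the first from the body of the post, the second from the audit log line).
V2_TRANSIENT = "_d310b69731ffed1a7d3e000f53a00159"
V3_TRANSIENT = (
    "AAhzZWNyZXQxMWYQJXf38p45OtFirFQEN74Fhf754tB9NtRUck3YwTTzhGdW"
    "wNYsreb+zE/LUXTCZeCU1lnAf5b9OGzTsumeTqE5tmqybm1vZnWtVh9YY71A"
    "pO1HmrbgHHoZ9D8VIIh2pBPMhj76g+WQvMGf"
)
V3_AUDIT_TRANSIENT = (
    "AAhzZWNyZXQxMpj2MlgA1D033vFSkhbHVF2PELKJDMzvgLDU/2aC02TeqXNG"
    "6keRV1z55p0usSsxhw4Ef55DVWKgDOuzpNBwlCaY/7r0aqcQ1wuVqsHXShu9"
    "PIiR+qPNbKpZYADIscbjEgXutJc/mAT+YFE9"
)
TRANSIENT_URN = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The NameIDPolicy the SP sends, copied from the post.
NAMEID_POLICY = """<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    SPNameQualifier="https://xocsp.ccp.xcal.tv:8843/openam"
    AllowCreate="true"
/>"""

# IdP v2 "stored" transient ID: underscore followed by 32 lowercase hex digits.
V2_PATTERN = re.compile(r"^_[0-9a-f]{32}$")

# ASSUMPTION: a conservative identifier alphabet. The vendor note does not say
# which characters OpenAM chokes on, so this set is only for the demonstration.
SAFE_CHAR = re.compile(r"[A-Za-z0-9._-]")


def classify(name_id):
    """Label a NameID as the v2 stored format, the v3 crypto (base64) format,
    or unknown. Returns one of 'v2-stored', 'v3-crypto', 'unknown'."""
    if V2_PATTERN.match(name_id):
        return "v2-stored"
    try:
        base64.b64decode(name_id, validate=True)
    except (ValueError, binascii.Error):
        return "unknown"
    return "v3-crypto"


def unsafe_chars(name_id):
    """Characters of the NameID outside SAFE_CHAR, in order of first appearance.
    Standard base64 can contain '+', '/' and '=', none of which are in the set."""
    seen = []
    for ch in name_id:
        if not SAFE_CHAR.match(ch) and ch not in seen:
            seen.append(ch)
    return seen


def sealer_key_alias(name_id):
    """Parse the DataSealer prefix of a v3 crypto transient ID.

    Layout assumed here (Java DataOutputStream.writeUTF of the key alias,
    then IV and AES-GCM ciphertext, which this function does not decrypt):
        2 bytes  big-endian alias length
        N bytes  alias (the sealer key's base name plus a version counter)
        rest     IV + ciphertext
    Returns (alias, number_of_remaining_bytes).
    """
    raw = base64.b64decode(name_id, validate=True)
    alias_len = int.from_bytes(raw[:2], "big")
    alias = raw[2:2 + alias_len].decode("utf-8")
    return alias, len(raw) - 2 - alias_len


def requested_format(policy_xml):
    """Return the Format attribute of a samlp:NameIDPolicy element."""
    return ET.fromstring(policy_xml).get("Format")


def explain(name_id):
    """One-line summary of why an SP with a restricted alphabet may reject it."""
    kind = classify(name_id)
    bad = unsafe_chars(name_id)
    if kind == "v3-crypto":
        alias, rest = sealer_key_alias(name_id)
        return f"{kind}: sealer key {alias!r}, {rest} encrypted bytes, unsafe chars {bad}"
    return f"{kind}: unsafe chars {bad}"


if __name__ == "__main__":
    print("SP asks for:", requested_format(NAMEID_POLICY))
    for value in (V2_TRANSIENT, V3_TRANSIENT, V3_AUDIT_TRANSIENT):
        print(explain(value))
```

Running it shows that the SP explicitly asks for the transient format, that the v2 value is purely `_` plus hex, and that both v3 values are sealed blobs (key alias `secret11` and `secret12`, a rotating sealer key version) containing `+` and `/`, so whether a given request "has the incompatible chars" depends only on which base64 characters the ciphertext happens to produce.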