Problem passing attribute once upgrading to version 3

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Thu Jul 16 11:04:52 EDT 2015


I didn't make any changes to saml-nameid.properties. Going off of
memory I think what I had to change was attribute-filter.xml, as
follows:
<resolver:AttributeDefinition id="givenNameArcGIS" xsi:type="ad:Template">
    <resolver:Dependency ref="givenName" />
    <resolver:Dependency ref="sn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
    <ad:Template>
        <![CDATA[
            ${givenName} ${sn}
        ]]>
    </ad:Template>
    <ad:SourceAttribute>givenName</ad:SourceAttribute>
    <ad:SourceAttribute>sn</ad:SourceAttribute>
</resolver:AttributeDefinition>


My attribute resolver looks like this:

<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="jmuad" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="cn" sourceAttributeID="cn">
    <resolver:Dependency ref="jmuad" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
    <resolver:Dependency ref="jmuad" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="sn" sourceAttributeID="sn">
    <resolver:Dependency ref="jmuad" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>

Hope this helps, sorry I forgot about the custom bit in
attribute-filter.xml. But this is how I did it for ArcGIS, as they needed
givenName to be first and last name separated by a space, so you can
see I had to get 2 attributes and combine them to make that work.
Brandon
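A troubleshooting check for the symptom Todd describes (the decoded response no longer carries a 1.1 nameid-format), added here as an example and not code from this thread or from the Shibboleth project: it decodes a POST-binding SAMLResponse and reports every Subject NameID Format against the list the SP requires. The two sample responses are constructed, unsigned stand-ins; signature validation is out of scope.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID formats the relying party in the thread will accept.
REQUIRED_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
})

# Constructed, unsigned sample: the failing case after the v3 upgrade (transient only).
SAMPLE_TRANSIENT = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    '_4f1c9</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
)

# Constructed sample: the expected result once the attribute-sourced generator
# and nameIDFormatPrecedence select the emailAddress format.
SAMPLE_EMAIL = SAMPLE_TRANSIENT.replace(
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
).replace("_4f1c9", "tvernick@example.edu")


def decode_saml_response(b64_value: str) -> str:
    """Decode the SAMLResponse form field of the HTTP-POST binding (base64 only)."""
    return base64.b64decode(b64_value).decode("utf-8")


def name_id_formats(response_xml: str) -> list:
    """Return the Format of every Subject NameID in document order."""
    root = ET.fromstring(response_xml)
    # A missing Format attribute means 'unspecified' (SAML 2.0 Core); report it as such.
    default = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    return [n.get("Format", default) for n in root.iterfind(".//saml:Subject/saml:NameID", NS)]


def check_response(response_xml: str, required=REQUIRED_FORMATS) -> dict:
    """Report the formats issued and whether at least one satisfies the SP."""
    formats = name_id_formats(response_xml)
    return {"formats": formats, "ok": any(f in required for f in formats)}
```

Run it against the base64 value of a real POST after each config change; a result of only 2.0 formats means the saml-nameid.xml generator or the nameIDFormatPrecedence entry is not taking effect for that relying party.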
On Thu, 2015-07-16 at 10:57 -0400, Todd Vernick wrote:
> Did you make any changes to saml-nameid.properties?
> Also what did you use for your attribute-resolver.xml?
> I took the default uid instance from attribute-resolver-full.xml
> 
> On Wed, Jul 15, 2015 at 4:35 PM, McKean, Brandon Scott - mckeanbs <
> mckeanbs at jmu.edu> wrote:
> > Hi Todd,
> > 
> > Sorry it's giving you trouble. :(
> > 
> > For clarity you wouldn't be able to straight copy what I gave. In
> > your case saml-nameid.xml would probably need to be more like:
> > 
> > <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> >             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> >             p:attributeSourceIds="uid" />
> > 
> > Then in relying-party.xml right next to
> > "p:encryptAssertions="false" in that section:
> > 
> > p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> > 
> > Hope that makes sense, but let me know if that's how you did it
> > already.
> > 
> > Thanks,
> > 
> > 
> > -- 
> > Brandon McKean
> > IT / Systems
> > Linux Administrator 
> > (540)568-4235     
> > 
> > On Wed, 2015-07-15 at 16:17 -0400, Todd Vernick wrote:
> > > Hi Brandon,
> > > I just added what you specified but still don't see the 1.1
> > > values :(
> > > 
> > > On Wed, Jul 15, 2015 at 4:06 PM, McKean, Brandon Scott - mckeanbs
> > > <mckeanbs at jmu.edu> wrote:
> > > > Hi Todd,
> > > > 
> > > > I had to mess with something very similar for configuring
> > > > ArcGIS. Here's what I had to do for this:
> > > > 
> > > > Here's what I did in saml-nameid.xml:
> > > > 
> > > > <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> > > >             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:eid"
> > > >             p:attributeSourceIds="cn" />
> > > > 
> > > > The eid part is arbitrary, you just need to keep it consistent
> > > > across the config. You can have it be emailaddress too.
> > > > 
> > > > Then, in relying-party.xml:
> > > > 
> > > > 
> > > > c:relyingPartyIds="JMU.maps.arcgis.com">
> > > >             <property name="profileConfigurations">
> > > >                 <list>
> > > >                     
> > > > p:encryptAssertions="false"
> > > > p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:eid"/>
> > > >             </property>
> > > >         </bean>        
> > > >         
> > > > 
> > > > 
> > > > Hope this snippet helps.
> > > > 
> > > >  
> > > > 
> > > > -- 
> > > > Brandon McKean
> > > > IT / Systems
> > > > Linux Administrator 
> > > > (540)568-4235       
> > > > 
> > > > On Wed, 2015-07-15 at 15:54 -0400, Todd Vernick wrote:
> > > > > My SP requires the assertion:
> > > > > nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> > > > > or
> > > > > nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> > > > > 
> > > > > I used the following config to pass uid to pass this in
> > > > > shibboleth version 2
> > > > > 
> > > > > attribute_resolver.xml
> > > > >     
> > > > > id="uid" sourceAttributeID="uid">
> > > > >         <resolver:Dependency ref="myLDAP" />
> > > > >         
> > > > > xsi:type="enc:SAML1StringNameIdentifier"
> > > > > nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
> > > > >         
> > > > > name="urn:mace:dir:attribute-def:uid" />
> > > > >         
> > > > > xsi:type="enc:SAML2StringNameID"
> > > > > nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
> > > > >     
> > > > > xsi:type="enc:SAML2StringNameID"
> > > > > nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
> > > > >     </resolver:AttributeDefinition>
> > > > > 
> > > > > relying_party.xml
> > > > >         <rp:RelyingParty
> > > > >                 id="http://fs.ultiproworkplace.com/adfs/services/trust"
> > > > >                 provider="https://idp.squarespace.net/idp/shibboleth"
> > > > >                 defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
> > > > >         defaultSigningCredentialRef="IdPCredential">
> > > > > <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
> > > > >         includeAttributeStatement="true"
> > > > >         assertionLifetime="300000"
> > > > >         assertionProxyCount="0"
> > > > >         signResponses="conditional"
> > > > >         signAssertions="never"
> > > > >         signRequests="conditional"
> > > > >         encryptAssertions="never"
> > > > >         encryptNameIds="never"
> > > > > />
> > > > >         </rp:RelyingParty>
> > > > > 
> > > > > 
> > > > > Version 3 carried over a different relying_party config
> > > > >         
> > > > > http://fs.ultiproworkplace.com/adfs/services/trust">
> > > > >             <property name="profileConfigurations">
> > > > >                 <list>
> > > > >                     
> > > > > p:encryptAssertions="false" />
> > > > >                 </list>
> > > > >             </property>
> > > > >         </bean>
> > > > > 
> > > > > And I used the same attribute_resolver config for version 3.
> > > > > When decoding the saml response, it's not showing a
> > > > > 1.1:nameid-format anymore, only 2.0 formats.
> > > > > -- 
> > > > > To unsubscribe from this list send an email to 
> > > > > users-unsubscribe at shibboleth.net