Attribute Resolver Migrating to IDP30 and generating persistent NameId using PrincipalName
Cantor, Scott
cantor.2 at osu.edu
Mon May 11 21:29:15 EDT 2015
On 5/12/15, 1:07 AM, "Katia" <katia_muser at yahoo.com> wrote:
>I've gone through the post from 2 weeks ago from Sara (IdPv3 and generating
>persistent NameID) and the subsequent responses, and I followed the steps
>detailed in the documentation to support the persistent NameID.
>
>Content of
>saml-nameid.properties
>
>idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
>idp.persistentId.sourceAttribute = persistentNameIdSourceUid
>idp.persistentId.salt = XXXXXXX
If that's the real salt, you've just compromised the opacity of all those
IDs. That's like divulging a private key.
>However, my attribute-resolver configuration that worked in V2 is now
>failing:
>
> <resolver:AttributeDefinition id="persistentNameIdSourceUid" xsi:type="ad:PrincipalName">
>     <!-- PrincipalName (the login username) used as the persistent-ID source attribute -->
>     <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
>                                nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
>                                nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
> </resolver:AttributeDefinition>
That's putting the user's principal name into a SAML NameID with a format
specifically designed for use with opaque pairwise IDs in the SAML 2 case,
and the transient format in the case of SAML 1. That's not correct. It
"works", but it's wrong. Those encoders should not be there, or at the
least they should have different formats.
Also, it's a bad idea to generate persistent IDs using a username as a
seed, unless that username is opaque/numeric/whatever. Otherwise it's not
stable.
>In IDP30 I get this error using the same provider:
>
>WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>
>Let me know if you need more details.
I guess, yes. My best guess is maybe the persistentNameIdSourceUid
attribute is not being released.
You also might not have uncommented the
shibboleth.SAML2PersistentGenerator bean in
saml-nameid.xml, which the documentation includes as a step. Though given
the rest of that, I think if the attribute were released it would be
working because of the legacy use of the resolver and the
SAML2StringNameID encoder, and you'd get a persistent NameID with the
username in it.
-- Scott
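The following is an added illustration of the two points Scott raises about the computed persistent ID (the salt is as sensitive as a private key, and a renameable username is a poor seed). It is not part of this reply and not code from the Shibboleth IdP. It models the generator as Base64(SHA-1(SP entityID + "!" + source value + "!" + salt)); that byte layout is my recollection of the Shibboleth computed-ID scheme and is an assumption here, as are the entity IDs, salt and usernames, which are constructed sample data.

```python
import base64
import hashlib
from typing import Iterable, Optional


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Derive a computed persistent NameID for one user at one SP.

    Assumed construction (not checked against the IdP source here):
    Base64( SHA-1( spEntityID + "!" + sourceValue + "!" + salt ) ).
    The SP entity ID in the hash is what makes the value pairwise.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def is_pairwise(source_value: str, salt: str, sp_a: str, sp_b: str) -> bool:
    """True when two different SPs receive different IDs for the same user,
    so the SPs cannot correlate the user by comparing NameIDs."""
    return (computed_persistent_id(sp_a, source_value, salt)
            != computed_persistent_id(sp_b, source_value, salt))


def id_survives_rename(sp_entity_id: str, old_value: str, new_value: str, salt: str) -> bool:
    """True when changing the source value leaves the NameID unchanged.

    For a hash-based generator this holds only if the value did not really
    change, which is why the seed should be opaque and immutable (an
    employee number) rather than a username that can be renamed.
    """
    return (computed_persistent_id(sp_entity_id, old_value, salt)
            == computed_persistent_id(sp_entity_id, new_value, salt))


def recover_source_value(sp_entity_id: str, name_id: str, salt: str,
                         candidates: Iterable[str]) -> Optional[str]:
    """What a relying party can do once the salt is public: dictionary-search
    the source attribute behind a NameID it already holds.
    Returns the matching candidate, or None if no candidate matches."""
    for candidate in candidates:
        if computed_persistent_id(sp_entity_id, candidate, salt) == name_id:
            return candidate
    return None


# Constructed sample data (assumptions, not values from the original thread).
SALT = "correct horse battery staple"          # stands in for idp.persistentId.salt
SP_A = "https://sp-a.example.org/shibboleth"   # hypothetical SP entity IDs
SP_B = "https://sp-b.example.org/shibboleth"
USERNAME = "jsmith"                            # PrincipalName-style seed


def demo() -> dict:
    """Run the checks and return their outcomes keyed by name."""
    name_id_at_a = computed_persistent_id(SP_A, USERNAME, SALT)
    # Plausible usernames a hostile SP could try once the salt has leaked.
    guesses = ["asmith", "bjones", "jsmith", "ksmith"]
    return {
        "pairwise": is_pairwise(USERNAME, SALT, SP_A, SP_B),
        "rename_breaks_id": not id_survives_rename(SP_A, "jsmith", "jsmith2", SALT),
        "recovered_with_leaked_salt": recover_source_value(SP_A, name_id_at_a, SALT, guesses),
        "recovered_with_wrong_salt": recover_source_value(SP_A, name_id_at_a, "some other salt", guesses),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the pairwise property holding, the NameID changing as soon as the username is renamed, and the source username falling out of a short guess list once the salt is known, while the same search fails against a wrong salt. The salt is the only thing standing between a NameID and the identity behind it, which is why it should never appear in a mailing-list post.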