SAML2 NameID in Subject

Vonblohn, Kyle kvonbloh at bloomu.edu
Tue Jul 18 15:17:10 EDT 2017


Yes, all 3 of their attributes are being released in the filter.

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Craig Pluchinsky
Sent: Tuesday, July 18, 2017 3:15 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: SAML2 NameID in Subject

Do you have an attribute filter set up to release that attribute to the adobe entityID?


-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327


On Tue, 18 Jul 2017, Vonblohn, Kyle wrote:

> Thanks Andy, but I've tried all of that.  Here are snippets of my files:
>
> relying-party.xml:
>
> <!-- ===== -->
> <!-- Adobe -->
> <!-- ===== -->
>
> <bean parent="RelyingPartyByName" c:relyingPartyIds="https://www.okta.com/saml2/service-provider/spienv8o80qZUv17G0x7">
>    <property name="profileConfigurations">
>        <list>
>            <bean parent="SAML2.SSO" p:includeAttributeStatement="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:signAssertions="true" p:encryptAssertions="false" p:encryptNameIDs="false"/>
>            <bean parent="SAML2.Logout" p:signResponses="false"/>
>        </list>
>    </property>
> </bean>
>
> saml-nameid.xml:
>
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>     p:attributeSourceIds="#{ {'Email'} }">
>   <property name="activationCondition">
>       <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'https://www.okta.com/saml2/service-provider/spienv8o80qZUv17G0x7'}}" />
>   </property>
> </bean>
>
> And attribute-resolver.xml
>
>    <!-- ===== -->
>    <!-- Adobe -->
>    <!-- ===== -->
>
>    <resolver:AttributeDefinition id="FirstName" xsi:type="ad:Simple" sourceAttributeID="givenName">
>        <resolver:Dependency ref="BUAD"/>
>        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName"/>
>        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName"/>
>    </resolver:AttributeDefinition>
>    <resolver:AttributeDefinition id="LastName" xsi:type="ad:Simple" sourceAttributeID="sn">
>        <resolver:Dependency ref="BUAD"/>
>        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn"/>
>        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn"/>
>    </resolver:AttributeDefinition>
>    <resolver:AttributeDefinition id="Email" xsi:type="ad:Simple" sourceAttributeID="mail">
>        <resolver:Dependency ref="BUAD"/>
>        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail"/>
>        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
>    </resolver:AttributeDefinition>
>
>
> I know I'm missing something, but for the life of me, I can't figure out what it is.  I've been working on this since last week, and have done multiple searches for information.
>
> This is the subject of my saml response:
>
>       <saml2:Subject>
>            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                <saml2:SubjectConfirmationData Address="148.137.##.##"
>                                               InResponseTo="id448028774800135631139003950"
>                                               NotOnOrAfter="2017-07-18T18:53:58.618Z"
>                                               Recipient="https://adbe-bloomu-d-edu-b749-prd.okta.com/auth/saml20/accauthlinktest"
>                                               />
>            </saml2:SubjectConfirmation>
>        </saml2:Subject>
>
> As you can see, the NameID portion is completely missing.  I'm at a loss.
>
> Thanks,
> Kyle
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Andrew Morgan
> Sent: Tuesday, July 18, 2017 2:43 PM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: SAML2 NameID in Subject
>
> On Tue, 18 Jul 2017, Vonblohn, Kyle wrote:
>
>> I am trying to set up Adobe SSO with IdP v3.  The documentation says
>> they need the NameID in the SAML subject.  I can't seem to find any
>> documentation about where that is configured.  I've run a SAML trace
>> in Firefox and confirmed the entire NameID section is missing from the
>> subject.  If someone could point me in the right direction, I would be
>> appreciative.
>
> Kyle,
>
> Start with these:
>
>   https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
>
>   https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
>
> Based on what I see with our Adobe integration, I think you'll need to support the "emailAddress" NameID Format.  We chose to release EPPN to SPs that request emailAddress.  In saml-nameid.xml, we have:
>
>   <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>       p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>       p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }">
>       <property name="activationCondition">
>           <bean parent="shibboleth.Conditions.NOT">
>               <constructor-arg>
>                   <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/oregonstate.edu" />
>               </constructor-arg>
>           </bean>
>       </property>
>   </bean>
>
> This example also shows how we exclude our Google instance from this particular generator.
>
> 	Andy
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
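The symptom in this thread is a Response whose Subject has no NameID, and the questions asked are whether the generator's source attribute is released to the SP's entityID and whether the generator is activated for that relying party. The following added diagnostic (example code, not from the thread or the Shibboleth project) parses a decoded SAML 2.0 Response from a browser SAML trace and reports which of those two explanations fits: if the NameID is absent and the source attribute (here the `mail` OID used by Kyle's SAML2String encoder) is also absent from the AttributeStatement, the attribute is not being released; if the attribute is present but the NameID still is not, the generator itself was not selected. The two sample Responses, the issuer and recipient URLs and the user values are constructed for the example.

```python
"""Diagnose a SAML 2.0 Response whose <saml2:Subject> lacks a <saml2:NameID>.

Added example, not code from the thread or the Shibboleth project. Assumes a
plaintext (unencrypted) Assertion that has already been base64-decoded from a
SAML trace. The sample Responses below are constructed; they mirror the Subject
shape posted in the thread rather than any real captured message.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # SAML2String encoder name for 'mail'


def released_attribute_names(assertion):
    """Collect every Name and FriendlyName present in the AttributeStatement."""
    names = set()
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        for key in ("Name", "FriendlyName"):
            if attr.get(key):
                names.add(attr.get(key))
    return names


def check_nameid(response_xml, expected_format, source_attr):
    """Return a report dict explaining a missing or mis-formatted NameID."""
    root = ET.fromstring(response_xml)
    report = {"nameid": None, "format_ok": False, "source_released": False, "findings": []}
    assertion = root.find(".//saml2:Assertion", NS)
    if assertion is None:
        report["findings"].append("no plaintext saml2:Assertion (encrypted, or none issued)")
        return report
    report["source_released"] = source_attr in released_attribute_names(assertion)
    nameid = assertion.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        if not report["source_released"]:
            # Attribute-sourced generators produce nothing without their source attribute.
            report["findings"].append(
                f"NameID missing and {source_attr} is not in the AttributeStatement: "
                "the source attribute is not released to this SP (check the "
                "attribute-filter policy for its entityID)")
        else:
            report["findings"].append(
                "NameID missing although the source attribute is released: the generator "
                "was not selected (check activationCondition in saml-nameid.xml and "
                "nameIDFormatPrecedence in the relying-party override)")
        return report
    report["nameid"] = nameid.text
    report["format_ok"] = nameid.get("Format") == expected_format
    if not report["format_ok"]:
        report["findings"].append(
            f"NameID Format is {nameid.get('Format')!r}, expected {expected_format!r}")
    return report


def _response(subject_inner, attributes):
    """Build a minimal constructed Response around the given Subject content."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      {subject_inner}
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="https://sp.example.test/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:AttributeStatement>
      {attributes}
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


# Constructed: Subject without NameID, only givenName released (mail filtered out).
BROKEN_RESPONSE = _response(
    "",
    '<saml2:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">'
    "<saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>")

# Constructed: emailAddress NameID present and mail released.
FIXED_RESPONSE = _response(
    f'<saml2:NameID Format="{EMAIL_FORMAT}">jdoe@example.edu</saml2:NameID>',
    f'<saml2:Attribute Name="{MAIL_OID}" FriendlyName="mail">'
    "<saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>")

if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_nameid(xml, EMAIL_FORMAT, MAIL_OID))
```

Run it against a decoded Response pasted into a file, and read the `findings` list before touching configuration: the attribute-release finding points at attribute-filter.xml, the generator finding at saml-nameid.xml and the relying-party override.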