SAML2 NameID in Subject
Vonblohn, Kyle
kvonbloh at bloomu.edu
Tue Jul 18 15:17:10 EDT 2017
Yes, all 3 of their attributes are being released in the filter.
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Craig Pluchinsky
Sent: Tuesday, July 18, 2017 3:15 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: SAML2 NameID in Subject
Do you have an attribute filter set up to release that attribute to the adobe entityID?
-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327
On Tue, 18 Jul 2017, Vonblohn, Kyle wrote:
> Thanks Andy, but I've tried all of that. Here are snippets of my files:
>
> relying-party.xml:
>
> <!-- ===== -->
> <!-- Adobe -->
> <!-- ===== -->
>
> <bean parent="RelyingPartyByName" c:relyingPartyIds="https://www.okta.com/saml2/service-provider/spienv8o80qZUv17G0x7">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO" p:includeAttributeStatement="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:signAssertions="true" p:encryptAssertions="false" p:encryptNameIDs="false"/>
>             <bean parent="SAML2.Logout" p:signResponses="false"/>
>         </list>
>     </property>
> </bean>
>
> saml-nameid.xml:
>
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>     p:attributeSourceIds="#{ {'Email'} }">
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'https://www.okta.com/saml2/service-provider/spienv8o80qZUv17G0x7'}}" />
>     </property>
> </bean>
>
> And attribute-resolver.xml
>
> <!-- ===== -->
> <!-- Adobe -->
> <!-- ===== -->
>
> <resolver:AttributeDefinition id="FirstName" xsi:type="ad:Simple" sourceAttributeID="givenName">
>     <resolver:Dependency ref="BUAD"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName"/>
> </resolver:AttributeDefinition>
> <resolver:AttributeDefinition id="LastName" xsi:type="ad:Simple" sourceAttributeID="sn">
>     <resolver:Dependency ref="BUAD"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn"/>
> </resolver:AttributeDefinition>
> <resolver:AttributeDefinition id="Email" xsi:type="ad:Simple" sourceAttributeID="mail">
>     <resolver:Dependency ref="BUAD"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
> </resolver:AttributeDefinition>
>
>
> I know I'm missing something, but for the life of me, I can't figure out what it is. I've been working on this since last week, and have done multiple searches for information.
>
> This is the subject of my saml response:
>
> <saml2:Subject>
>     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData Address="148.137.##.##"
>             InResponseTo="id448028774800135631139003950"
>             NotOnOrAfter="2017-07-18T18:53:58.618Z"
>             Recipient="https://adbe-bloomu-d-edu-b749-prd.okta.com/auth/saml20/accauthlinktest"
>         />
>     </saml2:SubjectConfirmation>
> </saml2:Subject>
>
> As you can see, the NameID portion is completely missing. I'm at a loss.
>
> Thanks,
> Kyle
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Andrew Morgan
> Sent: Tuesday, July 18, 2017 2:43 PM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: SAML2 NameID in Subject
>
> On Tue, 18 Jul 2017, Vonblohn, Kyle wrote:
>
>> I am trying to set up adobe sso with IDPv3. The documentation says
>> they need the NameID in the saml subject. I can't seem to find any
>> documentation about where that is configured. I've run a saml trace
>> in firefox and confirmed the entire NameID section is missing from the
>> subject. If someone could point me in the right direction, I would be
>> appreciative.
>
> Kyle,
>
> Start with these:
>
> https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
>
> https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
>
> Based on what I see with our Adobe integration, I think you'll need to support the "emailAddress" NameID Format. We chose to release EPPN to SPs that request emailAddress. In saml-nameid.xml, we have:
>
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>     p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }">
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.NOT">
>             <constructor-arg>
>                 <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/oregonstate.edu" />
>             </constructor-arg>
>         </bean>
>     </property>
> </bean>
>
> This example also shows how we exclude our Google instance from this particular generator.
>
> Andy
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
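Added example, not part of the thread and not Shibboleth project code: a stdlib-only Python checker for the <saml2:Subject> of a SAML 2.0 Response, the element Kyle inspected with the Firefox SAML tracer. Pointed at a captured Response, it reports which SP-side expectation the IdP output misses (no NameID, a NameID Format other than the one requested, a Recipient that is not the SP's ACS, a missing InResponseTo, or an expired NotOnOrAfter) instead of just "NameID missing". The two Responses below are constructed: they reuse the Subject shape and the Okta Recipient URL quoted in the thread, while the Issuer (idp.example.edu), the NameID value (kyle@example.edu), CHECK_TIME and EXPIRED_TIME are assumed for the demonstration.

```python
# Added example: check a SAML 2.0 Response's Subject against what the SP expects.
# Not code from the thread or the Shibboleth project; sample Responses are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def _parse_utc(ts):
    """Parse the xs:dateTime form SAML uses (UTC, optional fraction, trailing 'Z')."""
    ts = ts.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in ts else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def check_subject(response_xml, expected_format, expected_recipient, now=None):
    """Return a list of findings; an empty list means the Subject is what the SP expects."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    findings = []
    assertions = root.findall(".//saml2:Assertion", NS)
    if not assertions:
        # An EncryptedAssertion must be decrypted before this check can be applied.
        return ["no plaintext saml2:Assertion in Response"]
    for assertion in assertions:
        subject = assertion.find("saml2:Subject", NS)
        if subject is None:
            findings.append("Assertion has no saml2:Subject")
            continue
        name_id = subject.find("saml2:NameID", NS)
        if name_id is None:
            findings.append("Subject has no saml2:NameID")
        else:
            fmt = name_id.get("Format", UNSPECIFIED_FORMAT)  # SAML default when Format is absent
            if fmt != expected_format:
                findings.append(f"NameID Format is {fmt}, expected {expected_format}")
            if not (name_id.text or "").strip():
                findings.append("NameID value is empty")
        bearer = [c for c in subject.findall("saml2:SubjectConfirmation", NS)
                  if c.get("Method") == BEARER]
        if not bearer:
            findings.append("no bearer SubjectConfirmation")
        for conf in bearer:
            data = conf.find("saml2:SubjectConfirmationData", NS)
            if data is None:
                findings.append("bearer SubjectConfirmation has no SubjectConfirmationData")
                continue
            if data.get("Recipient") != expected_recipient:
                findings.append(f"Recipient is {data.get('Recipient')}, expected {expected_recipient}")
            if not data.get("InResponseTo"):
                findings.append("SubjectConfirmationData has no InResponseTo (unsolicited response?)")
            not_on_or_after = data.get("NotOnOrAfter")
            if not_on_or_after is None:
                findings.append("SubjectConfirmationData has no NotOnOrAfter")
            elif now >= _parse_utc(not_on_or_after):
                findings.append(f"SubjectConfirmationData expired at {not_on_or_after}")
    return findings


# Constructed samples. The Recipient is the ACS URL quoted in the thread; the
# Issuer and NameID value are assumed placeholders.
RECIPIENT = "https://adbe-bloomu-d-edu-b749-prd.okta.com/auth/saml20/accauthlinktest"
CHECK_TIME = datetime(2017, 7, 18, 18, 50, tzinfo=timezone.utc)    # inside validity window
EXPIRED_TIME = datetime(2017, 7, 18, 19, 0, tzinfo=timezone.utc)    # after NotOnOrAfter


def _response(subject_xml):
    """Wrap a Subject in a minimal Response/Assertion so the checker can parse it."""
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2017-07-18T18:48:58Z">'
        '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2017-07-18T18:48:58Z">'
        "<saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>"
        f"{subject_xml}</saml2:Assertion></saml2p:Response>"
    )


CONFIRMATION = (
    f'<saml2:SubjectConfirmation Method="{BEARER}">'
    '<saml2:SubjectConfirmationData InResponseTo="id448028774800135631139003950" '
    f'NotOnOrAfter="2017-07-18T18:53:58.618Z" Recipient="{RECIPIENT}"/>'
    "</saml2:SubjectConfirmation>"
)
# The Subject as it appeared in the thread: bearer confirmation but no NameID.
MISSING_NAMEID = _response(f"<saml2:Subject>{CONFIRMATION}</saml2:Subject>")
# The Subject Adobe expects: an emailAddress-format NameID ahead of the confirmation.
WITH_NAMEID = _response(
    f'<saml2:Subject><saml2:NameID Format="{EMAIL_FORMAT}">kyle@example.edu</saml2:NameID>'
    f"{CONFIRMATION}</saml2:Subject>"
)

if __name__ == "__main__":
    for label, resp in (("missing NameID", MISSING_NAMEID), ("with NameID", WITH_NAMEID)):
        print(label, "->", check_subject(resp, EMAIL_FORMAT, RECIPIENT, now=CHECK_TIME) or "OK")
```

To use it on a real capture, paste the decoded Response from the SAML tracer into a file and call check_subject with the SP's entity-specific ACS URL and the NameID Format it asks for; if the IdP encrypts assertions (p:encryptAssertions="true") the checker will only see an EncryptedAssertion and you need to decrypt with the SP's key first.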