sign/encrypt assertions attributes not being honoured
sshabbir
sshabbir at bmj.com
Wed Aug 1 13:56:32 EDT 2018
Hello,
In trying to comply with our SP request to sign assertions, and not encrypt
them, I've added the below to relying-party.xml:
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://..../samlLogin">
    <property name="profileConfigurations">
        <list>
            <!-- sign the assertion, leave it and the NameID unencrypted -->
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="false" p:signAssertions="true"
                  p:encryptNameIDs="false"/>
        </list>
    </property>
</bean>
However, the SAML response extract below suggests this does not seem to work:
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    NameQualifier="https://.../idp/shibboleth"
    SPNameQualifier="https://.../samlLogin">
AAdzZWNyZXQxhqCyvp0AoTAcLu2yR5BufFgIHiwkFNHRH18y0F7E73EhUzyoS2FrWS1fjRCHngAAQgAeQdnzI0XCt080OG72GaeXGJlywVBn6+Z2o/xw7jPVuqsYSmhOuMi1bUzUNHYrQ6GQn5/NAk6VrhlU4IVQgOIzpHvGdsHhbKVkG4mJBUiZd6UuVOYLqUnckY/pjz3QZCQh6CPrrxnAZ2QVQw==
</saml2:NameID>
They are also adamant that:
"NameID Format must either be not provided, or
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', or
'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'"
Based on
https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration,
adding the attribute
p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
to the SAML2.SSO bean, under "RelyingPartyByName", results in a response
with no saml2:NameID entry.
In fact, I can only get that entry to appear by updating the
attribute-resolver entry as below:
<AttributeDefinition xsi:type="Simple" id="UserName"
sourceAttributeID="userName">
<Dependency ref="scriptedAttributeConnector" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
encodeType="false" />
</AttributeDefinition>
Thanks in advance...
-----
Syed
--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
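The post judges the effect of the relying-party.xml settings from one NameID
element. The three settings it changes (p:signAssertions, p:encryptAssertions,
p:encryptNameIDs) each leave a distinct, checkable trace in the SAML Response:
a signed assertion carries a child ds:Signature, an encrypted assertion is
replaced by saml2:EncryptedAssertion wrapping xenc:EncryptedData, and an
encrypted NameID appears as saml2:EncryptedID. A long opaque value inside a
plain saml2:NameID with the transient format is the transient identifier
itself, not ciphertext. The following script is an added example, not code
from the post or from the Shibboleth project; it parses a Response, reports
those three properties plus the NameID formats, and compares the result with
the SP requirements quoted in the post. Both sample responses and all URLs and
identifier values in them are constructed for the example.

```python
"""Inspect a SAML 2.0 Response: are assertions signed, are they encrypted,
and which NameID formats does it carry?

Added example; not part of the mailing-list post or the Shibboleth IdP.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED_11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
UNSPECIFIED_20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# The formats the SP in the post says it accepts (an absent Format counts as 1.1 unspecified).
ALLOWED_NAMEID_FORMATS = {UNSPECIFIED_11, UNSPECIFIED_20}


def inspect_response(xml_text: str) -> dict:
    """Summarise how the assertions and NameIDs in a samlp:Response are protected.

    For untrusted input in production, parse with defusedxml instead of
    xml.etree, which does not guard against entity-expansion payloads.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response element")

    plain = root.findall("saml2:Assertion", NS)
    encrypted = root.findall("saml2:EncryptedAssertion", NS)
    # signAssertions=true puts a ds:Signature directly under each Assertion
    signed = [a for a in plain if a.find("ds:Signature", NS) is not None]

    formats = []
    for name_id in root.iter(f"{{{NS['saml2']}}}NameID"):
        # SAML 2.0 core: an omitted Format attribute means 1.1 unspecified
        formats.append(name_id.get("Format", UNSPECIFIED_11))
    encrypted_ids = list(root.iter(f"{{{NS['saml2']}}}EncryptedID"))

    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "plain_assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "signed_assertions": len(signed),
        "nameid_formats": formats,
        "encrypted_nameids": len(encrypted_ids),
    }


def sp_findings(summary: dict) -> list:
    """List the ways a summary fails the SP requirements quoted in the post."""
    findings = []
    if summary["encrypted_assertions"]:
        findings.append("assertion is encrypted (encryptAssertions still in effect)")
    if summary["signed_assertions"] < summary["plain_assertions"]:
        findings.append("assertion is not signed")
    if summary["encrypted_nameids"]:
        findings.append("NameID is encrypted (encryptNameIDs still in effect)")
    for fmt in summary["nameid_formats"]:
        if fmt not in ALLOWED_NAMEID_FORMATS:
            findings.append(f"NameID Format {fmt} not accepted by SP")
    return findings


# Constructed sample 1: signed, unencrypted assertion with a transient NameID.
# This is the shape signAssertions=true / encryptAssertions=false produces with
# the default transient NameID generator; the opaque value is not ciphertext.
SIGNED_TRANSIENT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          SPNameQualifier="https://sp.example.org/samlLogin">AAdzZWNyZXQxCONSTRUCTED</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</samlp:Response>"""

# Constructed sample 2: what encryptAssertions=true produces. The whole assertion
# is replaced by saml2:EncryptedAssertion, so no NameID is visible at all.
ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0">
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, doc in (("signed+transient", SIGNED_TRANSIENT), ("encrypted", ENCRYPTED)):
        summary = inspect_response(doc)
        print(label, summary)
        print("  findings:", sp_findings(summary) or "none")
```

Run it against a Response captured from the browser (the base64 SAMLResponse form field, decoded) to see which of the three settings actually took effect; on the first sample the only finding is the transient NameID format, which is the part of the SP requirement the relying-party override in the post does not address.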