sign/encrypt assertions attributes not being honoured
Andrew Morgan
morgan at orst.edu
Wed Aug 1 14:17:57 EDT 2018
On Wed, 1 Aug 2018, sshabbir wrote:
> Hello,
>
> In trying to comply with our SP request to sign assertions, and not encrypt
> them, I've added below to relying-party.xml
>
> <bean parent="RelyingPartyByName"
> c:relyingPartyIds="https://..../samlLogin">
> <property name="profileConfigurations">
> <list>
> <bean parent="SAML2.SSO"
> p:encryptAssertions="false" p:signAssertions="true"
> p:encryptNameIDs="false"/>
> </list>
> </property>
> </bean>
>
> However, the SAML response extract below suggests this does not seem to work
>
> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> NameQualifier="https://.../idp/shibboleth"
> SPNameQualifier="https://.../samlLogin">
> AAdzZWNyZXQxhqCyvp0AoTAcLu2yR5BufFgIHiwkFNHRH18y0F7E73EhUzyoS2FrWS1fjRCHngAAQgAeQdnzI0XCt080OG72GaeXGJlywVBn6+Z2o/xw7jPVuqsYSmhOuMi1bUzUNHYrQ6GQn5/NAk6VrhlU4IVQgOIzpHvGdsHhbKVkG4mJBUiZd6UuVOYLqUnckY/pjz3QZCQh6CPrrxnAZ2QVQw==
> </saml2:NameID>
That is a correctly formatted transient NameID. It is a base64-encoded
hash that is generated by the IDP, unique to each SAML response.
BTW, the relying-party.xml configuration you provided above is correct to
disable encryption and sign assertions.
> They are also adamant that
>
> NameID Format must either be not provided, or
> "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", or
> "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>
> Based on
> https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration,
> adding the attribute
> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> to the SAML2.SSO bean, under "RelyingPartyByName", results in a response
> with no saml2:NameID entry.
>
> In fact, I can only get that entry to appear by updating the
> attribute-resolver entry as below
>
> <AttributeDefinition xsi:type="Simple" id="UserName"
> sourceAttributeID="userName">
> <Dependency ref="scriptedAttributeConnector" />
> <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42"
> nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> encodeType="false" />
>
> </AttributeDefinition>
What value do they actually want in the NameID? Your attributeDefinition
suggests you want to put an unscoped username in the field. If that is
true, the format should not be "transient".
The documentation to generate a NameID is here:
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
Read the "Format Selection" section carefully...
Let us know if you have additional questions.
Thanks,
Andy
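As an added check (not part of the thread and not Shibboleth code), the script below inspects a SAML2 Response for the three things the SP in this thread asked for: the assertion present in the clear rather than as EncryptedAssertion, a ds:Signature directly under the Assertion, and a NameID Format that is absent or one of the two "unspecified" URIs. The sample response is constructed to mirror the poster's situation and is not a captured IdP message; the script checks structure only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The SP's stated constraint: Format absent, or one of the two "unspecified" URIs
ALLOWED_NAMEID_FORMATS = {
    None,
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}

def check_response(xml_text):
    """Return a dict of findings; a True value means that requirement is met.
    Structure only: this does not verify the XML signature itself."""
    root = ET.fromstring(xml_text)
    findings = {"assertion_in_clear": False, "assertion_signed": False,
                "nameid_present": False, "nameid_format_ok": False}
    # If encryptAssertions="false" is not in effect, the IdP emits EncryptedAssertion
    if root.find("saml2:EncryptedAssertion", NS) is not None:
        return findings
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return findings
    findings["assertion_in_clear"] = True
    # signAssertions="true" places ds:Signature directly under the Assertion,
    # which is distinct from a signature on the enclosing Response element
    findings["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is not None:
        findings["nameid_present"] = True
        findings["nameid_format_ok"] = name_id.get("Format") in ALLOWED_NAMEID_FORMATS
    return findings

# Constructed sample, not a captured IdP response: assertion signed and in the
# clear, but carrying a transient NameID, i.e. the situation in the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <saml2:Assertion ID="_constructed-assertion" Version="2.0">
    <ds:Signature/><!-- structural placeholder only, not a real signature -->
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          >CONSTRUCTED-TRANSIENT-VALUE</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE_RESPONSE)` reports signing and clear-text delivery as met and only the NameID format as failing, which matches what the poster observed after the relying-party.xml change.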