sign/encrypt assertions attributes not being honoured
Nate Klingenstein
ndk at sudonym.me
Wed Aug 1 14:18:42 EDT 2018
Syed,
In order for a NameID to be released, you need to have the attribute
available (which it probably is), it needs to be a candidate for a NameID
for this relying party (which it probably isn't), and it needs to be the one
that is chosen in any given transaction.
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
In this case, you're adding a nameFormat to an attribute. They're looking
for a NameID, which is totally different. You'll want to revert to the
default URI nameFormat for the attribute.
https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers
Also remember that relying-party.xml operates on a first-match, first-served
basis. You might have an entry without an activationCondition further up
in your file that is superseding other configuration.
Take care,
Nate.
On Wed, Aug 1, 2018 at 10:56 AM, sshabbir <sshabbir at bmj.com> wrote:
> Hello,
>
> In trying to comply with our SP request to sign assertions, and not encrypt
> them, I've added the below to relying-party.xml
>
> <bean parent="RelyingPartyByName"
>     c:relyingPartyIds="https://..../samlLogin">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO"
>                 p:encryptAssertions="false" p:signAssertions="true"
>                 p:encryptNameIDs="false"/>
>         </list>
>     </property>
> </bean>
>
> However, the SAML response extract below suggests this does not seem to
> work
>
> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>     NameQualifier="https://.../idp/shibboleth"
>     SPNameQualifier="https://.../samlLogin">
> AAdzZWNyZXQxhqCyvp0AoTAcLu2yR5BufFgIHiwkFNHRH18y0F7E73EhUzyo
> S2FrWS1fjRCHngAAQgAeQdnzI0XCt080OG72GaeXGJlywVBn6+Z2o/
> xw7jPVuqsYSmhOuMi1bUzUNHYrQ6GQn5/NAk6VrhlU4IVQgOIzpHvGdsHhbKVkG
> 4mJBUiZd6UuVOYLqUnckY/pjz3QZCQh6CPrrxnAZ2QVQw==
> </saml2:NameID>
>
>
> They are also adamant that
>
> NameID Format must either be not provided, or
> "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", or
> "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>
> Based on
> https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration,
> adding the attribute
> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> to the SAML2.SSO bean, under "RelyingPartyByName", results in a response
> with no saml2:NameID entry.
>
> In fact, I can only get that entry to appear by updating the
> attribute-resolver entry as below
>
> <AttributeDefinition xsi:type="Simple" id="UserName"
> sourceAttributeID="userName">
> <Dependency ref="scriptedAttributeConnector" />
> <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42"
> nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> encodeType="false" />
>
> </AttributeDefinition>
>
> Thanks in advance...
>
> -----
> Syed
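What Nate's answer amounts to in configuration, as an added illustration that is not part of the thread: the attribute is registered as a NameID source for this SP in saml-nameid.xml, the relying-party override states the format precedence, and the attribute encoder goes back to its default nameFormat. The entityID (with its "...." elision) and the "UserName" attribute id are taken from the question; the bean and condition names are the stock IdP v3 ones, assumed to match the version in use.

```xml
<!-- conf/saml-nameid.xml: make the attribute a NameID candidate for this SP -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        p:attributeSourceIds="#{ {'UserName'} }">
        <!-- activation condition: only this relying party gets the
             unspecified-format NameID built from UserName -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidate="https://..../samlLogin" />
        </property>
    </bean>
</util:list>

<!-- conf/relying-party.xml: the signing/encryption overrides from the
     question plus the precedence that prefers unspecified over transient.
     This entry must not be shadowed by an earlier, less specific match. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://..../samlLogin">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:encryptAssertions="false" p:signAssertions="true"
                p:encryptNameIDs="false"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        </list>
    </property>
</bean>

<!-- conf/attribute-resolver.xml: no nameid-format on the encoder; omitting
     nameFormat leaves the default attribute-name format (attrname-format:uri).
     A NameID is produced by the generator above, not by the encoder. -->
<AttributeDefinition xsi:type="Simple" id="UserName" sourceAttributeID="userName">
    <Dependency ref="scriptedAttributeConnector" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" encodeType="false" />
</AttributeDefinition>
```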