Adobe SSO
Jann Malenkoff
jannmalenkoff at gmail.com
Thu Aug 2 03:24:04 EDT 2018
We've been pulling our hair out with Adobe SSO --- why oh why do they make
life harder for all...
We have the following configured -- but for the life of me I can't figure out
why the NameID is not sent --- can anyone spot anything obvious we missed?
RELYING-PARTY.XML
<!-- Relying-party override for the Adobe/Okta SP, keyed by the entityID in
     c:relyingPartyIds. It only applies when the requester's entityID is an
     exact match for that value; otherwise the IdP falls through to its
     default relying-party settings and nothing below takes effect.
     NOTE(review): in this copy the value begins with a line break before the
     URL. If that is in the real file rather than an archive wrapping
     artifact, the ID is " https://..." and will never match - confirm. -->
<bean parent="RelyingPartyByName"
c:relyingPartyIds="
https://www.okta.com/saml2/service-provider/">
<property name="profileConfigurations">
<list>
<!-- SAML 2 SSO profile for this SP: runs the 'touPweFlow' and
     'attribute-release' post-authentication flows and prefers the
     emailAddress NameID format. NOTE(review): 'attribute-release' is
     presumably the consent flow; if it runs before the NameID is built and
     the user withholds Email, the attribute-sourced generator has no value
     to use - worth checking in the IdP log. -->
<bean parent="SAML2.SSO"
p:postAuthenticationFlows="#{{'touPweFlow','attribute-release'}}"
p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}}"
/>
<!-- SAML 2 logout profile with its default settings. -->
<bean parent="SAML2.Logout" />
</list>
</property>
</bean>
ADOBE METADATA IMPORTED
<!-- SP metadata as imported for the Adobe/Okta service provider. The IdP
     matches it to incoming requests by the entityID below, and the signing
     key in the KeyDescriptor is what it will trust for this SP's signatures,
     so the metadata itself must be obtained from a trusted source and kept
     current when the SP rotates its key.
     NOTE(review): the entityID carries no per-tenant suffix; verify that the
     Issuer in the SP's actual AuthnRequest is exactly this string, since the
     relying-party override and the filter policy are both keyed on it. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://www.okta.com/saml2/service-provider/">
<!-- The SP declares that it does not sign AuthnRequests and that it wants
     signed assertions. -->
<md:SPSSODescriptor AuthnRequestsSigned="false"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<!-- SP signing certificate; the base64 value is elided in this archive copy. -->
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<!-- The SP asks for the emailAddress NameID format; this is the same format
     named in nameIDFormatPrecedence in relying-party.xml and in the
     generator in saml-nameid.xml. -->
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<!-- Default HTTP-POST assertion consumer endpoint on the Okta-hosted tenant.
     NOTE(review): the Location value appears to begin with a line break; if
     that is literal rather than mail wrapping it is not a valid URL. -->
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
https://adbe-016336715ad681bc0a495e8a-36b2-prd.okta.com/auth/saml20/accauthlinktest"
index="0" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
SAML-NAMEID.XML
<!-- Attribute-sourced SAML 2 NameID generator: emits an emailAddress-format
     NameID whose value is taken from the resolved IdP attribute with id
     'Email'. That id must match the AttributeDefinition id in
     attribute-resolver.xml, and the attribute must still be present after
     the attribute-filter policy for this SP has run; if it is missing at
     that point no NameID of this format can be produced.
     NOTE(review): the enclosing list is not shown here. This bean only takes
     effect when it sits inside the shibboleth.SAML2NameIDGenerators list in
     saml-nameid.xml - confirm it was added there. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'Email'} }" />
ATTRIBUTE-FILTER.XML
<!-- Release policy for the Adobe/Okta SP: applies only when the requester's
     entityID matches the Requester rule value, and then permits every value
     of FirstName, LastName and Email. Email is the attribute the NameID
     generator in saml-nameid.xml draws from, so it must be permitted here.
     NOTE(review): the Requester value appears to begin with a line break
     before the URL; if that is literal rather than an archive wrapping
     artifact the rule never matches and nothing is released. -->
<AttributeFilterPolicy id="https://www.okta.com/saml2/service-provider/">
<PolicyRequirementRule xsi:type="Requester"
value="
https://www.okta.com/saml2/service-provider/"/>
<AttributeRule attributeID="FirstName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="LastName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<!-- Source attribute for the emailAddress NameID. -->
<AttributeRule attributeID="Email">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
ATTRIBUTE-RESOLVER.XML
<!-- IdP attribute 'Email': a Simple definition that copies the LDAP 'mail'
     attribute obtained through the myLDAP connector. The SAML2String encoder
     releases it as a SAML attribute named 'Email' with the unspecified
     name-format and encodeType set to false. The id 'Email' is what both the
     filter policy and the NameID generator refer to, so it must stay in sync
     with them. -->
<resolver:AttributeDefinition id="Email" xsi:type="ad:Simple"
sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="Email" encodeType="false" />
</resolver:AttributeDefinition>
<!-- IdP attribute 'LastName': Simple definition copying the LDAP 'sn'
     attribute from the myLDAP connector, encoded as SAML attribute 'LastName'
     with the unspecified name-format and encodeType set to false. -->
<resolver:AttributeDefinition id="LastName" xsi:type="ad:Simple"
sourceAttributeID="sn">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="LastName" encodeType="false" />
</resolver:AttributeDefinition>
<!-- IdP attribute 'FirstName': Simple definition copying the LDAP 'givenName'
     attribute from the myLDAP connector, encoded as SAML attribute
     'FirstName' with the unspecified name-format and encodeType set to false.
     NOTE(review): the attribute names the Adobe side expects are not shown
     here; presumably 'FirstName', 'LastName' and 'Email' are what it
     requires - confirm against the SP's documentation. -->
<resolver:AttributeDefinition id="FirstName" xsi:type="ad:Simple"
sourceAttributeID="givenName">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="FirstName" encodeType="false" />
</resolver:AttributeDefinition>