sign/encrypt assertions attributes not being honoured
sshabbir
sshabbir at bmj.com
Thu Aug 2 07:00:42 EDT 2018
>What value do they actually want in the NameID? Your attributeDefinition
>suggests you want to put an unscoped username in the field. If that is
>true, the format should not be "transient".
The value required in NameID is the username attribute, and the format needs to
be "unspecified", urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. It
seems my AttributeDefinition is incorrect, and I'm not sure what the default urn
format is for "username". In our case username is unique; should I use the "uid"
urn format?
<AttributeDefinition xsi:type="Simple" id="userName"
                     sourceAttributeID="userName">
    <Dependency ref="scriptedAttributeConnector" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42"
                      encodeType="false" />
</AttributeDefinition>
> The documentation to generate a NameID is here:
>
>
> https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
>
> Read the "Format Selection" section carefully...
The SP metadata, or request, does not contain any required NameID format
policy:
<AuthnRequest ID="samlrequest_a269d35d782d4865b69a59d0b694fe61"
              Version="2.0"
              IssueInstant="2018-08-02T09:40:29.8535234Z"
              AssertionConsumerServiceURL="https://...../login/samlLogin.d2l"
              xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://.../samlLogin</Issuer>
</AuthnRequest>
So, I've tried to create a custom SSO bean, with precedence values, and
used that in "RelyingPartyByName". However, the NameID value is not
released in the response:
<bean id="SAML2.SSO.custom" parent="SAML2.SSO"
      p:nameIDFormatPrecedence="#{{
          'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
          'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}" />
-----
Syed
--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
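Added example, not from the post above or from the Shibboleth project: the nameIDFormatPrecedence property only selects which format is attempted, so an IdP v3 saml-nameid.xml also needs a generator registered for the "unspecified" format that is sourced from the resolved attribute, and that attribute must be released to the SP by the attribute filter. The attribute id "userName" is taken from the post; the SP entityID is a placeholder and the activation condition and filter rule are assumptions.

```xml
<!-- conf/saml-nameid.xml (fragment, added example) -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Keep the default transient generator for every other SP. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Emit the resolved "userName" attribute value as an
         "unspecified" NameID, but only for the one SP that needs it,
         so no other relying party receives a persistent identifier
         by accident. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'userName'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="https://sp.example.org/placeholder-entityid" />
        </property>
    </bean>

</util:list>

<!-- conf/attribute-filter.xml (fragment, added example).
     The attribute-sourced generator draws on the filtered attribute
     set, so a rule that releases userName to that SP is required. -->
<AttributeFilterPolicy id="releaseUserNameToPlaceholderSP">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.org/placeholder-entityid" />
    <AttributeRule attributeID="userName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Once the generator exists, the custom SSO bean's precedence list is what steers the IdP to "unspecified" when neither the AuthnRequest nor the SP metadata names a format.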