Adobe SSO

Peter Schober peter.schober at univie.ac.at
Thu Aug 2 08:13:05 EDT 2018


* Jann Malenkoff <jannmalenkoff at gmail.com> [2018-08-02 09:24]:
> We have the following configuration -- but for the life of me can't figure out
> why the NameID is not sent --- can anyone spot anything obvious we missed?
> 
> RELYING-PARTY.XML
> p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}}"

If you control a local copy of the SP's metadata (as you do) you don't
need to override the NameIDFormat here. The IDP uses what's listed
first in metadata.

> ADOBE METADATA IMPORTED
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> entityID="https://www.okta.com/saml2/service-provider/">

Hardly "ADOBE METADATA", btw.

>           <md:KeyDescriptor use="signing">

Assuming the metadata you sent was complete that means your IDP will
not even interop with that SP due to a lack of a key usable for
encryption -- unless you have globally set idp.encryption.optional in
your conf/idp.properties.

But encrypting NameIDs has defaulted to off for many, many years now, so the
only thing this should affect (if the IDP completes SSO at all) are
the attributes you send along (FirstName, LastName, Email).
Which is not what this question of yours is about.

> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

Having that in the metadata will suffice.

> SAML-NAMEID.XML
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>       p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>       p:attributeSourceIds="#{ {'Email'} }" />

I'd add p:omitQualifiers="true" there for good measure but otherwise
that looks OK.

> ATTRIBUTE-FILTER.XML
> 
> <AttributeFilterPolicy id="https://www.okta.com/saml2/service-provider/">
>         <PolicyRequirementRule xsi:type="Requester" value="https://www.okta.com/saml2/service-provider/"/>
[...]
>         <AttributeRule attributeID="Email">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>     </AttributeFilterPolicy>

OK.

> ATTRIBUTE-RESOLVER.XML
> <resolver:AttributeDefinition id="Email" xsi:type="ad:Simple" sourceAttributeID="mail">
>     <resolver:Dependency ref="myLDAP" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="Email" encodeType="false" />
> </resolver:AttributeDefinition>

Unless the SP positively requires that nameFormat (and you've verified
that empirically, which you can only do once you've got it working with the
nonsensical format, and then worked back from that) just leave the
default as per conf/attribute-resolver-full.xml for these
attributes.

TL;DR: Nothing really sticks out. You can always up the log level and
watch what gets set as NameID and what not, and why.

-peter
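As an added illustration of the two metadata points raised in this reply (the IDP picks the first listed NameIDFormat, and a KeyDescriptor usable for encryption must be present unless idp.encryption.optional is set), here is a small checker that is not part of the thread or of the Shibboleth IdP itself. It parses a constructed SP metadata sample modelled on the quoted one; the function and sample names are assumptions.

```python
"""Inspect SP metadata the way the Shibboleth IdP will: which NameIDFormat is
listed first, and whether any KeyDescriptor is usable for encryption."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample modelled on the quoted metadata: only a signing key, and
# emailAddress listed first among the NameIDFormats.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text):
    """Return entityID, NameIDFormats in metadata order, and whether an
    encryption-capable key exists (use="encryption" or no use attribute)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    # A KeyDescriptor without a 'use' attribute counts for both signing and encryption.
    uses = [kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)]
    return {
        "entityID": root.get("entityID"),
        "preferred_nameid_format": formats[0] if formats else None,
        "nameid_formats": formats,
        "encryption_key_present": any(u in (None, "encryption") for u in uses),
    }


if __name__ == "__main__":
    info = inspect_sp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entityID"])
    print("IdP will use NameIDFormat:", info["preferred_nameid_format"])
    if not info["encryption_key_present"]:
        print("WARNING: no encryption-capable key; SSO fails unless "
              "idp.encryption.optional is set in conf/idp.properties")
```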