Access Denied
Peter Schober
peter.schober at univie.ac.at
Fri Jul 27 09:55:40 EDT 2018
* Tabitha O. Locklear <tabithao.locklear at uncp.edu> [2018-07-27 15:35]:
> Attribute-Resolver.xml
> V3
>
> <resolver:AttributeDefinition id="Login" xsi:type="ad:Simple"
> sourceAttributeID="sAMAccountName">
> <resolver:Dependency ref="myLDAP" />
>
>
> Saml-nameid.xml
>
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient"
> p:attributeSourceIds="#{ {'Login'} }" >
> </bean>
sAMAccountName does not have "transient semantics", as required for
transient NameIDs by the SAML specification. So while your old config
also had that, it's a violation of the SAML spec -- are you positive
the SP requires the transient NameID format? If not, use any other
NameID format, including sAMAccountName's formal name as p:format
above.
> Relying-Party.xml
> V3
> <bean parent="RelyingPartyByName" c:relyingPartyIds="https://uncp.saasit.com/">
> <property name="profileConfigurations">
> <list>
> <!-- Your refs or beans here. -->
> <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1:1:nameid-format:unspecified" p:encryptAssertions="false" p:encryptNameIDs="false" p:signAssertions="true" p:signResponses="false"/>
> </list>
> </property>
> </bean>
First you're stuffing sAMAccountName into a transient NameID, but then
you're setting the preferred NameID format for that SP to
"unspecified". That doesn't make sense to me.
-peter
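As an added illustration (not part of Peter's reply or of the original poster's files) of the consistent configuration he describes: the sAMAccountName value is emitted under the "unspecified" format, and the relying-party override for that SP names the same format. The activationCondition bean restricting the generator to one SP is assumed from the Shibboleth IdP v3 documentation; the SP entityID is the one quoted in the thread.

```xml
<!-- attribute-resolver.xml (IdP v3): same definition as posted, closed properly -->
<resolver:AttributeDefinition id="Login" xsi:type="ad:Simple"
                              sourceAttributeID="sAMAccountName">
    <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>

<!-- saml-nameid.xml: sAMAccountName is a stable identifier, so do not
     label it "transient"; emit it under the unspecified format instead.
     The activationCondition (assumed from the IdP documentation) limits
     this generator to the one SP that needs it. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'Login'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
              c:candidates="#{ {'https://uncp.saasit.com/'} }" />
    </property>
</bean>

<!-- relying-party.xml: the precedence must name the same format the
     generator above produces. Note the URN is "SAML:1.1", not "SAML:1:1"
     as in the posted override; a mistyped URN matches nothing. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://uncp.saasit.com/">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                  p:encryptAssertions="false"
                  p:encryptNameIDs="false"
                  p:signAssertions="true"
                  p:signResponses="false" />
        </list>
    </property>
</bean>
```

If the SP really does require the transient format, keep the default shibboleth.SAML2TransientGenerator instead and drop the attribute-sourced bean, since a transient NameID must not carry a stable value such as sAMAccountName.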