NameID in clear text

Peter Schober peter.schober at univie.ac.at
Thu Nov 22 17:58:57 EST 2018


* Pagnotta Angelo <Angelo.Pagnotta at avasad.ch> [2018-11-22 19:16]:
> Is there an easy way to transmit the nameid in clear text? we need
> to use the samaccountname...

NameIDs almost always are sent as clear text (EncryptedIDs exist in
the spec and Shibboleth supports them, but they are very rarely ever
seen in the wild), so you're probably mistaken to begin with.

First, in order to send the samaccountname attribute I'd avoid NameIDs
and send it as a SAML attribute instead. Since local login names are
not globally unique you might consider sending it as an IDP-scoped
attribute, e.g. as eduPersonPrincipalName,
cf. http://macedir.org/specs/eduperson/#eduPersonPrincipalName

Only if that's not an option (because the receiving end is basically
broken and doesn't support SAML attributes at all) then you'd read the
fine documentation for the IDP, starting at:
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
Then pick a suitable NameIDFormat. The SAML spec has a likely candidate:

  urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
    A Windows domain qualified user name is a string of the form
    "DomainName\UserName".
    The domain name and "\" separator MAY be omitted.

Assuming you have a locally defined samaccountname attribute available
in your attribute resolver, all it takes to put that inside a NameID
of that format is to add an "SAML2AttributeSourcedGenerator" to your
conf/saml-nameid.xml and set the format to the NameID format above,
and the attributeSourceIds to the id of your samaccountname attribute
in your resolver. Add p:omitQualifiers="true" for good measure.

Next make sure the SAML 2.0 Metadata for the SP in question has that
NameIDFormat listed (i.e., add it as first and/or only format).
If that's not an option (because the metadata is managed elsewhere)
read the documentation how to override that (relying party overrides).

Finally, release the samaccountname attribute in your attribute
filter.

Reload the resolver (if you changed anything there), the NameID
configuration and the filter and you should be good to go.

Test with the aacli with the --saml2 option, then you'll see
attributes *and* NameIDs being sent to the SP.

-peter

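The configuration steps described in the reply above, collected into one worked example. This is an added illustration, not part of the original message and not taken from the Shibboleth documentation verbatim; it assumes a resolver attribute with id `sAMAccountName` already exists, an SP entityID of `https://sp.example.org/shibboleth`, and the Shibboleth IdP v3 file layout (`conf/saml-nameid.xml`, `conf/attribute-filter.xml`, `conf/relying-party.xml`). All three entityIDs and file paths are placeholders to be replaced with local values.

```xml
<!-- 1. conf/saml-nameid.xml: add an attribute-sourced generator for the
        WindowsDomainQualifiedName format. Keep the transient generator
        first so SPs that do not ask for this format still get a transient
        NameID. The activationCondition (assumed, optional) limits the
        generator to the one SP that needs it. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
          p:attributeSourceIds="#{ {'sAMAccountName'} }"
          p:omitQualifiers="true">
        <!-- Restrict to the SP that actually needs the bare login name
             (placeholder entityID). -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>
</util:list>

<!-- 2. SP metadata: the SP must list the format (first and/or only) for
        the generator to be selected. Fragment of the SP's
        SPSSODescriptor. -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <!-- ... KeyDescriptor / AssertionConsumerService elements as usual ... -->
</md:SPSSODescriptor>

<!-- 2b. conf/relying-party.xml: only if the SP metadata cannot be changed,
         force the format precedence for that one relying party instead. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName" />
            </list>
        </property>
    </bean>
</util:list>

<!-- 3. conf/attribute-filter.xml: the NameID generator only sees attributes
        the filter has released to that SP, so sAMAccountName must be
        permitted for it. Scoping the rule to the Requester keeps the
        non-unique local login name from leaking to every other SP. -->
<AttributeFilterPolicy id="releaseSamAccountNameToExampleSP">
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="sAMAccountName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

After reloading the NameID generation service, the attribute filter and (if touched) the resolver, a dry run such as `bin/aacli.sh -n jdoe -r https://sp.example.org/shibboleth --saml2` (placeholder user and entityID) prints the assertion that would be issued; the `<saml2:NameID>` element should show the WindowsDomainQualifiedName format with the bare account name as its value and, because of `omitQualifiers`, no NameQualifier or SPNameQualifier attributes. If the NameID still comes back transient, the usual causes are the format missing from the SP metadata (or the relying-party override) or the attribute not being released by the filter.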
