Problems generating/releasing a NameID.

Ernie Kinsey Ernie.Kinsey at cpcc.edu
Fri Sep 28 08:02:47 EDT 2018


To all,

I'm having an unusual issue getting Shibboleth to authenticate with WebEx.  Essentially, I have two WebEx instances (test and production) and two Shibboleth instances (also test and production).  My test-Shibboleth to test-WebEx integration works fine, and so far as I can tell, the configuration of the two Shibboleth instances is identical in terms of configuration.  Nevertheless, my production Shibboleth instance refuses to send a complete SAML assertion to the production WebEx instance; specifically, it's refusing to add the NameID.  Here's what happened the last time I attempted this with production-Shibboleth talking to production-WebEx:

                2018-09-21 02:59:15,764 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:286] - Profile Action AddNameIDToSubjects: Attempting to add NameID to outgoing Assertion Subjects
                2018-09-21 02:59:15,765 - DEBUG [org.opensaml.saml.common.profile.logic.AbstractNameIDPolicyPredicate:218] - Policy checking disabled for NameIDPolicy with Format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                2018-09-21 02:59:15,766 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
                2018-09-21 02:59:15,767 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: [urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress]
                2018-09-21 02:59:15,767 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:117] - Metadata did not specify any formats, relying on configuration alone
                2018-09-21 02:59:15,768 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress]
                2018-09-21 02:59:15,768 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:396] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-21 02:59:15,769 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-21 02:59:15,770 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty

As you can see, it's NOT able to generate a NameID.  The same thing on the test-Shibboleth to test-WebEx goes like this:

                2018-09-25 10:29:55,100 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:286] - Profile Action AddNameIDToSubjects: Attempting to add NameID to outgoing Assertion Subjects
                2018-09-25 10:29:55,101 - DEBUG [org.opensaml.saml.common.profile.logic.AbstractNameIDPolicyPredicate:218] - Policy checking disabled for NameIDPolicy with Format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                2018-09-25 10:29:55,101 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
                2018-09-25 10:29:55,102 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: [urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress]
                2018-09-25 10:29:55,102 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:117] - Metadata did not specify any formats, relying on configuration alone
                2018-09-25 10:29:55,103 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress]
                2018-09-25 10:29:55,103 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:396] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-25 10:29:55,104 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-25 10:29:55,104 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197] - Checking for source attribute WebExEmail
                2018-09-25 10:29:55,104 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216] - Generating NameID from String-valued attribute WebExEmail
                2018-09-25 10:29:55,105 - DEBUG [org.opensaml.saml.saml2.profile.AbstractSAML2NameIDGenerator:96] - Generating NameID Ernie.Kinsey at cpcc.edu with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-25 10:29:55,105 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:118] - Successfully generated identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-25 10:29:55,106 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:400] - Profile Action AddNameIDToSubjects: Successfully generated NameID with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
                2018-09-25 10:29:55,106 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:358] - Profile Action AddNameIDToSubjects: Added NameID to 1 assertion subject(s)

.... Where there's absolutely no problem generating a NameID.  Keeping in mind that the two Shibboleth configurations match, and that when I try this, the admin panel for the two WebEx instances also match, I'm at a loss to understand how in the world this is happening.  Finally, I engaged with Cisco to compare the test and production WebEx instances to one another on the off chance there was something about how they're set up that isn't matching - but this didn't show any differences of the sort that might be relevant.

I've seen references to the general issue of a NameID not being generated (most of them having to do with the saml-nameid.xml file), but so far as I can tell, none of the problem resolutions I saw describe things in my Shibboleth configuration.  Any suggestions about other things I might check would be very much appreciated; even better, if someone's had an experience like this, any information about how that was resolved would be a huge help.

Thanks,
Ernest K. Kinsey, Jr.
Central Piedmont Community College
Charlotte, NC 28211
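
A way to line up the two traces above and find the step where they part, as an added example that is not part of the original post. The log lines are copied from the post (a subset of each trace); the function names are this example's own.

```python
import re

# idp-process.log layout: timestamp - LEVEL [logger.Class:line] - message
LINE = re.compile(r"^\s*(\S+ \S+) - (\w+)\s+\[([\w.$]+):(\d+)\] - (.*)$")

# Lines copied from the two traces in the post (a subset of each).
PROD = """
2018-09-21 02:59:15,769 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2018-09-21 02:59:15,770 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty
"""
TEST = """
2018-09-25 10:29:55,104 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2018-09-25 10:29:55,104 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197] - Checking for source attribute WebExEmail
2018-09-25 10:29:55,104 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216] - Generating NameID from String-valued attribute WebExEmail
2018-09-25 10:29:55,106 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:400] - Profile Action AddNameIDToSubjects: Successfully generated NameID with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
"""

def parse(trace):
    """Return [(short_logger, source_line, message)] with timestamps dropped."""
    steps = []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if m:  # skip blank or non-matching lines
            logger, src, msg = m.group(3, 4, 5)
            steps.append((logger.rsplit(".", 1)[-1], int(src), msg))
    return steps

def first_divergence(failing, working):
    """Find the first step at which the failing trace leaves the working one.

    Returns (index, failing_step, working_step, loggers_only_in_working);
    a step is None when that trace has already ended.
    """
    bad, good = parse(failing), parse(working)
    idx = next((i for i, (a, b) in enumerate(zip(bad, good)) if a != b),
               min(len(bad), len(good)))
    at = lambda steps: steps[idx] if idx < len(steps) else None
    only_working = sorted({s[0] for s in good} - {s[0] for s in bad})
    return idx, at(bad), at(good), only_working

if __name__ == "__main__":
    idx, bad, good, only = first_divergence(PROD, TEST)
    print(f"traces agree for {idx} step(s)")
    print("failing continues with:", bad)
    print("working continues with:", good)
    print("loggers seen only in the working trace:", only)
```

On these lines the production trace goes from ChainingNameIdentifierGenerator:106 straight to "Unable to generate a NameID", while AttributeSourcedSAML2NameIDGenerator is logged only in the test trace.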
