IdP implementation roadmap
Yakov Revyakin
yrevyakin at gmail.com
Thu Apr 18 09:39:25 EDT 2019
Hi guys, thanks to you I have made some steps forward.
Could you help me understand how the IdP handles the following related case,
to get a NameID in the emailAddress format:
1) SP metadata includes
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
2) authnrequest doesn't include any NameIDPolicy records
3) AttributeResolver & AttributeFilter provide 'mail'
(urn:oid:0.9.2342.19200300.100.1.3)
Is the next step to modify saml-nameid.xml in the following way?
<util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="IAMShowcase" />
        </property>
    </bean>
</util:list>
And relying-party.xml in the following way? (As the request doesn't include
a NameIDPolicy.)
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="IAMShowcase">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
            </list>
        </property>
    </bean>
</util:list>
Is there any way to automate this behavior using the NameIDFormat information
presented in the metadata, and skip the last 2 steps?
Thanks,
Jake
On Tue, 16 Apr 2019 at 19:35, Andrew Morgan <morgan at orst.edu> wrote:
> On Tue, 16 Apr 2019, Yakov Revyakin wrote:
>
> > I ask you to push me somehow to understand a roadmap:
> > 1) How to make the Shib IdP and a metadata-*less* SP friends?
>
> As others have said, you just create a metadata file by inserting the
> entityID and ACS URL of the SP. The IDP operates from metadata, so you'll
> need to make metadata somehow.
>
> > 2) How to force the IdP to return the user name inside NameID tag with
> > NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
>
> This wiki page explains it:
>
>
> https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
>
> Here is a sample for saml-nameid.xml you might be able to use:
>
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>       p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>       p:attributeSourceIds="#{ {'uid'} }">
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.OR">
>             <constructor-arg>
>                 <list>
>                     <bean parent="shibboleth.Conditions.RelyingPartyId"
>                           c:candidate="https://sp1" />
>                     <bean parent="shibboleth.Conditions.RelyingPartyId"
>                           c:candidate="https://sp2" />
>                 </list>
>             </constructor-arg>
>         </bean>
>     </property>
> </bean>
>
> This will generate an "unspecified" format NameID from the "uid" attribute
> for an SP with entityID of "https://sp1" or "https://sp2".
>
> You will also need to add an override to relying-party.xml to force the
> use of the "unspecified" NameID for these SPs. That is documented at the
> bottom of the wiki page.
>
> Thanks,
> Andy
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
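The thread's three moving parts (the SP's NameIDFormat list in metadata, an attribute-sourced generator in saml-nameid.xml scoped by an activationCondition, and a nameIDFormatPrecedence override in relying-party.xml) can be tied together by a small script. The following is an added example written for this page; it is not Shibboleth project code and not anything posted in the thread. It assumes a format-to-attribute map ('mail' for emailAddress, 'uid' for unspecified, as in the two posts) and its own selection rule: walk the SP's NameIDFormat elements in metadata order and take the first one whose source attribute is actually released to that SP (transient needs none). The sample metadata is constructed for the example, reusing the thread's entityID "IAMShowcase" and its two NameIDFormat values with a made-up ACS location.

```python
"""Derive Shibboleth IdP NameID config fragments from an SP's metadata.

Added example for this thread; not Shibboleth project code.  Assumptions
not taken from the thread: FORMAT_SOURCES below, and the rule that a format
is usable for an SP only when its source attribute is released to that SP.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Assumed map of NameID format -> resolved attribute that backs it.
FORMAT_SOURCES = {FMT_EMAIL: "mail", FMT_UNSPEC: "uid"}

# Constructed sample: the thread's entityID and NameIDFormat list, made-up ACS.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="IAMShowcase">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs" index="0" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, NameIDFormat URIs in document order) for one SP."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    formats = [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat") if e.text]
    return entity_id, formats


def choose_format(formats, released_attrs):
    """First listed format this IdP can mint for the SP, or None.

    transient needs no attribute; any other format is taken only when its
    source attribute is released.  An SP listing unspecified before
    emailAddress thus still gets emailAddress when only 'mail' is released.
    """
    for fmt in formats:
        if fmt == FMT_TRANSIENT:
            return fmt
        src = FORMAT_SOURCES.get(fmt)
        if src is not None and src in released_attrs:
            return fmt
    return None


def nameid_generator_bean(entity_id, fmt):
    """saml-nameid.xml entry; the activationCondition confines the generator
    to this one SP so the same attribute is not minted as a NameID for all."""
    src = FORMAT_SOURCES[fmt]
    return (
        '<bean parent="shibboleth.SAML2AttributeSourcedGenerator"\n'
        '      p:format=' + quoteattr(fmt) + '\n'
        '      p:attributeSourceIds="#{ {\'' + src + '\'} }">\n'
        '    <property name="activationCondition">\n'
        '        <bean parent="shibboleth.Conditions.RelyingPartyId"\n'
        '              c:candidate=' + quoteattr(entity_id) + ' />\n'
        '    </property>\n'
        '</bean>'
    )


def relying_party_override(entity_id, fmt):
    """relying-party.xml entry forcing fmt when the request has no NameIDPolicy."""
    return (
        '<bean parent="RelyingPartyByName" c:relyingPartyIds=' + quoteattr(entity_id) + '>\n'
        '    <property name="profileConfigurations">\n'
        '        <list>\n'
        '            <bean parent="SAML2.SSO" p:nameIDFormatPrecedence=' + quoteattr(fmt) + ' />\n'
        '        </list>\n'
        '    </property>\n'
        '</bean>'
    )


def generate_config(metadata_xml, released_attrs):
    """Parse SP metadata and return the chosen format plus both fragments."""
    entity_id, formats = parse_sp_metadata(metadata_xml)
    fmt = choose_format(formats, released_attrs)
    if fmt is None:
        raise ValueError(f"{entity_id}: none of {formats} sourceable from {sorted(released_attrs)}")
    # transient comes from the stock generator list, so no extra bean for it.
    bean = nameid_generator_bean(entity_id, fmt) if fmt in FORMAT_SOURCES else None
    return {"entity_id": entity_id, "format": fmt, "saml_nameid_xml": bean,
            "relying_party_xml": relying_party_override(entity_id, fmt)}


if __name__ == "__main__":
    cfg = generate_config(SAMPLE_SP_METADATA, {"mail"})
    print("# saml-nameid.xml\n" + cfg["saml_nameid_xml"])
    print("# relying-party.xml\n" + cfg["relying_party_xml"])
```

Run with the sample and only 'mail' released, it skips unspecified (no 'uid') and emits the same two fragments the question proposes for IAMShowcase. Two practitioner caveats: an emailAddress NameID is only as trustworthy as the 'mail' attribute behind it, so that attribute must be unique per user and not user-editable; and the per-SP activationCondition is what keeps an email-sourced NameID from being handed to every other relying party.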