IdP implementation roadmap

Yakov Revyakin yrevyakin at gmail.com
Fri Apr 19 03:32:53 EDT 2019


Cool, only one thing - it doesn't work for me in this way.

Full SP metadata is:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="IAMShowcase"
                     validUntil="2025-12-09T09:13:31.006Z">
   <md:SPSSODescriptor AuthnRequestsSigned="false"
                       WantAssertionsSigned="true"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sptest.iamshowcase.com/acs"
                                   index="0" isDefault="true"/>
   </md:SPSSODescriptor>
</md:EntityDescriptor>

saml-nameid.xml contains the following as you said:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'mail'} }">
</bean>

log contains:
2019-04-19 10:12:40,193 - 127.0.0.1 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:74] - Ignoring NameIDFormat metadata that includes the 'unspecified' format

Resulting SAMLResponse doesn't include any NameID.

If I explicitly remove

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

from the metadata, it works properly and I can see the NameID filled with mail.

What have I broken?
On Thu, 18 Apr 2019 at 19:26, Andrew Morgan <morgan at orst.edu> wrote:

> On Thu, 18 Apr 2019, Yakov Revyakin wrote:
>
> > Hi guys, thanks to you I have done some steps forward.
> >
> > Could you help me understand how the IdP manages the following related
> case
> > to get NameID in format of emailAddress:
> > 1) SP metadata includes
> >
> >
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
> >
> >
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>
> The unspecified format is ignored in metadata.  In this case, only the
> emailAddress format will be used.
>
> > 2) authnrequest doesn't include any NameIDPolicy records
> > 3) AttributeResolver&Filter provide 'mail'
> > (urn:oid:0.9.2342.19200300.100.1.3)
> >
> > Is next step to modify saml-nameid.xml in the following way?
> >
> > <util:list id="shibboleth.SAML2NameIDGenerators">
> >    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> >      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> >      p:attributeSourceIds="#{ {'mail'} }">
> >
> >      <property name="activationCondition">
> >          <bean parent="shibboleth.Conditions.RelyingPartyId"
> > c:candidate="IAMShowcase" />
> >      </property>
> >    </bean>
> > </util:list>
>
> You don't need an activationCondition here, unless you really only want to
> release the 'mail' attribute to emailAddress NameID format request for
> this specific SP.  If you want to release the 'mail' attribute as the
> NameID when *any* SP requests emailAddress format, leave out the
> activationCondition.
>
> > And relying-party.xml in the following way? (As the request doesn't
> include
> > NameIDPolicy)
> >    <util:list id="shibboleth.RelyingPartyOverrides">
> >        <bean parent="RelyingPartyByName" c:relyingPartyIds="IAMShowcase">
> >            <property name="profileConfigurations">
> >                <list>
> >                    <bean parent="SAML2.SSO"
> >
> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> > />
> >                </list>
> >            </property>
> >        </bean>
> >    </util:list>
>
> You don't need a nameIDFormatPrecedence override in relying-party.xml if
> the NameID format is specified in metadata or in the SAML authn request.
>
> > Is there any way to automate the behavior using information about
> > NameIDFormat presented in metadata and exclude 2 last steps?
>
> Yes.  You don't need an override in relying-party.xml when the metadata
> contains a NameID Format.
>
> You do need to add a NameID generator to saml-nameid.xml so that the
> Shibboleth IDP can respond to emailAddress NameID formats, but it doesn't
> need an activationCondition specific to a single SP.
>
> Thanks,
>         Andy
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
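A small pre-onboarding check, added here as an example and not code from the thread or from the Shibboleth project: it reads the SP metadata above, applies the rule the WARN line describes (a NameIDFormat list that contains 'unspecified' is discarded as a whole, which is an assumption taken from the log wording rather than from the IdP's source), and reports whether any format the SP lists is one the configured saml-nameid.xml generators can produce. The generator list is assumed to contain only the emailAddress generator shown in the thread.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed copy of the SP metadata from the thread, trimmed to the NameID parts.
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="IAMShowcase">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{UNSPECIFIED}</md:NameIDFormat>
    <md:NameIDFormat>{EMAIL}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Formats the IdP's saml-nameid.xml generators can produce (assumed: only the
# emailAddress generator configured in the thread).
GENERATOR_FORMATS = [EMAIL]

def sp_nameid_formats(metadata_xml):
    """Return the NameIDFormat values in the SP's SPSSODescriptor, in metadata order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text]

def effective_formats(sp_formats):
    """Model of the WARN line: a list containing 'unspecified' is ignored as a
    whole, not entry by entry (assumption drawn from the log wording)."""
    if UNSPECIFIED in sp_formats:
        return []
    return list(sp_formats)

def diagnose(metadata_xml, generator_formats=GENERATOR_FORMATS):
    """Report the first SP format a configured generator can satisfy, or why none can."""
    sp_formats = sp_nameid_formats(metadata_xml)
    wanted = effective_formats(sp_formats)
    if not wanted:
        return {"usable": None, "reason": "metadata formats ignored (list contains 'unspecified')"}
    usable = [f for f in wanted if f in generator_formats]
    if not usable:
        return {"usable": None, "reason": "no generator configured for the requested formats"}
    return {"usable": usable[0], "reason": "ok"}

if __name__ == "__main__":
    # As posted: no usable format. With the 'unspecified' entry removed: emailAddress.
    print(diagnose(SP_METADATA))
    fixed = SP_METADATA.replace(f"<md:NameIDFormat>{UNSPECIFIED}</md:NameIDFormat>", "")
    print(diagnose(fixed))
```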