Cherwell application (on-prem)
Peter Schober
peter.schober at univie.ac.at
Sat Apr 27 06:42:59 EDT 2019
* Lohr, Donald <lohrda at jmu.edu> [2019-04-26 22:56]:
> In the SP metadata is:
>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:*nameid-format:kerberos*</md:NameIDFormat>
Are you managing the metadata for the SP or are you consuming their
metadata directly from somewhere else?
The IDP would use emailAddress if you had configured support for that
(e.g. for other services) because it's listed first.
Also why kerberos? The SAML spec defines that NameID format as:
Kerberos principal name using the format name[/instance]@REALM.
but your sAMAccountName will not have an instance nor a REALM?
To me the more obvious NameID format to use to send a local,
unqualified userid (sAMAccountName) would be (note the second sentence
about omitting the qualifier):
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
A Windows domain qualified user name is a string of the form
"DomainName\UserName". The domain name and "\" separator MAY be omitted.
> <resolver:AttributeDefinition id="sAMAccountName" xsi:type="ad:Simple"
> sourceAttributeID="cn">
> <resolver:Dependency ref="oud" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
> name="sAMAccountName" encodeType="false" />
> </resolver:AttributeDefinition>
1. Why would you use the resolver to generate NameIDs and not the
saml-nameid.xml configuration? Something like this should suffice
(within the "shibboleth.SAML2NameIDGenerators" list; assuming the
NameID format I suggested to use above):
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
p:attributeSourceIds="#{ {'sAMAccountName'} }" />
2. Why would you configure support for the "unspecified" NameID format
if you know the SP wants something else and you said above you want to
use kerberos?
So what you say you want to achieve and what you configured simply
does not match.
-peter
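As an added example (not part of the thread, and not the Shibboleth IdP's own code), the following Python models the point made above: the IdP picks the first format the SP lists in its metadata for which the IdP has a generator, so an SP listing emailAddress first gets emailAddress whenever that is enabled, and an SP listing only formats the IdP does not generate gets nothing. The SP metadata and usernames are constructed; the selection rule is a simplification of the IdP's behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
WDQN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"

# Constructed SP metadata mirroring the two NameIDFormat elements quoted in the thread
# (entityID is a placeholder).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_formats(metadata_xml):
    """Return the SP's NameIDFormat URIs in document order; order expresses preference."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip()
            for el in root.iterfind(".//md:SPSSODescriptor/md:NameIDFormat", NS)]


def select_format(sp_formats, idp_generator_formats):
    """Simplified model of IdP selection: first SP-listed format the IdP can generate,
    or None when there is no overlap (the SP metadata or IdP config must change)."""
    for fmt in sp_formats:
        if fmt in idp_generator_formats:
            return fmt
    return None


def windows_domain_qualified(username, domain=None):
    """Build a WindowsDomainQualifiedName value. Per the spec text quoted above, the
    domain and the backslash separator may be omitted (omitQualifiers="true")."""
    return f"{domain}\\{username}" if domain else username
```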