Subject NameID format question

Mathis, Bradley bmathis at pima.edu
Wed Nov 13 14:05:36 EST 2019


I have set up SSO for a couple of applications where the SP requires the
Subject NameID format to be
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

I'm able to do this successfully only if I release a specific attribute
that's defined in my attribute-resolver.xml as "user_id", e.g.

<resolver:AttributeDefinition xsi:type="ad:Template" id="user_id">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <ad:SourceAttribute>mail</ad:SourceAttribute>
</resolver:AttributeDefinition>


The part I don't understand is this: I have at least 2 other attribute
definitions in the attribute-resolver.xml that do not work if I release
them instead, such as the attribute "frshid":

<resolver:AttributeDefinition xsi:type="ad:Template" id="frshid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <ad:SourceAttribute>mail</ad:SourceAttribute>
</resolver:AttributeDefinition>


Here is a snippet of the Subject from a SAML trace when it works, releasing the
attribute "user_id":

<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              NameQualifier="https://idp.pima.edu/idp/shibboleth"
              SPNameQualifier="https://www.okta.com/saml2/service-provider/spin7qorz7IoNah7c0x7"
              >trename01 at pima.edu</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="144.90.132.76"
                               InResponseTo="id191289947414822031926171130"
                               NotOnOrAfter="2019-11-05T16:09:32.123Z"
                               Recipient="https://adbe-4bf37e265d9f449a0a495ce8-cdcd-prd.okta.com/auth/saml20/accauthlinktest"
                               />
</saml2:SubjectConfirmation>


Here's a snippet of the Subject from a SAML trace when it doesn't work,
releasing the attribute "frshid":

<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
              NameQualifier="https://idp.pima.edu/idp/shibboleth"
              SPNameQualifier="https://www.okta.com/saml2/service-provider/spin7qorz7IoNah7c0x7"
              >_fedcaab0bd32f85998a32e26b7ed8e73</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="144.90.132.76"
                               InResponseTo="id191277203610250932120081916"
                               NotOnOrAfter="2019-11-05T15:48:05.448Z"
                               Recipient="https://adbe-4bf37e265d9f449a0a495ce8-cdcd-prd.okta.com/auth/saml20/accauthlinktest"
                               />
</saml2:SubjectConfirmation>



Why does it only work when I use the attribute "user_id"? I'm glad I was
able to make it work, but not happy that I don't understand why. I will
be happy to answer any questions for further clarification if needed.

Thanks for any feedback.

Brad Mathis
IT Systems Architect (Acting)
Infrastructure Services - Applications
Pima Community College
520.206.4826
bmathis at pima.edu
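A check that makes the difference between the two traces mechanical, as an added example that is not from the post and not Shibboleth code: it parses a <saml2:Subject> and reports whether the NameID Format, the bearer confirmation Recipient and NotOnOrAfter match what the SP requires. The namespace map, the two sample Subjects (reconstructed from the traces above, with constructed placeholder values for the email address, SP entityID and Recipient, and a closing </saml2:Subject> so they parse) and the SP's expectations are assumptions of this example.

```python
"""Check a SAML 2.0 <saml2:Subject> against an SP's NameID and bearer requirements.

Added example for the thread above; not from the post and not part of Shibboleth.
The sample Subjects mirror the working (emailAddress) and failing (transient)
traces in the post, with constructed placeholder identifiers.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumption: standard SAML 2.0 assertion namespace, as in the traces.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholders standing in for the SP and its ACS endpoint.
SP_ENTITY_ID = "https://sp.example.com/saml2/service-provider"
EXPECTED_RECIPIENT = "https://sp.example.com/auth/saml20/acs"

# Constructed sample: the shape of the working trace (emailAddress NameID).
WORKING_SUBJECT = f"""<saml2:Subject xmlns:saml2="{NS['saml2']}">
  <saml2:NameID Format="{EMAIL_FORMAT}"
                NameQualifier="https://idp.pima.edu/idp/shibboleth"
                SPNameQualifier="{SP_ENTITY_ID}">jdoe@example.edu</saml2:NameID>
  <saml2:SubjectConfirmation Method="{BEARER}">
    <saml2:SubjectConfirmationData InResponseTo="id-constructed-1"
                                   NotOnOrAfter="2019-11-05T16:09:32.123Z"
                                   Recipient="{EXPECTED_RECIPIENT}"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>"""

# Constructed sample: the shape of the failing trace (IdP fell back to transient).
FAILING_SUBJECT = f"""<saml2:Subject xmlns:saml2="{NS['saml2']}">
  <saml2:NameID Format="{TRANSIENT_FORMAT}"
                NameQualifier="https://idp.pima.edu/idp/shibboleth"
                SPNameQualifier="{SP_ENTITY_ID}">_fedcaab0bd32f85998a32e26b7ed8e73</saml2:NameID>
  <saml2:SubjectConfirmation Method="{BEARER}">
    <saml2:SubjectConfirmationData InResponseTo="id-constructed-2"
                                   NotOnOrAfter="2019-11-05T15:48:05.448Z"
                                   Recipient="{EXPECTED_RECIPIENT}"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>"""

# Constructed "now" that lies before both NotOnOrAfter values.
CHECK_TIME = datetime(2019, 11, 5, 15, 40, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


def check_subject(xml_text, required_format, expected_recipient, now):
    """Return a list of findings; an empty list means the Subject satisfies the SP."""
    findings = []
    root = ET.fromstring(xml_text)

    name_id = root.find("saml2:NameID", NS)
    if name_id is None:
        return ["Subject carries no NameID"]
    fmt = name_id.get("Format")
    if fmt != required_format:
        findings.append(f"NameID Format is {fmt}, SP requires {required_format}")
    # An emailAddress-format NameID must actually carry an address.
    if fmt == EMAIL_FORMAT and "@" not in (name_id.text or ""):
        findings.append("emailAddress NameID value is not an email address")

    confirmation = root.find("saml2:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        findings.append("no bearer SubjectConfirmation")
        return findings
    data = confirmation.find("saml2:SubjectConfirmationData", NS)
    if data is None:
        findings.append("bearer SubjectConfirmation has no SubjectConfirmationData")
        return findings
    if data.get("Recipient") != expected_recipient:
        findings.append(f"Recipient {data.get('Recipient')} is not the expected ACS URL")
    if not data.get("InResponseTo"):
        findings.append("unsolicited assertion: InResponseTo missing")
    if now >= parse_saml_time(data.get("NotOnOrAfter", "")):
        findings.append("assertion expired: NotOnOrAfter has passed")
    return findings


if __name__ == "__main__":
    for label, subject in (("working", WORKING_SUBJECT), ("failing", FAILING_SUBJECT)):
        print(label, check_subject(subject, EMAIL_FORMAT, EXPECTED_RECIPIENT, CHECK_TIME) or "OK")
```

Run against the two samples, the working Subject yields no findings and the failing one yields a single finding naming the transient format, which is exactly the difference between the two traces in the post; the same function also flags a wrong Recipient or an expired NotOnOrAfter when reviewing a trace.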

