Subject NameID format question

Aterea Brown atbrown at aut.ac.nz
Wed Nov 13 14:29:00 EST 2019


Hi Mathis,

Typically I use the file saml-nameid.xml to set the persistent id generator to use the specified format.
You then only need to release the actual attribute to the SP. So in this case you would have a clause in attribute-filter.xml that releases eMailAddress.
Then in the saml-nameid.xml you could have 2 entries for the SP.

You will need an entry that will tell the generator not to use the default method.
Then an entry that says for entityID blah, use method xyz.

There should be examples in that file.

--
Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at aut.ac.nz Phone: 9219999 x 6523
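As an added illustration (not part of the original thread) of the two entries described above, here are IdP v3-style fragments: a release rule in attribute-filter.xml and an emailAddress NameID generator in saml-nameid.xml that is active for one SP only. The SP entityID is a placeholder and the attribute ID `mail` is assumed to match the resolver.

```xml
<!-- attribute-filter.xml: release the source attribute to this SP only.
     The entityID below is a placeholder; substitute the SP's real entityID. -->
<AttributeFilterPolicy id="releaseMailToExampleSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<!-- saml-nameid.xml: the IdP walks this list and uses the first generator that
     supports the format the SP asked for and whose activation condition holds.
     The attribute-sourced generator reads the released 'mail' attribute and
     emits it as an emailAddress NameID; everyone else still gets transient. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }">
        <!-- restrict to the one SP (placeholder entityID, same as the filter rule) -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>
</util:list>
```

The SP still has to ask for the emailAddress format, either via NameIDPolicy in its AuthnRequest or a NameIDFormat element in its metadata; otherwise the relying-party override for that SP needs a nameIDFormatPrecedence listing it.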
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Mathis, Bradley <bmathis at pima.edu>
Sent: Thursday, 14 November 2019 8:05 AM
To: Shib Users <users at shibboleth.net>
Cc: White, Jeff <jwhite at pima.edu>
Subject: Subject NameID format question


I have set up SSO for a couple of applications where the SP requires the Subject NameID format to be Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

I'm able to do this successfully only if I release a specific attribute that's defined in my attribute-resolver.xml as "user_id", e.g.

<resolver:AttributeDefinition xsi:type="ad:Template" id="user_id">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <ad:SourceAttribute>mail</ad:SourceAttribute>
</resolver:AttributeDefinition>


The part I don't understand is this: I have at least 2 other attribute definitions in the attribute-resolver.xml that do not work if I release them instead, such as the attribute "frshid".

<resolver:AttributeDefinition xsi:type="ad:Template" id="frshid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <ad:SourceAttribute>mail</ad:SourceAttribute>
</resolver:AttributeDefinition>


Here's a snippet of the Subject from a SAML trace when it works, releasing the attribute "user_id":

<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             NameQualifier="https://idp.pima.edu/idp/shibboleth"
             SPNameQualifier="https://www.okta.com/saml2/service-provider/spin7qorz7IoNah7c0x7"
             >trename01 at pima.edu</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="144.90.132.76"
                              InResponseTo="id191289947414822031926171130"
                              NotOnOrAfter="2019-11-05T16:09:32.123Z"
                              Recipient="https://adbe-4bf37e265d9f449a0a495ce8-cdcd-prd.okta.com/auth/saml20/accauthlinktest"
                              />
</saml2:SubjectConfirmation>


Here's a snippet of the Subject from a SAML trace when it doesn't work, releasing the attribute "frshid":

<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
             NameQualifier="https://idp.pima.edu/idp/shibboleth"
             SPNameQualifier="https://www.okta.com/saml2/service-provider/spin7qorz7IoNah7c0x7"
             >_fedcaab0bd32f85998a32e26b7ed8e73</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="144.90.132.76"
                              InResponseTo="id191277203610250932120081916"
                              NotOnOrAfter="2019-11-05T15:48:05.448Z"
                              Recipient="https://adbe-4bf37e265d9f449a0a495ce8-cdcd-prd.okta.com/auth/saml20/accauthlinktest"
                              />
</saml2:SubjectConfirmation>



Why does it only work when I use the attribute "user_id"? I'm glad I was able to make it work but not happy that I don't understand why. I will be happy to answer any questions for further clarification if needed.

Thanks for any feedback.

Brad Mathis
IT Systems Architect (Acting)
Infrastructure Services - Applications
Pima Community College
520.206.4826
bmathis at pima.edu
