Subject NameID format question
Mathis, Bradley
bmathis at pima.edu
Wed Nov 13 14:43:02 EST 2019
Thank you for your response, Aterea. I forgot to mention (and I meant to)
that I'm using IdP 2.x, at least in production. I do have IdP 3.x set up
in test and can see the file you are referring to, and it appears I
actually have used that file to help set up SSO for Gmail at one point.
Thanks again.
Still looking for any feedback on why things are happening the way they are
in my IdP 2.x environment, if anyone has an idea.
Thanks!
Brad Mathis
IT Systems Architect (Acting)
Infrastructure Services - Applications
Pima Community College
520.206.4826
bmathis at pima.edu
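Added example, not configuration from this thread: the IdP 3.x pieces the reply below describes, an SP-specific emailAddress NameID generator in saml-nameid.xml alongside the default transient one, plus the relying-party override that stops the IdP falling back to transient for that SP. The SP entity ID https://sp.example.org/shibboleth, the attribute ID "mail", and placing the format precedence in relying-party.xml rather than saml-nameid.xml are assumptions.

```xml
<!-- Added example, not the poster's configuration (IdP 3.x). The SP entity ID
     and the attribute ID "mail" are assumptions; fragments only, no XML headers. -->

<!-- conf/saml-nameid.xml: generators are tried in list order against the
     NameID formats the IdP is permitted to use for the requesting SP. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default for every SP: an opaque transient identifier. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- For one SP only, build an emailAddress-format NameID from the resolved
         "mail" attribute. "mail" must still be released to that SP in
         attribute-filter.xml, otherwise the generator has no source value
         and the IdP silently falls through to the transient generator. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://sp.example.org/shibboleth'} }" />
        </property>
    </bean>
</util:list>

<!-- conf/relying-party.xml: put emailAddress first in the format precedence for
     this SP, so its metadata NameIDFormat (or the transient default) no longer
     decides which generator wins. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>
```

After restarting, confirm in the SAML trace that the Subject NameID Format is the 1.1 emailAddress URN for this SP and still transient for the others; a transient value for the target SP usually means the source attribute was not released.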
On Wed, Nov 13, 2019 at 12:29 PM Aterea Brown <atbrown at aut.ac.nz> wrote:
> Hi Mathis,
>
> Typically I use the file saml-nameid.xml to set the persistent ID
> generator to use the specified format.
> You then only need to release the actual attribute to the SP. So in this
> case you would have a clause in attribute-filter.xml that releases
> eMailAddress.
> Then in the saml-nameid.xml you could have 2 entries for the SP.
>
> You will need an entry that will tell the generator not to use the default
> method,
> then an entry that says for entityid blah use method xyz.
>
> There should be examples in that file.
>
> --
> Aterea Brown, AUT University
> Cybersecurity, ICT
> Email: atbrown at aut.ac.nz Phone: 9219999 x 6523
> ------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Mathis, Bradley
> <bmathis at pima.edu>
> *Sent:* Thursday, 14 November 2019 8:05 AM
> *To:* Shib Users <users at shibboleth.net>
> *Cc:* White, Jeff <jwhite at pima.edu>
> *Subject:* Subject NameID format question
>
>
> I have set up SSO for a couple of applications where the SP requires the
> Subject NameID format to be
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>
> I'm able to do this successfully only if I release a specific attribute
> that's defined in my attribute-resolver.xml as "user_id", e.g.
>
> <resolver:AttributeDefinition xsi:type="ad:Template" id="user_id">
> <resolver:Dependency ref="myLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
> <ad:SourceAttribute>mail</ad:SourceAttribute>
> </resolver:AttributeDefinition>
>
>
> The part I don't understand is this: I have at least 2 other attribute
> definitions in attribute-resolver.xml that do not work if I release
> them instead, such as the attribute "frshid":
>
> <resolver:AttributeDefinition xsi:type="ad:Template" id="frshid">
> <resolver:Dependency ref="myLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
> <ad:SourceAttribute>mail</ad:SourceAttribute>
> </resolver:AttributeDefinition>
>
>
> Here's a snippet of the Subject from a SAML trace when it works, releasing
> the attribute "user_id":
>
> <saml2:Subject>
> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> NameQualifier="https://idp.pima.edu/idp/shibboleth"
> SPNameQualifier="https://www.okta.com/saml2/service-provider/spin7qorz7IoNah7c0x7"
> >trename01 at pima.edu</saml2:NameID>
> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml2:SubjectConfirmationData Address="144.90.132.76"
> InResponseTo="id191289947414822031926171130"
> NotOnOrAfter="2019-11-05T16:09:32.123Z"
> Recipient="https://adbe-4bf37e265d9f449a0a495ce8-cdcd-prd.okta.com/auth/saml20/accauthlinktest"
> />
> </saml2:SubjectConfirmation>
>
>
> Here's a snippet of the Subject from a SAML trace when it doesn't work,
> releasing the attribute "frshid":
>
> <saml2:Subject>
> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> NameQualifier="https://idp.pima.edu/idp/shibboleth"
> SPNameQualifier="https://www.okta.com/saml2/service-provider/spin7qorz7IoNah7c0x7"
> >_fedcaab0bd32f85998a32e26b7ed8e73</saml2:NameID>
> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml2:SubjectConfirmationData Address="144.90.132.76"
> InResponseTo="id191277203610250932120081916"
> NotOnOrAfter="2019-11-05T15:48:05.448Z"
> Recipient="https://adbe-4bf37e265d9f449a0a495ce8-cdcd-prd.okta.com/auth/saml20/accauthlinktest"
> />
> </saml2:SubjectConfirmation>
>
> Why does it only work when I use the attribute "user_id"? I'm glad I was
> able to make it work, but not happy that I don't understand why. I will
> be happy to answer any questions for further clarification if needed.
>
> Thanks for any feedback.
>
> Brad Mathis
> IT Systems Architect (Acting)
> Infrastructure Services - Applications
> Pima Community College
> 520.206.4826
> bmathis at pima.edu