Set NameID format in relying party?
Baron Fujimoto
baron at hawaii.edu
Tue Sep 10 23:33:51 EDT 2019
We're running IdP 3.2.1[*] with legacy V2 conf files. I'm trying to provide an email type value in the NameID for a particular SP. My primary reference has been this wiki page: <https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration>
I have a saml-nameid.xml entry that looks like this:
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    ...
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }" />
</util:list>
and a relying-party.xml for the SP that looks like:
<RelyingParty id="https://sp.example.com"
              provider="https://idp.example.edu/idp/shibboleth"
              defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
If the metadata for the SP includes a NameIDFormat element like this, it seems to work as expected.
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
However, I added that element myself. It was originally "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", which resulted in the NameID being a transientID.
I'd like to leave the original metadata unmodified and override the NameIDFormat in the SP's relying party entry with something like the following:
<RelyingParty id="https://sp.example.com"
              provider="https://idp.example.edu/idp/shibboleth"
              nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
But when I try this, I still get a transientID in the NameID.
The wiki says, "If the metadata contains nothing, or contains the "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then the metadata is ignored." And, "Otherwise the formats specified in an SP's metadata are filtered against a nameIDFormatPrecedence profile configuration property, if set, and the resulting set of Formats is tried in order. That is, the first Format in the profile configuration that is also in the metadata and that results in a valid result will be used."
Does this mean that the format listed in nameIDFormatPrecedence must actually also be present in the metadata? If so, it doesn't seem like I gain anything by trying to set nameIDFormatPrecedence in the SP's relying party entry. But if not, what is the correct way to do this? My attempt to set it as a property of the RelyingParty element doesn't seem to have the desired effect. The wiki page linked from "profile configuration" <https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration> seems to provide a relevant example
<bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
but I can't figure out exactly how to incorporate this into the existing SP's RelyingParty entry.
Any suggestions would be appreciated!
[*] Yes, I know... plans to upgrade to 3.4.x are underway, but we need to support this in the meanwhile.
--
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
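For reference, here is how the SAML2.SSO bean quoted from the wiki fits into a native (non-legacy) IdP 3 relying-party.xml override. This is an added example, not code from the original post or from the Shibboleth project; it reuses the SP entity ID from the post and assumes, as the quoted wiki text states, that nameIDFormatPrecedence is a property of the profile configuration bean rather than of the RelyingParty element. The Spring `c:` and `p:` namespace prefixes are assumed to be declared at the top of the file, as they are in the stock IdP 3 relying-party.xml, and the legacy defaultSigningCredentialRef is left at the IdP default rather than translated.

```xml
<!-- Added example (not from the original post): native IdP 3 style override
     for one SP, equivalent in intent to the legacy <RelyingParty> block above. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.com">
    <property name="profileConfigurations">
        <list>
            <!-- nameIDFormatPrecedence lives on the profile configuration bean,
                 mirroring the example on the RelyingPartyConfiguration wiki page. -->
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  p:encryptAssertions="false"
                  p:encryptNameIDs="false" />
        </list>
    </property>
</bean>
```

The emailAddress generator from saml-nameid.xml still has to be present for this format to resolve; the precedence setting only orders which formats are tried, it does not create a generator.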