Set NameID format in relying party?
Baron Fujimoto
baron at hawaii.edu
Wed Sep 11 22:58:19 EDT 2019
On Wed, Sep 11, 2019 at 10:43:37AM +0200, Peter Schober wrote:
>* Baron Fujimoto <baron at hawaii.edu> [2019-09-11 05:34]:
>> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>> p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>> p:attributeSourceIds="#{ {'mail'} }" />
>
>Aside 1:
>The distributed example configuration also contains this:
> p:omitQualifiers="true"
>but maybe that was added later in the release cycle?
>Either way I'd add this here, too. (Not that SPs requiring use of
>email address NameIDs are likely to even look at those qualifiers.)
>
>> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
>Aside 2: Encryption of NameIDs hasn't been the default for many, many
>years now (early 2.x releases, IIRC) so there's nothing to override if
>you want to disable those.
Good to know. I tend to create new entries using existing entries as templates, so this legacy has propagated forward cargo cult-wise.
>> The wiki says, "If the metadata contains nothing, or contains the
>> "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then
>> the metadata is ignored." And, "Otherwise
>
>Exactly, otherwise meaning "If not absent or unspecified" and that
>conditional does not apply in your case.
>
>> Does this mean that the format listed in nameIDFormatPrecedence must
>> actually also be present in the metadata? If so, it doesn't seem
>> like I gain anything by trying to set nameIDFormatPrecedence in the
>> SP's relying party entry.
>
>No, because (as you say) it would be nonsensical.
Ok, that makes sense to me, but I think a strict reading of the text implies that both conditions must be met (i.e., present in metadata and a matching format in the profile configuration) — "*the first Format in the profile configuration that is also in the metadata* and that results in a valid result will be used".
>> but I can't figure out exactly how to incorporate this into the
>> existing SP's RelyingParty entry.
>
>Sorry, I don't remember the old IDP 2.x configuration. Why don't you
>use the old v2.x documentation to figure this out?
I've pored over <https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty>, which says that a RelyingParty element supports the optional attribute "nameIDFormatPrecedence - A space delimited, ordered list of name identifier formats". I think the RelyingParty entry for the SP satisfies this:
<RelyingParty id="https://sp.example.com"
    provider="https://idp.example.edu/idp/shibboleth"
    nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
>And logging, always logging.
I haven't been able to discern from the logs why the specified nameIDFormatPrecedence attribute is not being applied. It appears to select the RelyingParty configuration... but then, "No formats specified in configuration or in metadata, returning default"? (I also don't understand the preceding, "No ProfileConfiguraton available", despite that also being present in the RelyingParty element?) Is there a logging tweak that would be helpful?
DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://sp.example.com
DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration https://sp.example.com is applicable
DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:307] - Relying party configuration https://sp.example.com is applicable
DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration https://sp.example.com for request
[... attribute resolution and filtering...]
DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:286] - Profile Action AddNameIDToSubjects: Attempting to add NameID to outgoing Assertion Subjects
DEBUG [org.opensaml.saml.common.profile.logic.AbstractNameIDPolicyPredicate:139] - No object to operate on, returning true
DEBUG [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:82] - Metadata specifies the following formats: []
DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:102] - No ProfileConfiguraton available (or not an AuthenticationProfileConfiguration)
DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:110] - No formats specified in configuration or in metadata, returning default
DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:396] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
DEBUG [org.opensaml.saml.saml2.profile.AbstractSAML2NameIDGenerator:96] - Generating NameID AAdzZWNyZXQx8MnbB+GduKnOv/pfKDAbM5fC/J+BCu7pefFoDYhIsKxEyx36horgNLUXXUSpLX6HD8OoziUt7EDn+JNT2xucygW4B8jmDd4Cl2qRdqNrdPyo3+PDoZTk0R/y9T7lbCLAOHUsfQW25QoHqBbD5nTa0+fKIH+f/P/f68laIKBFRH8= with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:118] - Successfully generated identifier with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:400] - Profile Action AddNameIDToSubjects: Successfully generated NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:358] - Profile Action AddNameIDToSubjects: Added NameID to 1 assertion subject(s)
--
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
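As an added illustration (not part of this thread, and not Shibboleth's own code), the following Python models the NameID format selection rule quoted from the wiki above and reproduces the decision visible in the debug log: with no formats from the profile configuration and none from metadata, the IdP falls back to a default, which the log shows as transient. The RelyingParty snippet and SP metadata below are constructed for the example; the branch where the configuration lists nothing but metadata does, and the branch where both list formats but share none, are assumptions here, since the page does not describe them.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed RelyingParty element (namespace and child elements omitted on purpose).
RP_XML = """<RelyingParty xmlns="urn:mace:shibboleth:2.0:relying-party"
    id="https://sp.example.com"
    nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />"""

# Constructed SP metadata that advertises a single NameIDFormat.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""


def precedence_from_relying_party(rp_xml: str) -> List[str]:
    """Return the space-delimited nameIDFormatPrecedence list of a RelyingParty element."""
    root = ET.fromstring(rp_xml)
    return root.get("nameIDFormatPrecedence", "").split()


def metadata_nameid_formats(entity_xml: str) -> List[str]:
    """Return every md:NameIDFormat value in an SP EntityDescriptor, in document order."""
    root = ET.fromstring(entity_xml)
    return [el.text.strip() for el in root.iter(f"{{{MD_NS}}}NameIDFormat") if el.text]


def candidate_formats(config_formats: Iterable[str],
                      metadata_formats: Iterable[str],
                      default: str = TRANSIENT) -> List[str]:
    """Model of the rule quoted from the wiki:
    - metadata is ignored when it lists no formats or lists the 'unspecified' format;
    - otherwise the first Format in the profile configuration that is also in the
      metadata wins (all common formats are returned, in configuration order, so the
      caller can try them in turn);
    - with nothing from either side the default is returned (transient in the log above).
    Assumptions not stated on the page: configuration empty + metadata present returns
    the metadata list; both present with no overlap returns an empty list.
    """
    cfg = [f for f in config_formats if f]
    md = list(metadata_formats)
    if not md or UNSPECIFIED in md:
        md = []                      # "the metadata is ignored"
    if not cfg and not md:
        return [default]             # "No formats specified in configuration or in metadata"
    if not cfg:
        return md                    # assumption, see docstring
    if not md:
        return cfg                   # precedence list applied as-is
    return [f for f in cfg if f in md]


if __name__ == "__main__":
    # The situation in the log: nothing from configuration, nothing from metadata.
    print(candidate_formats([], []))
    # What the poster wants: precedence list from the RelyingParty, metadata silent.
    print(candidate_formats(precedence_from_relying_party(RP_XML), []))
    # Metadata that advertises emailAddress explicitly.
    print(candidate_formats(precedence_from_relying_party(RP_XML),
                            metadata_nameid_formats(SP_METADATA)))
```

Run it against the real nameIDFormatPrecedence string and the SP's actual NameIDFormat elements to see which branch the documented rule takes; if the answer differs from the "Candidate NameID formats" debug line, the configuration side (the "No ProfileConfiguraton available" message) is where to look first.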