Persistent NameID attribute does not appear to be released.
Mathis, Bradley
bmathis at pima.edu
Wed Apr 8 11:16:51 EDT 2020
Howdy all. Note: I'm using IdP 2.x for reasons beyond my control... please
don't crucify me for that. I'm sure there are many other things to crucify
me for :-)
I'm attempting to set up SSO with the cloud service product "Beyond Trust".
The metadata generated from the SP side appears to require a persistent
NameID, as that's the only type listed in the metadata. I attempted to get
it to work by just using the default attributes that are released to
everyone. That caused a message similar to "invalid NameID" or "NameID
format not supported". That wasn't surprising. I don't think I have any
other relying parties that require a persistent NameID, so I have never
configured this before.
So my problem is: I have now configured an attribute "BeyondTrustUsername"
in the attribute-resolver that uses the persistent NameID format. I get past
the invalid NameID format message, but the attribute does not appear to be
released. I have configured the "BeyondTrustUsername" attribute in
attribute-filter.xml to release to anyone. When starting Shib I can see
references to the attribute definition being parsed in the idp-process log,
and no errors. But when I attempt to log in to the application I don't see
the attribute being released (at least not in SAML tracer). To me it
appears that the attribute is available but not being released. The
attribute I created was "BeyondTrustUsername".
Here's what I added to attribute-resolver.xml for it:
<resolver:AttributeDefinition id="BeyondTrustUsername" xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
The AttributeDefinition above appears to load OK.
Here's what I added to attribute-filter.xml in the release-to-anyone
section:
<afp:AttributeRule attributeID="BeyondTrustUsername">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
The other attributes release OK (though they are not of the persistent
NameID format).
Here's what I get in my SAML trace. Sorry for posting all of this, but I
want to make sure I have given enough information to be helpful.
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://pima.beyondtrustcloud.com/saml/sso"
    ID="_351200422a172aea25cd30be76dbcddf"
    InResponseTo="BG_f625d575141079be3df1d946780cf2b434b84194"
    IssueInstant="2020-04-08T09:44:40.384Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.pima.edu/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_45cbaeda010b480dec5ae25542abfdca"
      IssueInstant="2020-04-08T09:44:40.384Z" Version="2.0"
      xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.pima.edu/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_45cbaeda010b480dec5ae25542abfdca">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>zC3J771Z4myufNbeoZL3dqUfxu8=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SCcJ6oB2KdDqMAivUtr8FZOd4QOvjt/jBm3U7kOkc36fpBsqWDZN3kjMlCFgvrpEgzJnUqP84sDgRHL3/8wlAObeY0niphMztfOibKaijMp5DzsKt01n0F8SAUgiCMCtMNyRDcUlAKA5rSEwz7Oom6KIhzaB51evaEr8Wx0Ig+UOhdzMN7VLSKWzoFqZUW76nEc+6lMDZ5teMMj00xcBaQewyR/Q/uAgOl+7gxcRpL5WnFaXYkx58sUtCS4PeFrznAlTHxTF2uHbdX72enst7hcerJPVM3q1J5/TP7FwrHaFLlINNGy4D0lQhyuqOxjRz/xQe2caCPyLMjek1H/9Kw==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDHDCCAgSgAwIBAgIVAI8RApJaLNJSvMXpCrnt7hb5JMR2MA0GCSqGSIb3DQEBBQUAMBcxFTAT
BgNVBAMTDGlkcC5waW1hLmVkdTAeFw0xMzEyMTExNjE3MTFaFw0zMzEyMTExNjE3MTFaMBcxFTAT
BgNVBAMTDGlkcC5waW1hLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKaONUO2
QeOvi5wklyGNDnrsp1rWU3SxoRK1FKCd2SUJXJnmanY3udbCtjEO+VKrhGkc/c+9QOwWGA2n7t9U
5S/vvmJNCI1zu6q9Jnr7osAnPYwSZ8Ee36HK4epL47vyLjqBC1psspkyBgKwe6h+Dk7QZXXMeClq
6GuTDRCyEyr0uXgXxbZtvOHjMtNzSZHNPIgd8CTLhXS0K9+zS+67HRRueSfMpXNKtGhnxXlefCNZ
hJeUpMf58DxoGmqko6sy7n6Y2d7gdJUDuAO9Wu1ZDY1Ts4KPoyuFMHzFNyI+13RWDkDqPtDaxBNZ
JRaFPi1pPdW8zBYuQFXxBI5RiNyktbUCAwEAAaNfMF0wPAYDVR0RBDUwM4IMaWRwLnBpbWEuZWR1
hiNodHRwczovL2lkcC5waW1hLmVkdS9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU1NqJMb5Tjvls
997bnBJR/IFIke4wDQYJKoZIhvcNAQEFBQADggEBAAPJBOHUQ/toEICXbgm/6KOezWlpsj0wT9Pt
ZCV00w01+/PIp41j6ChZOi5aznKyje1mXJ7zhs9LsohEJG5M6+2aaOb4DDG2H/WZB/yr4LKwt5zm
wZkNEhDFpzYjlDAf8czEvAPFeO53kxILu42BEntqyEPqBH8L+8mifwcOiZTr1LUkjeG2iCrZ+4Ae
pJuq60mNjdDp78bOnQPTraPsrwysIBO+D0IU70zbJdlTTjqaDNcSc3EJTHGKT8FTBZ4AhAqFSC7Y
8szne3fNsoCZgy3JUCiYvFqkeZNXqRsWAfh40Tv6+3GYpfV3wLPnSTqH/35dNRD3MJebUFZzPCZd
c2E=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://idp.pima.edu/idp/shibboleth"
          SPNameQualifier="https://pima.beyondtrustcloud.com">trename01</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="144.90.132.128"
            InResponseTo="BG_f625d575141079be3df1d946780cf2b434b84194"
            NotOnOrAfter="2020-04-08T09:49:40.384Z"
            Recipient="https://pima.beyondtrustcloud.com/saml/sso" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-04-08T09:44:40.384Z"
        NotOnOrAfter="2020-04-08T09:49:40.384Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://pima.beyondtrustcloud.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-04-08T09:44:40.208Z"
        SessionIndex="_4e6aa2f2f8b87542705c10630fd9fb2c">
      <saml2:SubjectLocality Address="144.90.132.128" />
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">trename01</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">trename01@pima.edu</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">rename01</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">Testing</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">trename01@pima.edu</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
If you have any ideas as to what I'm missing, please let me know. I have
also tried to release the "BeyondTrustUsername" attribute directly by
adding this to attribute-filter.xml:
<!-- add for BeyondTrust -->
<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://pima.beyondtrustcloud.com" />
    <afp:AttributeRule attributeID="BeyondTrustUsername">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
I hope what I have tried to explain makes sense. Thanks ahead of time for
your input.
Brad Mathis
IT Systems Architect
Infrastructure Services - Applications
Pima Community College
520.206.4826
bmathis at pima.edu
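Added example (not part of the original post, and not a file from the Shibboleth project's own distribution). Two things are worth reading out of the trace above. First, the "BeyondTrustUsername" definition did take effect: in IdP 2.x an attribute that carries a SAML2StringNameID encoder is consumed to build the <saml2:NameID> in the Subject, and that is exactly where it shows up in the trace (Format persistent, value trename01); a NameID encoder never produces a <saml2:Attribute> in the AttributeStatement, so SAML tracer is the wrong place to look for it. The release rule is still needed, because the IdP only applies a NameID encoder to an attribute the filter has released to that SP. Second, what the NameID contains is the real problem. The persistent format is a promise to the SP that the value is an opaque, SP-specific pseudonym that will never be reassigned; shipping the raw login name under that label leaks the account name and breaks the promise, and the SP may key its local accounts on it. The fragment below derives the NameID from a ComputedId data connector instead, so each SP sees a different hash for the same user. It assumes the standard IdP 2.x prefix declarations at the top of attribute-resolver.xml (resolver:, dc:, ad:, enc:) and attribute-filter.xml (afp:, basic:), the existing myLDAP connector and uid attribute from the post, and a placeholder salt that must be replaced with a long random secret kept out of version control.

```xml
<!-- attribute-resolver.xml (added example, not the original post's config).
     ComputedId hashes the SP entity ID, the source value and the salt, so the
     result is stable per user per SP and not reversible to the username.
     The salt is a placeholder; generate a long random value, keep it secret,
     and never change it afterwards (changing it changes every user's ID). -->
<resolver:DataConnector id="computedID" xsi:type="dc:ComputedId"
                        generatedAttributeID="computedID"
                        sourceAttributeID="uid"
                        salt="REPLACE-WITH-A-LONG-RANDOM-SECRET">
    <resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>

<!-- The NameID encoder makes this attribute the source of the Subject NameID
     for SPs whose metadata lists the persistent format. It is not emitted as a
     <saml2:Attribute>; look for it in <saml2:Subject>/<saml2:NameID>. -->
<resolver:AttributeDefinition id="BeyondTrustUsername" xsi:type="ad:Simple"
                              sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release it only to this SP, not in the
     release-to-anyone policy. The encoder is only applied to attributes
     the filter actually releases to the requesting SP. -->
<afp:AttributeFilterPolicy id="releasePersistentIdToBeyondTrust">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://pima.beyondtrustcloud.com" />
    <afp:AttributeRule attributeID="BeyondTrustUsername">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

After a restart, the Subject NameID in the trace should carry a base64 hash rather than trename01, and the same user gets a different value at every other SP because the SP entity ID is part of the hash input. If BeyondTrust needs to map the NameID to a local account, do that mapping on first login and store the hash on the SP side, or use the database-backed dc:StoredId connector instead of dc:ComputedId so the IdP keeps a record of every issued value that can be looked up, audited and deactivated. Two separate upgrade items are also visible in the trace: IdP 2.x has been unsupported by the Shibboleth project since 2016, and the assertion is signed with rsa-sha1.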