Shibboleth IdP 4.0.1 proxying authentication to Azure AD

Michael Grady mgrady at unicon.net
Fri Dec 11 21:49:02 UTC 2020


As the subject states, have a Shib IdP 4.0.1 proxying authentication to Azure AD. The proxying is working, but have been trying to get rid of INFO-level log messages such as:

INFO [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:443] - Profile Action ValidateSAMLAuthentication: No transcoding rule for Attribute 'http://schemas.microsoft.com/identity/claims/tenantid'

In the SAML response from Azure AD is this:

<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>66cb8cnn-c58b-nnnn-8b3f-lnl372ecf4f0</AttributeValue>
</Attribute>

  (value slightly changed to not match up with a real one)

This IdP is still primarily relying on encoding in the attribute-resolver.xml, but we enabled the new registry approach in addition (and know that was working based on getting duplicated attributes in the response as expected), then commented out most of the provided default registry configs. Then we created a couple of custom attribute transcoding files in conf/attributes/custom (with a .properties suffix) like this:


Example File name: aztenantid.properties

id=http://schemas.microsoft.com/identity/claims/tenantid
transcoder=SAML2StringTranscoder
saml2.name=http://schemas.microsoft.com/identity/claims/tenantid
saml2.friendlyName=Aztenantid

    (does specifying a friendlyName actually "hurt" for inbound, i.e. does the above not match even if the saml2.name does, but no friendlyName is sent?)

and also tried a 2nd one with the same saml2.name but an ID of just "tenantid". We can see that the custom files are being read in by the IdP if we turn logging to debug, but we are still getting that same INFO "error message":

INFO [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:443] - Profile Action ValidateSAMLAuthentication: No transcoding rule for Attribute 'http://schemas.microsoft.com/identity/claims/tenantid'

Note we have also done the filter config and resolver config to try and send the above tenantid out in a SAML response from the IdP, and that is not working to send it out -- not surprising given that INFO message about the IdP still not finding an applicable transcoder rule.

So what are we missing? How does that transcoder rule need to be constructed to actually work?

p.s. Once we get this figured out, I'm going to write up a Shib wiki page that uses Azure AD as an example, to provide more detailed documentation on how to get this all working.

--
Michael A. Grady
IAM Architect, Unicon, Inc.
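As an added example (not part of this post, and not Shibboleth IdP code), a small Python checker that reads a transcoding rule in the .properties form shown above and reports which inbound SAML attributes have no rule whose saml2.name matches. It models the lookup by saml2.name only, which is an assumption about how matching works rather than the IdP's actual registry logic, and the assertion fragment is constructed.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_transcoder_properties(text):
    """Parse key=value lines of one transcoding rule (.properties style) into a dict."""
    rule = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        rule[key.strip()] = value.strip()
    return rule


def inbound_attribute_names(assertion_xml):
    """Return the Name of every saml2:Attribute found in an assertion."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.iter(f"{{{SAML2_ASSERTION_NS}}}Attribute")]


def unmatched_attributes(assertion_xml, rules):
    """Names of inbound attributes with no SAML2 rule whose saml2.name equals them.
    Assumption: matching is on saml2.name alone (friendlyName is ignored)."""
    known = {r.get("saml2.name") for r in rules if r.get("transcoder", "").startswith("SAML2")}
    return [n for n in inbound_attribute_names(assertion_xml) if n not in known]


# Constructed sample assertion: the tenantid claim from the post plus one extra claim.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_ASSERTION_NS}">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
   <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
   <saml:AttributeValue>Example User</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# The aztenantid.properties rule exactly as given in the post.
AZTENANTID_RULE = parse_transcoder_properties("""
id=http://schemas.microsoft.com/identity/claims/tenantid
transcoder=SAML2StringTranscoder
saml2.name=http://schemas.microsoft.com/identity/claims/tenantid
saml2.friendlyName=Aztenantid
""")

if __name__ == "__main__":
    for name in unmatched_attributes(SAMPLE_ASSERTION, [AZTENANTID_RULE]):
        print(f"No transcoding rule for Attribute '{name}'")
```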