Configuring shibboleth SP NameID format persistent

Feinstein, Moses moses.feinstein at touro.edu
Tue Jun 16 18:49:05 UTC 2020


Thank you, Scott, for taking the time to respond.

Based on your response below, perhaps you can clarify the following for me:

We are integrating with an external vendor's SP, which is sending the following in its authentication request:
    <samlp:AuthnRequest ID="_065731e5-8dd5-4704-b1a1-80e40754be2d"
                        Version="2.0"
                        IssueInstant="2020-06-15T15:53:20.193Z"
                        Destination="https://testidp.touro.edu/idp/profile/SAML2/Redirect/SSO"
                        ForceAuthn="false"
                        IsPassive="false"
                        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        AssertionConsumerServiceURL="https://host.example.org/saml2/login"
                        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host.example.org/saml2</saml:Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />
    </samlp:AuthnRequest>


The vendor is requesting the persistent NameID format:
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />


Q1. Does the vendor's authentication request look valid to you? Even though my Shibboleth IdP is configured to reply with the "persistent" NameID format, because the SP implicitly requests the persistent format, my IdP throws an error:
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
    LOGS:
    2020-06-16 14:44:07,369 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    2020-06-16 14:44:07,369 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy

If I don't specify the NameID format as persistent in the SP authentication request, then the IdP responds properly with the "persistent" NameID:
    <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"
                      NameQualifier="https://idp.example.org:18443/idp/shibboleth"
                      SPNameQualifier="https://host.example.org:11443/shibboleth"
                      >awong</saml2:NameID>
	

I am trying to replicate the same request with Shibboleth SP, and I can't seem to find any documentation that explains how to configure an authentication request that includes the NameID policy format "persistent", similar to the example above.

Q2. Can you provide any documentation reference for accomplishing this type of request in Shibboleth SP?
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />



Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, June 16, 2020 1:57 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring shibboleth SP NameID format persistent 


On 6/16/20, 1:50 PM, "users on behalf of Feinstein, Moses" <users-bounces at shibboleth.net on behalf of moses.feinstein at touro.edu> wrote:

> Can you provide me some pointers regarding how I can configure
> Shibboleth SP to specify the following during the authentication request
> to the IdP
>
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:persistent</NameIDFormat>

There is no such Format, that's the wrong constant, but specifying formats that do exist or are locally defined is handled with the NameIDFormat content setting or property in various places in the configuration (search the wiki).

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
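As an added example (not code from the thread or from Shibboleth), a small Python check that pulls the NameIDPolicy Format out of an AuthnRequest and the NameID Format out of an assertion Subject, then flags constants SAML 2.0 does not define and request/response mismatches, the two things behind the InvalidNameIDPolicy above. The sample messages are constructed, modelled on the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# NameID Format URIs defined in SAML 2.0 Core, section 8.3. Anything else is either a
# locally defined value (then it must be configured on both sides) or, as here, a typo.
KNOWN_FORMATS = {
    UNSPECIFIED,
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

def requested_format(authn_request_xml):
    """Format from the request's NameIDPolicy, or None when the SP did not constrain it."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def issued_format(subject_xml):
    """Format of the NameID inside an assertion Subject; SAML defaults a missing one to unspecified."""
    name_id = ET.fromstring(subject_xml).find(".//saml:NameID", NS)
    return None if name_id is None else name_id.get("Format", UNSPECIFIED)

def check_policy(authn_request_xml, subject_xml):
    """Explain why an IdP would answer InvalidNameIDPolicy for this request/assertion pair."""
    wanted, got = requested_format(authn_request_xml), issued_format(subject_xml)
    findings = []
    for side, fmt in (("requested", wanted), ("issued", got)):
        if fmt is not None and fmt not in KNOWN_FORMATS:
            findings.append(f"{side} Format {fmt!r} is not a SAML-defined constant")
    if wanted not in (None, UNSPECIFIED) and got != wanted:
        findings.append(f"IdP issues {got!r} but SP requires {wanted!r}: InvalidNameIDPolicy")
    return findings

# Constructed samples modelled on the thread: the SP asks for 2.0 persistent while the
# IdP's configured constant is "1.1:persistent", which SAML never defined.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_1" Version="2.0" IssueInstant="2020-06-15T15:53:20Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
</samlp:AuthnRequest>"""
SAMPLE_SUBJECT = """<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">awong</saml2:NameID>
</saml2:Subject>"""
print(*check_policy(SAMPLE_REQUEST, SAMPLE_SUBJECT), sep="\n")
```

Once the IdP side is corrected to the real 2.0 persistent constant the check returns no findings, which is the state in which the vendor's request can be honoured.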

