Configuring shibboleth SP NameID format persistent
Feinstein, Moses
moses.feinstein at touro.edu
Tue Jun 16 21:10:20 UTC 2020
Thank you Scott, it was as you said.
For someone who may have had the same issue:
Q1. SAML nameID was released as SAML 1.1 instead of 2.0
Simply change SAML2AttributeSourcedGenerator to the following:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      p:attributeSourceIds="#{ {'uid'} }" />
Q2. "how to configure Shibboleth SP to request an alternative NameID, in my case: persistent"
On the SP, inside Shibboleth2.xml:
Add the following under the "ApplicationDefaults" tag and specify the nameid format as necessary. This will generate the following request to the IdP:
<samlp:NameIDPolicy AllowCreate="1" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
Change your nameID
<ApplicationDefaults>
    <RelyingParty Name="https://idp.example.org:18443/idp/shibboleth" NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</ApplicationDefaults>
Document reference: https://wiki.shibboleth.net/confluence/display/SP3/RelyingParty
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
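A check for the mismatch behind Q1, as an added example that is not from this thread or from the Shibboleth project: it parses an AuthnRequest and the assertion Subject with the Python standard library and reports when the issued NameID Format does not satisfy the requested NameIDPolicy, or is not a constant defined by SAML 1.1 or 2.0. The sample XML is constructed from the formats quoted in the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID Format constants defined by the SAML 1.1 and SAML 2.0 core specs.
SAML11_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
}
SAML20_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the NameIDPolicy the vendor SP sends (IDs are placeholders).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed sample: the Subject the misconfigured generator released (1.1 constant).
BAD_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">awong</saml:NameID>
</saml:Subject>"""

def requested_format(request_xml):
    """Return the NameIDPolicy Format; absent policy or Format means unspecified."""
    policy = ET.fromstring(request_xml).find("samlp:NameIDPolicy", NS)
    return UNSPECIFIED if policy is None else policy.get("Format", UNSPECIFIED)

def issued_format(subject_xml):
    """Return the Format on the assertion's NameID (absent Format means unspecified)."""
    nameid = ET.fromstring(subject_xml).find("saml:NameID", NS)
    return None if nameid is None else nameid.get("Format", UNSPECIFIED)

def check_policy(request_xml, subject_xml):
    """Return findings as strings; an empty list means the NameID satisfies the policy."""
    wanted, got = requested_format(request_xml), issued_format(subject_xml)
    findings = []
    if got not in SAML11_FORMATS | SAML20_FORMATS:
        findings.append(f"issued Format is not a spec-defined constant: {got}")
    if wanted != UNSPECIFIED and got != wanted:
        findings.append(f"policy requires {wanted}, assertion carries {got}")
    return findings
```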
-----Original Message-----
From: Feinstein, Moses
Sent: Tuesday, June 16, 2020 2:49 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Configuring shibboleth SP NameID format persistent
Thank you Scott for taking the time to respond.
Based on your response below, possibly you can clarify for me the following:
We are integrating with an external vendor's SP who is sending the following in the authentication request:
<samlp:AuthnRequest ID="_065731e5-8dd5-4704-b1a1-80e40754be2d"
Version="2.0"
IssueInstant="2020-06-15T15:53:20.193Z"
Destination="https://testidp.touro.edu/idp/profile/SAML2/Redirect/SSO"
ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://host.example.org/saml2/login"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host.example.org/saml2</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />
</samlp:AuthnRequest>
The vendor is requesting the persistent NameID format:
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />
Q1. Does the vendor authentication request look valid to you? Even though my Shibboleth IdP is configured to reply with the "persistent" nameid format, because the SP implicitly requests the persistent format, my IdP throws an error:
<saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
LOGS:
2020-06-16 14:44:07,369 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2020-06-16 14:44:07,369 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy
If I don't specify the nameID format as persistent in the SP authentication request, then the IdP responds properly with the "persistent nameID":
<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"
                  NameQualifier="https://idp.example.org:18443/idp/shibboleth"
                  SPNameQualifier="https://host.example.org:11443/shibboleth"
                  >awong</saml2:NameID>
</saml2:Subject>
I am trying to replicate the same request with Shibboleth SP, and I can't seem to find any documentation which explains how to configure an authentication request which would include the nameID policy format as persistent, similar to the example above.
Q2. Can you provide any documentation reference which explains how to accomplish this type of request in Shibboleth SP?
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, June 16, 2020 1:57 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring shibboleth SP NameID format persistent
On 6/16/20, 1:50 PM, "users on behalf of Feinstein, Moses" <users-bounces at shibboleth.net on behalf of moses.feinstein at touro.edu> wrote:
> Can you provide me some pointers regarding how I can configure
> Shibboleth SP to specify the following during authentication request
> to idp
>
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:persistent</NameIDFormat>
There is no such Format, that's the wrong constant, but specifying formats that do exist or are locally defined is handled with the NameIDFormat content setting or property in various places in the configuration (search the wiki).
-- Scott