Support for X509SubjectName Name ID
Ullfig, Roberto Alfredo
rullfig at uic.edu
Thu May 14 13:56:36 UTC 2020
We have their metadata in this case anyway. I'm getting an error when accessing the site though:
2020-05-14 08:51:15,082 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - [DD594A7D1F7E553F1CFE487F58DD14C8] - [128.248.2.59] - Attribute sources [mail] did not produce a usable identifier
saml-nameid.xml:
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        p:attributeSourceIds="#{ {'mail'} }" />
relying-party.xml:
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://immuware-uic.azurewebsites.net">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                    p:signResponses="false"
                    p:signAssertions="false"
                    p:encryptNameIDs="false"
                    p:encryptAssertions="false"
                    p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" />
            </list>
        </property>
    </bean>
We don't have to define anything in attribute-resolver.xml? I want to use uid instead of mail, but I'm trying out different sources and getting this error.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Ullfig, Roberto Alfredo <rullfig at uic.edu>
Sent: Thursday, May 14, 2020 8:49 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Support for X509SubjectName Name ID
If you take on their metadata, though, then you're responsible for it: certificate expirations, security issues, contact information, etc.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Thursday, May 14, 2020 8:39 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Support for X509SubjectName Name ID
On 5/14/20, 9:26 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> add bean to saml-nameid.xml
> add nameIDFormatPrecedence to relying-party.xml
I would add it to their metadata; they've proven their metadata is wrong. Trusting incorrect metadata is pretty much the worst thing an IdP can do, so it's a given that their metadata should be locally managed and then you can correct it. This is why I don't allow remote metadata outside of InCommon and some local on-campus feeds.
> Then?...
That's it.
Of course, I wouldn't. I'd tell them to fix their SP unless they can justify the requirement and demonstrate an actual need.
If they want a DN for some good reason, the first problem I have is that I have no such thing to give them, but I would be especially wary of being asked to provide something that isn't a DN and simply mislabeling it. I do not do that under any circumstances. That's a standard violation.
-- Scott
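Two checks a deployer could run alongside the configuration discussed in this thread, given as an added example and not as code from the Shibboleth project or from either poster. The first follows Scott's point: before a value is issued under the X509SubjectName format it should actually parse as an X.500 distinguished name in RFC 4514 string form (the IdP's attribute-sourced generator does no such validation itself, so a mail or uid value would simply be mislabelled). The second picks the "did not produce a usable identifier" events out of idp-process.log lines, in the format shown above, so the failing attribute sources can be seen at a glance. The sample attribute values are constructed; the sample log line is the one from the thread.

```python
"""Added example: RFC 4514 DN validation for X509SubjectName NameIDs, plus a
scan of IdP log lines for attribute-sourced NameID generator failures.
Not Shibboleth code; assumes only the log message format shown in the thread."""
import re

X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# RFC 4514 attribute type: a descriptor (ALPHA then ALPHA/DIGIT/"-") or a
# dotted-decimal OID such as 2.5.4.3.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$")
# "#" followed by a BER-encoded value written as hex pairs.
_HEX_VALUE = re.compile(r"^#(?:[0-9A-Fa-f]{2})+$")
_ESCAPABLE = ' "#+,;<=>\\'


def _split_unescaped(text, sep):
    """Split on `sep` where it is not preceded by a backslash; escapes are kept."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _check_string_value(value):
    """Raise ValueError unless `value` is a valid RFC 4514 string attribute value."""
    if not value:
        raise ValueError("empty attribute value")
    if value[0] in " #" or value[-1] == " ":
        raise ValueError("leading space/'#' or trailing space must be escaped")
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 < len(value) and value[i + 1] in _ESCAPABLE:
                i += 2
            elif re.match(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
                i += 3                      # "\xx" hex escape
            else:
                raise ValueError("bad escape in %r" % value)
            continue
        if ch in '"+,;<>':
            raise ValueError("unescaped %r in %r" % (ch, value))
        i += 1


def parse_dn(dn):
    """Parse an RFC 4514 DN string into a list of RDNs, each a list of
    (attribute_type, value) tuples.  Raises ValueError if it is not a DN."""
    if dn == "":
        return []                           # RFC 4514 permits the empty DN
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, sep, value = ava.partition("=")
            if not sep or not _ATTR_TYPE.match(attr_type):
                raise ValueError("not an attributeType=value pair: %r" % ava)
            if not _HEX_VALUE.match(value):
                _check_string_value(value)
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns


def acceptable_nameid(value, name_format):
    """True if `value` may be issued under `name_format`.  Only X509SubjectName
    is policed here; a mail address or uid under that format is a mislabel."""
    if name_format != X509_SUBJECT_NAME:
        return True
    try:
        return len(parse_dn(value)) > 0
    except ValueError:
        return False


# Log message format as it appears in the thread.
_NO_USABLE_ID = re.compile(
    r"AttributeSourcedSAML2NameIDGenerator.*Attribute sources \[([^\]]*)\] "
    r"did not produce a usable identifier")


def failed_nameid_sources(log_lines):
    """Return the attribute source lists from IdP log lines reporting that an
    attribute-sourced NameID generator found nothing to use."""
    found = []
    for line in log_lines:
        m = _NO_USABLE_ID.search(line)
        if m:
            found.append([s.strip() for s in m.group(1).split(",")])
    return found


# Constructed sample values of the kind a "mail" or "uid" source might yield,
# and one genuine DN.
SAMPLES = {
    "mail": "jdoe@example.edu",
    "uid": "jdoe",
    "dn": "CN=Jane Doe,OU=ACCC,O=Example University,C=US",
}
# The log line quoted in the thread.
LOG_LINE = ("2020-05-14 08:51:15,082 - INFO [net.shibboleth.idp.saml.nameid.impl."
            "AttributeSourcedSAML2NameIDGenerator:227] - [DD594A7D1F7E553F1CFE487F58DD14C8]"
            " - [128.248.2.59] - Attribute sources [mail] did not produce a usable identifier")

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", "ok" if acceptable_nameid(value, X509_SUBJECT_NAME) else "not a DN")
    print("failed sources:", failed_nameid_sources([LOG_LINE]))
```

Run it against the values your resolver actually produces for the attribute named in attributeSourceIds: only a value that parse_dn accepts is something you can honestly label X509SubjectName, which is the condition Scott sets out above.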
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net