Nameid in clear text

Mathew, Sunil smathew at hbs.edu
Mon Nov 2 21:02:50 UTC 2020


Hi,

When I send an encrypted NameID to the SP, it creates a new user every time I log in with an account, because the SP tries to match on the NameID. So I need to send the NameID in clear text.

Here is my attribute-filter.xml:

    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://bootcamp.quickbase.com" />
        <afp:AttributeRule attributeID="quickbase_federated_id">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>


Here is my attribute-resolver.xml:
    <resolver:AttributeDefinition xsi:type="ad:PrincipalName" id="quickbase_federated_id">
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid" friendlyName="uid" />
    </resolver:AttributeDefinition>


Here is my relying-party.xml:
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://bootcamp.quickbase.com">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />
                </list>
            </property>
        </bean>


Here is the SP metadata:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="https://bootcamp.quickbase.com">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://bootcamp.quickbase.com/saml/SSOAssert.aspx"
                                     index="1" />

    </md:SPSSODescriptor>
</md:EntityDescriptor>


For other SPs, I used to comment out this line in relying-party.xml in order to send the NameID in clear text:
<bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />


Now if I do that, I get the following error:
2020-11-02 16:00:51,838 - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:221] - Validation failure: Failed to resolve both a data and a key encryption credential
2020-11-02 16:00:51,838 - WARN [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:343] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters

Can you please let me know how I can send the NameID in clear text?

Thanks for your help.


Regards,
Sunil
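An added example (not from the original message and not the Shibboleth project's own code): the same relying-party override with the two SAML2.SSO beans merged into one. It assumes that the IdP keys profileConfigurations by profile id, so of two SAML2.SSO beans in one list only one takes effect and the nameIDFormatPrecedence and the encryption settings never apply together; the entity ID is the one quoted in the message.

```xml
<!-- Added example, not the poster's configuration: one SAML2.SSO bean that
     carries both the NameID format precedence and the encryption settings,
     instead of two SAML2.SSO beans in the same list. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://bootcamp.quickbase.com">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  p:encryptAssertions="false"
                  p:encryptNameIDs="never" />
        </list>
    </property>
</bean>
```

With encryptNameIDs set to "never", the IdP does not attempt to resolve an encryption credential at all, which matters here because the SP metadata quoted above carries no KeyDescriptor and therefore offers the IdP no encryption key; the two WARN lines in the message are what that lookup reports when it finds nothing. Since the NameID then travels in clear text inside the assertion, its confidentiality rests on TLS to the AssertionConsumerService and on assertion signing, so check that the IdP still signs the assertion even though the SP metadata declares WantAssertionsSigned="false". Issuing a persistent NameID also requires a persistent generator to be enabled in saml-nameid.xml, which the message does not show.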
