Nameid in clear text
Mathew, Sunil
smathew at hbs.edu
Mon Nov 2 21:02:50 UTC 2020
Hi,
When I send an encrypted NameID to the SP, it creates a new user every time I log in with an account, because the SP tries to match by the NameID. So I need to send the NameID in clear text.
Here is my attribute-filter.xml:
<afp:AttributeFilterPolicy>
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://bootcamp.quickbase.com" />
  <afp:AttributeRule attributeID="quickbase_federated_id">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Here is my attribute-resolver.xml:
<resolver:AttributeDefinition xsi:type="ad:PrincipalName" id="quickbase_federated_id">
  <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid" friendlyName="uid" />
</resolver:AttributeDefinition>
Here is my relying-party.xml:
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://bootcamp.quickbase.com">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
      <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />
    </list>
  </property>
</bean>
Here is the SP metadata:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    cacheDuration="PT604800S"
    entityID="https://bootcamp.quickbase.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bootcamp.quickbase.com/saml/SSOAssert.aspx"
        index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
For other SPs, I used to comment out this line in relying-party.xml in order to send the NameID in clear text:
<bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />
Now if I do that, I get the following error:
2020-11-02 16:00:51,838 - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:221] - Validation failure: Failed to resolve both a data and a key encryption credential
2020-11-02 16:00:51,838 - WARN [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:343] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
Can you please let me know how I can send the NameID in clear text?
Thanks for your help.
Regards,
Sunil
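As an added diagnostic (not part of the original post and not Shibboleth project code), the script below checks whether SP metadata carries a certificate the IdP could encrypt to. The IdP resolves the SP's encryption credential from md:KeyDescriptor elements in the SP metadata, and the metadata quoted in the post has none; the PLACEHOLDER_BASE64_CERT value and the with_key_descriptor helper are constructed for the example.

```python
"""Added diagnostic (not Shibboleth code): does this SP metadata carry a key
the IdP could encrypt a NameID or assertion to? The IdP takes the SP's
encryption credential from md:KeyDescriptor (use="encryption" or no use
attribute); with none present and encryption enabled, no credential resolves.
Parse only metadata you trust: ElementTree is not hardened against entity bombs."""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed copy of the SP metadata quoted in the post: no KeyDescriptor at all.
SP_METADATA_NO_KEY = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    cacheDuration="PT604800S" entityID="https://bootcamp.quickbase.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bootcamp.quickbase.com/saml/SSOAssert.aspx" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def encryption_keys(metadata_xml: str) -> List[str]:
    """Base64 certificate bodies of every SP KeyDescriptor usable for encryption."""
    root = ET.fromstring(metadata_xml)
    keys = []
    for sp in root.findall("md:SPSSODescriptor", NS):
        for kd in sp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "encryption") != "encryption":
                continue  # use="signing" is never an encryption target
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                keys.append("".join(cert.text.split()))
    return keys

def can_encrypt_to(metadata_xml: str) -> bool:
    """True when the IdP would find at least one encryption credential."""
    return bool(encryption_keys(metadata_xml))

def with_key_descriptor(metadata_xml: str, use: Optional[str]) -> str:
    """Constructed helper: splice a KeyDescriptor holding a placeholder
    certificate into the SPSSODescriptor so the check can be exercised offline."""
    use_attr = f' use="{use}"' if use else ""
    kd = (f"<md:KeyDescriptor{use_attr}>"
          '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
          "<ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>"
          "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
    anchor = "<md:AssertionConsumerService"
    return metadata_xml.replace(anchor, kd + anchor, 1)
```

Running can_encrypt_to over the quoted metadata returns False, while the same metadata with a KeyDescriptor carrying use="encryption" or no use attribute returns True and a signing-only key still returns False.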