urn:mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?

Louis Chanouha chanouha at insa-toulouse.fr
Thu Jan 7 17:35:42 UTC 2021


Hello,
I'm experiencing issues with Shibboleth 4. It doesn't accept the 
"urn:mace:shibboleth:1.0:nameIdentifier" NameIDPolicy.
Did someone successfully make urn:mace:shibboleth:1.0:nameIdentifier 
return a transient id?

I don't know, as SAML1NameIdentifier and SAML2NameID don't exist 
anymore on AttributeDefinition/xsi:type in 4.x, how to provide both 
urn:mace:shibboleth:1.0:nameIdentifier and 
urn:oasis:names:tc:SAML:2.0:nameid-format:transient on SAMLv2, as we have 
several services requesting this old value.

Some advice would be very, very appreciated, as I spent the whole day 
exploring all the Shibb 4 docs without finding any tiny path.

See my current conf below.
I use internet2's Shibboleth 4.0.1 (https://hub.docker.com/r/tier/shib-idp)

Everything else is working very well.

Sorry for my English,
Thanks,
Louis

_Request from SP_

shib-idp;idp-process.log;dev;nothing;<?xml version="1.0" 
encoding="UTF-8"?><samlp:AuthnRequest 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="xxxxx" 
Destination="https://yyyyy.fr/idp/profile/SAML2/Redirect/SSO" 
ID="ONELOGIN_3df62681-dffc-41e5-8522-251dd0165329" 
IssueInstant="2021-01-07T16:48:13Z" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
ProviderName="yyyy" Version="2.0" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
shib-idp;idp-process.log;dev;nothing; 
<saml:Issuer>https://xxxx</saml:Issuer>
shib-idp;idp-process.log;dev;nothing;    <samlp:NameIDPolicy 
AllowCreate="true" Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
shib-idp;idp-process.log;dev;nothing; <samlp:RequestedAuthnContext 
Comparison="exact">
shib-idp;idp-process.log;dev;nothing; 
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
shib-idp;idp-process.log;dev;nothing; 
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
shib-idp;idp-process.log;dev;nothing; </samlp:RequestedAuthnContext>
shib-idp;idp-process.log;dev;nothing;</samlp:AuthnRequest>

_Problem starts here:_

shib-idp;idp-process.log;dev;nothing;2021-01-07 17:19:03,128 - 
172.17.0.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:111] 
- Profile Action AddAttributeStatementToAssertion: Adding constructed 
AttributeStatement to Assertion _4a13c09af3bd47eac716494229bf5b8b
shib-idp;idp-process.log;dev;nothing;2021-01-07 17:19:03,150 - 
172.17.0.1 - WARN 
[org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile 
Action AddNameIDToSubjects: Request specified use of an unsupportable 
identifier format: urn:mace:shibboleth:1.0:nameIdentifier
shib-idp;idp-warn.log;dev;nothing;2021-01-07 17:19:03,150 - 172.17.0.1 
- WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - 
Profile Action AddNameIDToSubjects: Request specified use of an 
unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
_And the IdP returns a login error_

shib-idp;idp-process.log;dev;nothing;        <saml2p:StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
shib-idp;idp-process.log;dev;nothing; <saml2p:StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
shib-idp;idp-process.log;dev;nothing; </saml2p:StatusCode>
shib-idp;idp-process.log;dev;nothing; <saml2p:StatusMessage>An error 
occurred.</saml2p:StatusMessage>
shib-idp;idp-process.log;dev;nothing;    </saml2p:Status>

_I have the following conf:_

[saml-nameid.xml]
     <!-- SAML 2 NameID Generation -->
     <util:list id="shibboleth.SAML2NameIDGenerators">

         <ref bean="shibboleth.SAML2TransientGenerator" />

         <!-- Uncommenting this bean requires configuration in 
saml-nameid.properties. -->
         <ref bean="shibboleth.SAML2PersistentGenerator" />

         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             p:attributeSourceIds="#{ {'mail'} }" />

         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:format="urn:mace:shibboleth:1.0:nameIdentifier"
             p:attributeSourceIds="#{ {'mail'} }" />

     </util:list>

     <!-- SAML 1 NameIdentifier Generation -->
     <util:list id="shibboleth.SAML1NameIdentifierGenerators">

         <ref bean="shibboleth.SAML1TransientGenerator" />

         <!--
         <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             p:attributeSourceIds="#{ {'mail'} }" />
         -->

     </util:list>

[saml-nameid.conf]
idp.transientId.generator = shibboleth.CryptoTransientIdGenerator

tried:
idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
idp.nameid.saml2.default = urn:mace:shibboleth:1.0:nameIdentifier

without success.

I tried to send invalid data; the conf file works well, and the nameid 
generators look loaded:

         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:format="urn:mace:shibboleth:1.0:nameIdentifier"
             p:attributeSourceIds="#{ {'mail'} }" />

shib-idp;idp-process.log;dev;nothing;2021-01-07 17:20:54,541 - 
172.17.0.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:191] 
- Checking for source attribute mail
shib-idp;idp-process.log;dev;nothing;2021-01-07 17:20:54,542 - 
172.17.0.1 - INFO 
[net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:221] 
- Attribute sources [mail] did not produce a usable identifier
shib-idp;idp-process.log;dev;nothing;2021-01-07 17:20:54,542 - 
172.17.0.1 - WARN 
[org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile 
Action AddNameIDToSubjects: Request specified use of an unsupportable 
identifier format: urn:mace:shibboleth:1.0:nameIdentifier
shib-idp;idp-warn.log;dev;nothing;2021-01-07 17:20:54,542 - 172.17.0.1 - 
WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - 
Profile Action AddNameIDToSubjects: Request specified use of an 
unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
shib-idp;idp-process.log;dev;nothing;2021

I think I have all the mandatory declarations:

./metadata/idp-metadata.xml: 
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
./metadata/idp-metadata.xml: 
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
./dist/conf/saml-nameid.properties:#idp.nameid.saml1.default = 
urn:mace:shibboleth:1.0:nameIdentifier
./dist/conf/audit.xml:        <entry 
key="urn:mace:shibboleth:1.0:nameIdentifier" value="transient" />
./system/flows/saml/saml-abstract-beans.xml: 
<value>urn:mace:shibboleth:1.0:nameIdentifier</value>
./system/flows/saml/saml1/sso-abstract-beans.xml: 
p:defaultFormat="%{idp.nameid.saml1.default:urn:mace:shibboleth:1.0:nameIdentifier}" 
/>
./system/flows/admin/resolvertest-beans.xml: 
p:defaultFormat="%{idp.nameid.saml1.default:urn:mace:shibboleth:1.0:nameIdentifier}">
./system/conf/subject-c14n-system.xml:        p:formats="#{ 
{'urn:mace:shibboleth:1.0:nameIdentifier'} }" />
./system/conf/subject-c14n-system.xml:        p:formats="#{ 
{'urn:mace:shibboleth:1.0:nameIdentifier'} }" />
./conf/saml-nameid.xml: p:format="urn:mace:shibboleth:1.0:nameIdentifier"
./conf/saml-nameid.properties:idp.nameid.saml1.default = 
urn:mace:shibboleth:1.0:nameIdentifier
./conf/saml-nameid.properties:idp.nameid.saml2.default = 
urn:mace:shibboleth:1.0:nameIdentifier
./conf/audit.xml:        <entry 
key="urn:mace:shibboleth:1.0:nameIdentifier" value="transient" />
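An added example for this thread (not the poster's code and not Shibboleth IdP code): a small Python model of the step the logs show failing, namely matching the Format from the SP's NameIDPolicy against the SAML 2 generator chain in saml-nameid.xml and then asking the matching generator for a value. The AuthnRequest and the saml-nameid.xml fragment are constructed to mirror the ones quoted above, the function names (`requested_format`, `load_generators`, `select_name_id`, `diagnose`) are hypothetical, and the model deliberately leaves out the persistent generator and the "no Format / unspecified" default handling.

```python
"""Model of how an IdP matches a SAML 2 NameIDPolicy Format against its NameID
generator chain.  Added illustration for this thread; not Shibboleth IdP code and
only an approximation of its behaviour (persistent generator and the
"no Format / unspecified" default case are not modelled)."""
import re
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
P = "http://www.springframework.org/schema/p"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
LEGACY = "urn:mace:shibboleth:1.0:nameIdentifier"

# Constructed AuthnRequest modelled on the one quoted in the thread (values trimmed).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2021-01-07T16:48:13Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
</samlp:AuthnRequest>"""

# Constructed saml-nameid.xml fragment mirroring the SAML 2 generator list in the thread.
SAML_NAMEID_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:mace:shibboleth:1.0:nameIdentifier"
          p:attributeSourceIds="#{ {'mail'} }"/>
  </util:list>
</beans>"""


def requested_format(authn_request_xml):
    """Return the Format the SP asked for in <samlp:NameIDPolicy>, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    return None if policy is None else policy.get("Format")


def load_generators(saml_nameid_xml):
    """Parse the SAML 2 generator list into (kind, format, source_attribute_ids) tuples,
    in declaration order, which is the order this model consults them in."""
    root = ET.fromstring(saml_nameid_xml)
    ns = {"util": UTIL, "beans": BEANS}
    lst = root.find("util:list[@id='shibboleth.SAML2NameIDGenerators']", ns)
    chain = []
    for child in lst:
        local = child.tag.rsplit("}", 1)[-1]
        if local == "ref" and child.get("bean") == "shibboleth.SAML2TransientGenerator":
            chain.append(("transient", TRANSIENT, []))
        elif local == "bean" and child.get("parent") == "shibboleth.SAML2AttributeSourcedGenerator":
            fmt = child.get("{%s}format" % P)
            # p:attributeSourceIds holds a SpEL set literal such as #{ {'mail'} }
            ids = re.findall(r"'([^']+)'", child.get("{%s}attributeSourceIds" % P, ""))
            chain.append(("attribute", fmt, ids))
    return chain


def select_name_id(fmt, chain, attributes):
    """Try each generator that declares `fmt`; the first one producing a value wins.
    `attributes` is the resolved-and-released attribute set, id -> list of values.
    Returns ("ok", fmt, value) or ("InvalidNameIDPolicy", fmt, reason)."""
    candidates = [g for g in chain if g[1] == fmt]
    if not candidates:
        return ("InvalidNameIDPolicy", fmt, "no generator declares this format")
    tried = []
    for kind, _, source_ids in candidates:
        if kind == "transient":
            # transient ids are opaque one-time values; a random token stands in here
            return ("ok", fmt, "_" + secrets.token_hex(16))
        for source_id in source_ids:
            values = attributes.get(source_id) or []
            if values:
                return ("ok", fmt, values[0])
        tried.extend(source_ids)
    # the same dead end the IdP logs as "did not produce a usable identifier"
    return ("InvalidNameIDPolicy", fmt, "source attributes %s produced no value" % tried)


def diagnose(authn_request_xml, saml_nameid_xml, attributes):
    """End-to-end check: requested Format -> generator chain -> NameID or status."""
    return select_name_id(requested_format(authn_request_xml),
                          load_generators(saml_nameid_xml), attributes)


if __name__ == "__main__":
    print(diagnose(AUTHN_REQUEST, SAML_NAMEID_XML, {}))
    print(diagnose(AUTHN_REQUEST, SAML_NAMEID_XML, {"mail": ["louis@example.org"]}))
```

Run with an empty attribute set, the model ends in the same InvalidNameIDPolicy outcome the idp-process.log lines above show for the legacy format (the generator for the format is found, but its `mail` source yields nothing); with a `mail` value present it returns a NameID in that format, and a request for the transient format succeeds regardless of attributes. The point of the split between `load_generators` and `select_name_id` is that the two failure modes look alike in the SP-facing status but differ in the log: "no generator declares this format" versus "source attributes produced no value".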
