NameID Definition and Usage in Shib IDP 4
prasanna cg
prasannacgin at yahoo.in
Thu Jan 7 22:52:50 UTC 2021
Hello,
I recently upgraded from Shibboleth IDP v3.3.1 to IdP V4.0.1. As part of that upgrade, I had to change the NameID definition (globally) and the way it is mapped to the relying parties as the attribute encoder “SAML2StringNameID” is no longer supported in v4.
For the “unspecified” NameID to be mapped to employeeNumber, I am doing the following:
My definition in “saml-nameid.xml”:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'employeeNumber'} }" />
My definition in “attribute-resolver.xml”:
<AttributeDefinition xsi:type="Simple" id="employeeNumber">
    <InputDataConnector ref="ActiveDirectory" attributeNames="employeeNumber"/>
    <AttributeEncoder xsi:type="SAML2String" encodeType="false" name="employeeNumber"/>
</AttributeDefinition>
My RP-specific config in “relying-party.xml”:
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://def.example.com">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:securityConfiguration-ref="def-SecurityConfig" p:signAssertions="true"
                p:signResponses="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                p:encryptAssertions="false" p:encryptNameIDs="false"/>
        </list>
    </property>
</bean>
My RP-specific “attribute-filter.xml” configuration:
<!-- Release to DEF -->
<AttributeFilterPolicy id="releasetoDEF">
    <PolicyRequirementRule xsi:type="Requester" value="https://def.example.com"/>
    <AttributeRule attributeID="firstname" permitAny="true"/>
    <AttributeRule attributeID="lastname" permitAny="true"/>
    <AttributeRule attributeID="employeeNumber" permitAny="true"/>
</AttributeFilterPolicy>
Issue: With the above configuration, “employeeNumber” is sent in both the SAML Subject and the SAML Attribute Statement.
Question: Am I doing this correctly? If yes, is there a way to configure an attribute mapped for NameID purposes so that it is NOT sent in the SAML Attribute Statement as well? If I am missing something, please help!
Thanks,
Prasanna
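The following fragments are an added illustration of the separation the post asks about; they are not part of the original message or of the Shibboleth project's own documentation. They rely on the IdP behaviour that only attributes carrying an encoder (or, in v4, a transcoding rule in the attribute registry) are written into the AttributeStatement: a second resolver definition with no AttributeEncoder can feed the NameID generator but never appears as a SAML Attribute. The attribute id `employeeNumberForNameID` is a hypothetical name chosen here; the NameID source still has to be released by the attribute filter, so the filter policy references it instead of `employeeNumber`.

```xml
<!-- attribute-resolver.xml: a second definition over the same directory value.
     It carries no AttributeEncoder, so the IdP has nothing to encode it with and
     it is never placed in the AttributeStatement (id is hypothetical). -->
<AttributeDefinition xsi:type="Simple" id="employeeNumberForNameID">
    <InputDataConnector ref="ActiveDirectory" attributeNames="employeeNumber"/>
</AttributeDefinition>

<!-- saml-nameid.xml: the generator now reads the encoder-less attribute.
     The employeeNumber definition (with its SAML2String encoder) can stay for
     SPs that genuinely need it as an attribute; it is simply not released below. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'employeeNumberForNameID'} }" />

<!-- attribute-filter.xml: the NameID source must pass the filter for this SP,
     while employeeNumber itself is no longer released to it. -->
<AttributeFilterPolicy id="releasetoDEF">
    <PolicyRequirementRule xsi:type="Requester" value="https://def.example.com"/>
    <AttributeRule attributeID="firstname" permitAny="true"/>
    <AttributeRule attributeID="lastname" permitAny="true"/>
    <AttributeRule attributeID="employeeNumberForNameID" permitAny="true"/>
</AttributeFilterPolicy>
```

To check the result, perform a test login to the SP and inspect the issued assertion: the `<saml2:NameID>` in the Subject should carry the employee number, and the `<saml2:AttributeStatement>` should list only firstname and lastname. Keeping the NameID source as a separate, encoder-less attribute also means a later change to a filter policy cannot accidentally start releasing the identifier as an attribute to SPs that were only meant to see it as a NameID.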