AW: Problem with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent?
philip.nemeth at pnem.at
Sat Jan 9 19:43:50 UTC 2021
Hello Nate,
first of all – thank you very much for your answer!
Our application uses urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and I think you are right, the IdP can't handle it.
I think you are right, the saml-nameid.xml is not correct for that.
With IdP2 our configuration was this:
<resolver:AttributeEncoder xsi:type="SAML1String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:mace:dir:attribute-def:userPrincipalName" />
<resolver:AttributeEncoder xsi:type="SAML2String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:oid:1.2.840.113556.1.4.656"
    friendlyName="userPrincipalName" />
<!-- for including the persistent NameID in the response -->
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
But I think I must "translate" the code in saml-nameid.xml?
Greetings from Vienna,
Phil
From: Nate Klingenstein-5 [via Shibboleth] <ml+s1660669n7648280h95 at n2.nabble.com>
Sent: Saturday, 9 January 2021 19:03
To: philip.nemeth at pnem.at
Subject: RE: Problem with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent?
Phil,
Odds are that you haven't configured your IdP to be able to send persistent NameIDs:
> 2021-01-09 15:23:47,561 - 10.10.26.0 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
As indicated by your snippet of saml-nameid.xml.
> <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
> <!--
> <ref bean="shibboleth.SAML2PersistentGenerator" />
> -->
As such, the IdP is unable to generate the requested NameID format and meet the policy requirements of the SP with which it's attempting to communicate, causing it to error out. You'll need to follow the appropriate steps to enable the generation of persistent NameIDs. It's a slightly tricky topic, so be sure to follow the documentation closely.
https://wiki.shibboleth.net/confluence/display/IDP4/PersistentNameIDGenerationConfiguration
If the service actually requires persistent NameIDs, then you'll need to go through full configuration and understanding of them. If it doesn't and it's misusing the standard (which is fairly common in deployment), then you can put a hack in place (ill-advised in most cases), or reconfigure the service's metadata/AuthnRequest to require a different NameID format.
Best wishes,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
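For reference, the two-file change behind Nate's pointer, written out as an added example that is not from this thread or from the Shibboleth project's own stock files; the source attribute name `uid` and the salt value are placeholders, and the property names are the IdP v4 ones from saml-nameid.properties:

```properties
# saml-nameid.properties (constructed example; adjust to your own deployment)
#
# Step 1 is in saml-nameid.xml: inside the <util:list id="shibboleth.SAML2NameIDGenerators">
# list, uncomment
#   <ref bean="shibboleth.SAML2PersistentGenerator" />
# Without it the IdP logs "unsupportable identifier format" for the persistent format.
#
# Step 2 is here: tell the persistent generator what to hash and how.

# Attribute (from the attribute resolver) whose value seeds the persistent ID.
# Placeholder: "uid" is assumed; it must be stable for the lifetime of the account.
idp.persistentId.sourceAttribute = uid

# Secret salt mixed into the hash. Placeholder only: generate a long random value,
# keep it secret, and never change it afterwards: a new salt changes every user's
# persistent ID at every SP, which silently breaks their existing accounts there.
idp.persistentId.salt = CHANGE-ME-long-random-secret

# Computed (hash of sourceAttribute + SP entityID + salt), so no database is needed.
# The stored alternative keeps IDs in a database and needs idp.persistentId.dataSource.
idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator

# v4 default encoding of the computed hash; shown explicitly so upgrades from v3
# (where BASE64 was the default) do not change existing IDs unnoticed.
idp.persistentId.encoding = BASE32
```

The resulting NameID is a per-SP pseudonym, so the SP cannot correlate a user across other SPs with it; if the application only wanted a login name like userPrincipalName, that is the "misusing the standard" case Nate mentions and the fix belongs on the SP side.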