Fwd: Installing Shibboleth idp3 with hubspot as sp: Getting Saml response status code InvalidNameIDPolicy
Youssef Ait Laydi
youssef.aitlaydi at gmail.com
Fri Jun 4 21:20:36 UTC 2021
Thank you for your feedback.
I commented out this line in saml-nameid.properties:
#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
I added this configuration in saml-nameid.xml:
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:omitQualifiers="true"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }" />
And this configuration in attribute-resolver.xml:
    <AttributeDefinition id="mail" xsi:type="PrincipalName">
        <AttributeEncoder xsi:type="SAML1String"
                          name="urn:mace:dir:attribute-def:mail" />
        <AttributeEncoder xsi:type="SAML2String"
                          name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                          friendlyName="mail" />
    </AttributeDefinition>
And this configuration in relying-party.xml:
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO"
                          p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                          p:encryptAssertions="false" />
                </list>
            </property>
        </bean>
    </util:list>
But I got this error in idp-process.log:
INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [mail] did not produce a usable identifier
WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
I don't know how to get attributeSourceIds?
I have this data in the idp-process.log:
WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:93] - Relay state
exceeds 80 bytes: {"loginEmail":"test_sso at example.com
","loginType":"CONFIRMATION","redirect":"
https://app.hubspot.com/settings-sso-confirm","rememberLogin":false}
INFO [Shibboleth-Audit.SSO:275] -
20210604T211422Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ONELOGIN_40077r94-1755-45be-b4fc-0616948d6555|
https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://myhostname.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_261cae8e5a0c0b2341d79f3fea31e399|test_sso@example.com
Thank you in advance
On Fri, 4 Jun 2021 at 17:00, Peter Schober <peter.schober at univie.ac.at> wrote:
> * Peter Schober <peter.schober at univie.ac.at> [2021-06-04 17:48]:
> > That means your IDP is not configured to produce NameIDs of that format.
>
> This.
>
> > > Note that I didn't change saml-nameid.xml but I
> > > changed saml-nameid.properties:
> > > idp.nameid.saml2.default =
> > > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> >
> > A *very* bad idea (setting that as default), but also quite obviously
> > it didn't take, otherwise the IDP wouldn't be throwing that error?
>
> I missed that changing the default is no replacement for telling the
> IDP what to put into the NameID. I.e., you'd still need to configure
> saml-nameid.xml appropriately.
>
> -peter
--
Software Engineer
Oracle Certified Professional Java SE 6 Programmer
Tel: 0674-931593
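The log line "Attribute sources [mail] did not produce a usable identifier" is what the IdP reports when the attribute named in attributeSourceIds is not among the attributes available to the NameID generator, which in IdP v3 are the attributes that have passed the attribute filter for that relying party. Below is an added example (not from this thread or the Shibboleth project) of an attribute-filter.xml policy that releases the resolver's mail attribute to the HubSpot entityID quoted in the message; the policy id "releaseMailToHubSpot" is a made-up name.

```xml
<!-- Added example: attribute-filter.xml policy releasing 'mail' to the HubSpot SP
     so that the SAML2AttributeSourcedGenerator configured above has a value to use.
     The entityID is the relyingPartyId from the message; "releaseMailToHubSpot" is
     an assumed policy name. Root element and namespaces follow the IdP v3 layout. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseMailToHubSpot">
        <!-- Restrict the release to this one SP, matched on its entityID,
             rather than releasing the address to every relying party -->
        <PolicyRequirementRule xsi:type="Requester"
            value="https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId" />

        <!-- attributeID must match the id used in p:attributeSourceIds -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

After reloading the attribute filter service (or restarting the IdP) and logging in again, the Shibboleth-Audit line for the SSO should list mail among the released attributes; if the generator still reports no usable identifier, the next thing to check is whether the "mail" definition in attribute-resolver.xml resolves a value for that user at all.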