Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly

Mathew, Sunil smathew at hbs.edu
Tue Apr 12 17:35:28 UTC 2022


To clarify, I should specify that the name id gets added to the SAML response for Givitas, but does not get added to the SAML response for SmartRoom. I am not sure why that does not happen because the setup is identical.

Sunil


On Apr 12, 2022, at 10:01 AM, Mathew, Sunil via users <users at shibboleth.net> wrote:


Hi,

I have set up the “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” name id for multiple vendors using a condition.

attribute-filter.xml:

    <!-- ============================================== -->
    <!--      SmartRoom                                   -->
    <!-- ============================================== -->
    <AttributeFilterPolicy id="SmartRoom">
        <PolicyRequirementRule xsi:type="Requester" value="https://identity-qa2.smartexchange.com" />
        <AttributeRule attributeID="smartroom_name_id" permitAny="true" />
    </AttributeFilterPolicy>

attribute-resolver.xml:

    <!-- ===================START SmartRoom================== -->
    <AttributeDefinition xsi:type="Simple" id="smartroom_name_id">
        <InputDataConnector ref="zoomProfileDB" attributeNames="VALUE" />
        <AttributeEncoder xsi:type="SAML1String" name="smartroom_name_id" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="smartroom_name_id" encodeType="false" />
    </AttributeDefinition>
    <!-- ===================END SmartRoom==================== -->

metadata-providers.xml:

    <!-- ============ SmartRoom Setup ========== -->
    <MetadataProvider id="smartroomMD"
                      xsi:type="FilesystemMetadataProvider"
                      metadataFile="%{idp.home}/metadata/smartroom-metadata.xml"/>

relying-party.xml:
        <!-- SmartRoom -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO">
                        <property name="nameIDFormatPrecedence">
                            <list>
                                <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
                            </list>
                        </property>
                        <property name="encryptAssertions" value="false" />
                        <property name="encryptNameIDs" value="false" />
                    </bean>
                </list>
            </property>
        </bean>

saml-nameid.xml:
        <!-- Persistent Email address name id -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
            p:activationCondition-ref="PersistentEmailAddressCondition" />

services.xml:
    <!-- Persistent Email Address name id -->
    <bean id="PersistentEmailAddressCondition" parent="shibboleth.Conditions.OR">
        <constructor-arg>
            <list>
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://givitas.com/sp" />
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://identity-qa2.smartexchange.com" />
            </list>
        </constructor-arg>
    </bean>

Givitas works, but Smart Room does not. I have a similar setup for “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” name id and they all work. How can I resolve the issue?

Regards,
Sunil

--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
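In the Shibboleth IdP, the `nameIDFormatPrecedence` property on a profile configuration is the ordered list of NameID Formats the IdP will try for that relying party; a generator in saml-nameid.xml whose `p:format` is not in that list is never consulted, whatever its activation condition says. The SmartRoom override in the post lists only PERSISTENT (the Givitas override is not shown). The following is an added example, not configuration from the thread: the same SmartRoom override with the emailAddress format placed first in the precedence list, so the emailAddress generator above becomes eligible for this SP.

```xml
<!-- SmartRoom: relying-party.xml override (added example, not from the thread) -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO">
                <!-- Ordered list of NameID Formats the IdP may issue to this SP.
                     A generator in saml-nameid.xml is only tried when its p:format
                     appears here (or, when this property is absent, in the SP
                     metadata's NameIDFormat elements). Formats are tried in order,
                     so emailAddress is attempted before persistent. -->
                <property name="nameIDFormatPrecedence">
                    <list>
                        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
                        <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
                    </list>
                </property>
                <!-- Encryption settings kept exactly as in the original post. -->
                <property name="encryptAssertions" value="false" />
                <property name="encryptNameIDs" value="false" />
            </bean>
        </list>
    </property>
</bean>
```

With this in place, the `PersistentEmailAddressCondition` OR condition is evaluated for SmartRoom as well, and the `smartroom_name_id` attribute released by the filter policy can be used as the NameID value.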