Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly

Nadim El-Khoury nel-khoury at springfield.edu
Tue Apr 12 18:09:17 UTC 2022


Hi Sunil,

I am having the exact same problem.
The nameid is released to the first relying party but not the second one.

Best,

Nadim El-Khoury
Director of Networks, Systems, Infrastructure, and Information Security Officer
Springfield College
263 Alden Street
Springfield, MA 01109

On Tue, Apr 12, 2022 at 1:35 PM Mathew, Sunil via users <
users at shibboleth.net> wrote:

> To clarify I should specify that name id gets added to the saml response
> for givitas, but does not get added to the SAML response for smartroom. I
> am not sure why that does not happen because the setup is identical.
>
> Sunil
>
>
> On Apr 12, 2022, at 10:01 AM, Mathew, Sunil via users <
> users at shibboleth.net> wrote:
>
> 
>
> Hi,
>
>
>
> I have setup “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” name
> id for multiple vendors using condition.
>
> attribute-filter.xml:
>
>     <!-- ============================================== -->
>     <!--      SmartRoom                                   -->
>     <!-- ============================================== -->
>     <AttributeFilterPolicy id="SmartRoom">
>         <PolicyRequirementRule xsi:type="Requester" value="https://identity-qa2.smartexchange.com" />
>         <AttributeRule attributeID="smartroom_name_id" permitAny="true" />
>     </AttributeFilterPolicy>
>
> attribute-resolver.xml:
>
>     <!-- ===================START SmartRoom================== -->
>     <AttributeDefinition xsi:type="Simple" id="smartroom_name_id">
>         <InputDataConnector ref="zoomProfileDB" attributeNames="VALUE" />
>         <AttributeEncoder xsi:type="SAML1String" name="smartroom_name_id" encodeType="false" />
>         <AttributeEncoder xsi:type="SAML2String" name="smartroom_name_id" encodeType="false" />
>     </AttributeDefinition>
>     <!-- ===================END SmartRoom==================== -->
>
> metadata-providers.xml:
>
>     <!-- ============ SmartRoom Setup ========== -->
>     <MetadataProvider id="smartroomMD"
>                       xsi:type="FilesystemMetadataProvider"
>                       metadataFile="%{idp.home}/metadata/smartroom-metadata.xml"/>
>
> relying-party.xml:
>
>         <!-- SmartRoom -->
>         <bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
>             <property name="profileConfigurations">
>                 <list>
>                     <bean parent="SAML2.SSO">
>                         <property name="nameIDFormatPrecedence">
>                             <list>
>                                 <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
>                             </list>
>                         </property>
>                         <property name="encryptAssertions" value="false" />
>                         <property name="encryptNameIDs" value="false" />
>                     </bean>
>                 </list>
>             </property>
>         </bean>
>
> saml-nameid.xml:
>
>         <!-- Persistent Email address name id -->
>         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>             p:omitQualifiers="true"
>             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>             p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
>             p:activationCondition-ref="PersistentEmailAddressCondition" />
>
> services.xml:
>
>     <!-- Persistent Email Address name id -->
>     <bean id="PersistentEmailAddressCondition" parent="shibboleth.Conditions.OR">
>         <constructor-arg>
>             <list>
>                 <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://givitas.com/sp" />
>                 <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://identity-qa2.smartexchange.com" />
>             </list>
>         </constructor-arg>
>     </bean>
>
> Givitas works, but Smart Room does not. I have a similar setup for
> “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” name id and they all
> work. How can I resolve the issue?
>
>
>
> Regards,
> Sunil
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
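As an added example (not from the thread or the Shibboleth project), a small consistency check to run over attribute-filter.xml before digging further: for each relying party named in the OR condition it lists which of the generator's attributeSourceIds the Requester-scoped policies actually release, since the attribute-sourced generator has nothing to work with for a relying party that receives none of them. The filter document is constructed from the posted SmartRoom policy plus an assumed Givitas policy mirroring it; it does not examine the generator's other preconditions, such as the nameIDFormatPrecedence set in the relying-party override.

```python
"""Added consistency check for the NameID setup discussed in the thread.
Not from the thread: the filter XML is constructed from the posted SmartRoom
policy plus an assumed Givitas policy. Only permitAny="true" rules count.
"""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed attribute-filter.xml (the Givitas policy is assumed, not posted).
FILTER_XML = f"""<AttributeFilterPolicyGroup xmlns="{AFP}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="Givitas">
    <PolicyRequirementRule xsi:type="Requester" value="https://givitas.com/sp"/>
    <AttributeRule attributeID="givitas_name_id" permitAny="true"/>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="SmartRoom">
    <PolicyRequirementRule xsi:type="Requester" value="https://identity-qa2.smartexchange.com"/>
    <AttributeRule attributeID="smartroom_name_id" permitAny="true"/>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# From the posted saml-nameid.xml / services.xml: generator sources and the
# relying parties named in PersistentEmailAddressCondition.
GENERATOR_SOURCES = {"givitas_name_id", "smartroom_name_id"}
CONDITION_RPS = ["https://givitas.com/sp", "https://identity-qa2.smartexchange.com"]


def released_attributes(filter_xml: str, requester: str) -> set:
    """Attribute IDs released to `requester` by Requester-scoped policies."""
    root = ET.fromstring(filter_xml)
    released = set()
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if rule is None or rule.get(f"{{{XSI}}}type") != "Requester":
            continue  # other rule types (AND, OR, ANY, ...) are out of scope here
        if rule.get("value") != requester:
            continue
        for attr in policy.findall(f"{{{AFP}}}AttributeRule"):
            if attr.get("permitAny") == "true":
                released.add(attr.get("attributeID"))
    return released


def unsourced_relying_parties(filter_xml, sources, relying_parties):
    """Relying parties for which none of the generator's source attributes is released."""
    return [rp for rp in relying_parties
            if not (released_attributes(filter_xml, rp) & sources)]
```

For the posted fragments both relying parties receive one source attribute, so an empty result from this check means the release half is fine and the remaining difference has to be elsewhere in the per-relying-party configuration.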