Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
IAM David Bantz
dabantz at alaska.edu
Tue Apr 12 18:31:21 UTC 2022
Perhaps
>
>     <constructor-arg>
>         <list>
>             <bean parent="shibboleth.Conditions.RelyingPartyId"
>                 c:candidate="https://givitas.com/sp" />
>             <bean parent="shibboleth.Conditions.RelyingPartyId"
>                 c:candidate="https://identity-qa2.smartexchange.com" />
>         </list>
>     </constructor-arg>
>
should be like

    <constructor-arg>
        <bean parent="shibboleth.Conditions.RelyingPartyId"
            c:candidates="#{ {
                'https://givitas.com/sp',
                'https://identity-qa2.smartexchange.com'
            } }" />
    </constructor-arg>

?
On 12Apr2022 at 06:00:53, "Mathew, Sunil via users" <users at shibboleth.net>
wrote:
> Hi,
>
>
>
> I have setup “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” name
> id for multiple vendors using condition.
>
>
>
> attribute-filter.xml:
>
> <!-- ============================================== -->
> <!-- SmartRoom -->
> <!-- ============================================== -->
> <AttributeFilterPolicy id="SmartRoom">
>     <PolicyRequirementRule xsi:type="Requester"
>         value="https://identity-qa2.smartexchange.com" />
>     <AttributeRule attributeID="smartroom_name_id" permitAny="true" />
> </AttributeFilterPolicy>
>
> attribute-resolver.xml:
>
> <!-- ===================START SmartRoom================== -->
> <AttributeDefinition xsi:type="Simple" id="smartroom_name_id">
>     <InputDataConnector ref="zoomProfileDB" attributeNames="VALUE" />
>     <AttributeEncoder xsi:type="SAML1String" name="smartroom_name_id" encodeType="false" />
>     <AttributeEncoder xsi:type="SAML2String" name="smartroom_name_id" encodeType="false" />
> </AttributeDefinition>
> <!-- ===================END SmartRoom==================== -->
>
> metadata-providers.xml:
>
> <!-- ============ SmartRoom Setup ========== -->
> <MetadataProvider id="smartroomMD"
>     xsi:type="FilesystemMetadataProvider"
>     metadataFile="%{idp.home}/metadata/smartroom-metadata.xml"/>
>
> relying-party.xml:
>
> <!-- SmartRoom -->
> <bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO">
>                 <property name="nameIDFormatPrecedence">
>                     <list>
>                         <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
>                     </list>
>                 </property>
>                 <property name="encryptAssertions" value="false" />
>                 <property name="encryptNameIDs" value="false" />
>             </bean>
>         </list>
>     </property>
> </bean>
>
> saml-nameid.xml:
>
> <!-- Persistent Email address name id -->
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:omitQualifiers="true"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>     p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
>     p:activationCondition-ref="PersistentEmailAddressCondition" />
>
> services.xml:
>
> <!-- Persistent Email Address name id -->
> <bean id="PersistentEmailAddressCondition" parent="shibboleth.Conditions.OR">
>     <constructor-arg>
>         <list>
>             <bean parent="shibboleth.Conditions.RelyingPartyId"
>                 c:candidate="https://givitas.com/sp" />
>             <bean parent="shibboleth.Conditions.RelyingPartyId"
>                 c:candidate="https://identity-qa2.smartexchange.com" />
>         </list>
>     </constructor-arg>
> </bean>
>
> Givitas works, but Smart Room does not. I have a similar setup for
> “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” name id and they all
> work. How can I resolve the issue?
>
>
>
> Regards,
> Sunil
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
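As an added example (not taken from either message above and not from the Shibboleth IdP distribution): the activation condition written in the single-bean c:candidates form the IdP documents, the generator that references it, and a SmartRoom relying-party override whose nameIDFormatPrecedence names the emailAddress format. The two entity IDs and the attribute IDs are the ones from the thread; the file placement follows the post and everything else is an assumption. The point worth checking in the original configuration is that the SmartRoom override lists only NameIDType.PERSISTENT in nameIDFormatPrecedence, and that property is the ordered list of formats the IdP will try for that relying party, overriding what the SP's metadata asks for; if a persistent generator is also active for SmartRoom, it is the one that gets used unless the emailAddress format appears in that list.

```xml
<!-- Added example; not from the thread or from the Shibboleth IdP distribution.
     Entity IDs and attribute IDs are the ones in the thread; everything else
     (file placement, the EMAIL precedence) is an assumption. -->

<!-- conf/services.xml (or wherever the post keeps this bean): a single
     RelyingPartyId condition with a collection of candidates. This is the
     SpEL form (#{ {...} }) the IdP documents for a list of relying parties. -->
<bean id="PersistentEmailAddressCondition"
      parent="shibboleth.Conditions.RelyingPartyId"
      c:candidates="#{ {
          'https://givitas.com/sp',
          'https://identity-qa2.smartexchange.com'
      } }" />

<!-- conf/saml-nameid.xml: emailAddress-format generator that is only active
     for the two relying parties named in the condition above. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:omitQualifiers="true"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
      p:activationCondition-ref="PersistentEmailAddressCondition" />

<!-- conf/relying-party.xml: SmartRoom override. The precedence list names the
     emailAddress format (org.opensaml.saml.saml2.core.NameIDType.EMAIL), so the
     IdP tries the generator above for this SP. The post's override listed only
     NameIDType.PERSISTENT here. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://identity-qa2.smartexchange.com">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO">
                <property name="nameIDFormatPrecedence">
                    <list>
                        <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.EMAIL" />
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
```

The single-bean condition is functionally the same as the OR of two RelyingPartyId beans in the post; it is shorter, not more correct. The post's SmartRoom override also sets encryptAssertions and encryptNameIDs to false; that is unrelated to which NameID format is chosen, and since it sends the user's e-mail address in cleartext inside the assertion, it is worth revisiting once the SP's metadata carries an encryption key.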