Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
Mak, Steven
makst at upenn.edu
Tue Apr 12 18:34:52 UTC 2022
Also, don't forget that the SAML request coming in may be overruling your relying party override.
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz via users <users at shibboleth.net>
Date: Tuesday, April 12, 2022 at 2:31 PM
To: Shib Users <users at shibboleth.net>
Cc: IAM David Bantz <dabantz at alaska.edu>
Subject: Re: Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
Perhaps
    <constructor-arg>
        <list>
            <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://givitas.com/sp" />
            <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://identity-qa2.smartexchange.com" />
        </list>
    </constructor-arg>
should be like
    <constructor-arg>
        <bean parent="shibboleth.Conditions.RelyingPartyId"
            c:candidates="#{ {
                'https://givitas.com/sp',
                'https://identity-qa2.smartexchange.com'
            } }" />
    </constructor-arg>
?
On 12Apr2022 at 06:00:53, "Mathew, Sunil via users" <users at shibboleth.net> wrote:
Hi,
I have set up “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” name id for multiple vendors using condition.
attribute-filter.xml:
    <!-- ============================================== -->
    <!-- SmartRoom -->
    <!-- ============================================== -->
    <AttributeFilterPolicy id="SmartRoom">
        <PolicyRequirementRule xsi:type="Requester" value="https://identity-qa2.smartexchange.com" />
        <AttributeRule attributeID="smartroom_name_id" permitAny="true" />
    </AttributeFilterPolicy>
attribute-resolver.xml:
    <!-- ===================START SmartRoom================== -->
    <AttributeDefinition xsi:type="Simple" id="smartroom_name_id">
        <InputDataConnector ref="zoomProfileDB" attributeNames="VALUE" />
        <AttributeEncoder xsi:type="SAML1String" name="smartroom_name_id" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="smartroom_name_id" encodeType="false" />
    </AttributeDefinition>
    <!-- ===================END SmartRoom==================== -->
metadata-providers.xml:
    <!-- ============ SmartRoom Setup ========== -->
    <MetadataProvider id="smartroomMD"
        xsi:type="FilesystemMetadataProvider"
        metadataFile="%{idp.home}/metadata/smartroom-metadata.xml"/>
relying-party.xml:
    <!-- SmartRoom -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="nameIDFormatPrecedence">
                        <list>
                            <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
                        </list>
                    </property>
                    <property name="encryptAssertions" value="false" />
                    <property name="encryptNameIDs" value="false" />
                </bean>
            </list>
        </property>
    </bean>
saml-nameid.xml:
    <!-- Persistent Email address name id -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:omitQualifiers="true"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
        p:activationCondition-ref="PersistentEmailAddressCondition" />
services.xml:
    <!-- Persistent Email Address name id -->
    <bean id="PersistentEmailAddressCondition" parent="shibboleth.Conditions.OR">
        <constructor-arg>
            <list>
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://givitas.com/sp" />
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://identity-qa2.smartexchange.com" />
            </list>
        </constructor-arg>
    </bean>
Givitas works, but Smart Room does not. I have a similar setup for “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” name id and they all work. How can I resolve the issue?
Regards,
Sunil
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
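Added here as an illustration of the interaction Steven's reply points at (constructed example code, not from the thread or from the Shibboleth IdP): a small Python model in which the format named in the request's NameIDPolicy, the relying party's nameIDFormatPrecedence and each generator's activation condition are combined to pick a NameID format. The candidate ordering, the `select_format` helper and the generator/RP names are assumptions made to show the interaction, not the IdP's actual implementation.

```python
# Constructed model (not Shibboleth code): how a request's NameIDPolicy, a
# relying party's nameIDFormatPrecedence and a generator's activation
# condition interact. The candidate ordering below is an assumption.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass
class Generator:
    fmt: str
    # Activation condition evaluated against the relying party id, standing
    # in for shibboleth.Conditions.RelyingPartyId (and OR) from the thread.
    activation: Callable[[str], bool] = lambda rp: True


def relying_party_id(*candidates: str) -> Callable[[str], bool]:
    """RelyingPartyId with a candidates list: true for any listed entityID."""
    allowed = frozenset(candidates)
    return lambda rp: rp in allowed


def select_format(rp: str, generators: List[Generator],
                  precedence: Dict[str, List[str]],
                  requested: Optional[str] = None) -> Optional[str]:
    """Return the NameID format that would be issued to `rp`, or None when
    no active generator can satisfy an acceptable format. A format named in
    the request's NameIDPolicy is the only candidate (the request overrules
    the relying-party configuration); otherwise the RP's precedence list
    comes first, then every generator's format in configured order."""
    if requested:
        candidates = [requested]
    else:
        candidates = precedence.get(rp, []) + [g.fmt for g in generators]
    for fmt in candidates:
        for gen in generators:
            if gen.fmt == fmt and gen.activation(rp):
                return fmt
    return None


# Constructed configuration mirroring the two relying parties in the thread.
GIVITAS = "https://givitas.com/sp"
SMARTROOM = "https://identity-qa2.smartexchange.com"
GENERATORS = [
    Generator(EMAIL, relying_party_id(GIVITAS, SMARTROOM)),  # conditional
    Generator(PERSISTENT),                                   # always active
]
# SmartRoom's relying-party override lists only PERSISTENT in its precedence.
PRECEDENCE = {SMARTROOM: [PERSISTENT]}
```

In this model SmartRoom only receives the emailAddress format when its AuthnRequest asks for it, while an SP outside the condition's candidate list that asks for emailAddress gets no format at all.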