Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
Mathew, Sunil
smathew at hbs.edu
Wed Apr 13 14:23:22 UTC 2022
Thanks everyone. Changing it to EMAIL worked:
<util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.EMAIL" />
Sunil
From: users <users-bounces at shibboleth.net> on behalf of Mak, Steven via users <users at shibboleth.net>
Date: Tuesday, April 12, 2022 at 2:35 PM
To: Shib Users <users at shibboleth.net>
Cc: Mak, Steven <makst at upenn.edu>
Subject: Re: Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
Also, don't forget that the SAML request coming in may be overruling your relying party override.
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz via users <users at shibboleth.net>
Date: Tuesday, April 12, 2022 at 2:31 PM
To: Shib Users <users at shibboleth.net>
Cc: IAM David Bantz <dabantz at alaska.edu>
Subject: Re: Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
Perhaps
<constructor-arg>
<list>
<bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://givitas.com/sp" />
<bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://identity-qa2.smartexchange.com" />
</list>
</constructor-arg>
should be like
<constructor-arg>
<bean parent="shibboleth.Conditions.RelyingPartyId"
c:candidates="#{ {
'https://givitas.com/sp',
'https://identity-qa2.smartexchange.com'
} }" />
</constructor-arg>
?
On 12Apr2022 at 06:00:53, "Mathew, Sunil via users" <users at shibboleth.net> wrote:
Hi,
I have set up the “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” name ID for multiple vendors using a condition.
attribute-filter.xml:
<!-- ============================================== -->
<!-- SmartRoom -->
<!-- ============================================== -->
<AttributeFilterPolicy id="SmartRoom">
<PolicyRequirementRule xsi:type="Requester" value="https://identity-qa2.smartexchange.com" />
<AttributeRule attributeID="smartroom_name_id" permitAny="true" />
</AttributeFilterPolicy>
attribute-resolver.xml:
<!-- ===================START SmartRoom================== -->
<AttributeDefinition xsi:type="Simple" id="smartroom_name_id">
<InputDataConnector ref="zoomProfileDB" attributeNames="VALUE" />
<AttributeEncoder xsi:type="SAML1String" name="smartroom_name_id" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="smartroom_name_id" encodeType="false" />
</AttributeDefinition>
<!-- ===================END SmartRoom==================== -->
metadata-providers.xml:
<!-- ============ SmartRoom Setup ========== -->
<MetadataProvider id="smartroomMD"
xsi:type="FilesystemMetadataProvider"
metadataFile="%{idp.home}/metadata/smartroom-metadata.xml"/>
relying-party.xml:
<!-- SmartRoom -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO">
<property name="nameIDFormatPrecedence">
<list>
<util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
</list>
</property>
<property name="encryptAssertions" value="false" />
<property name="encryptNameIDs" value="false" />
</bean>
</list>
</property>
</bean>
saml-nameid.xml:
<!-- Persistent Email address name id -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
p:activationCondition-ref="PersistentEmailAddressCondition" />
services.xml:
<!-- Persistent Email Address name id -->
<bean id="PersistentEmailAddressCondition" parent="shibboleth.Conditions.OR">
<constructor-arg>
<list>
<bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://givitas.com/sp" />
<bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://identity-qa2.smartexchange.com" />
</list>
</constructor-arg>
</bean>
Givitas works, but Smart Room does not. I have a similar setup for “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” name id and they all work. How can I resolve the issue?
Regards,
Sunil
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
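Steven Mak's point above, that the incoming SAML request can override a relying-party override, is easy to check before touching relying-party.xml: decode the SAMLRequest the SP sends and read its NameIDPolicy. The script below is an added example, not code from this thread or from the Shibboleth IdP. The AuthnRequest it decodes is constructed inline with a made-up SP (https://sp.example.org/sp); effective_format is a simplified model of the selection rule (a concrete Format in the request is binding on the IdP, and only an absent or unspecified Format leaves the choice to the IdP's nameIDFormatPrecedence list), not the IdP's own code.

```python
"""Inspect the NameIDPolicy an SP sends, to see whether it overrides the IdP's
nameIDFormatPrecedence. Added example; not code from the thread or from Shibboleth."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import List, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample AuthnRequest for a made-up SP; not captured from a real SP.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_c0ffee01" Version="2.0" IssueInstant="2022-04-12T10:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://sp.example.org/sp</saml:Issuer>'
    f'<samlp:NameIDPolicy Format="{FMT_EMAIL}" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text: str) -> str:
    """Build a SAMLRequest query value the way the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header), base64, then URL-encode."""
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(saml_request_param: str) -> str:
    """Reverse of encode_redirect: URL-decode, base64-decode, inflate."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def name_id_policy(xml_text: str) -> dict:
    """Return the Issuer and the NameIDPolicy attributes of an AuthnRequest.
    ElementTree is used because the input here is constructed locally; parse
    untrusted XML with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "format": policy.get("Format") if policy is not None else None,
        "allow_create": policy.get("AllowCreate") if policy is not None else None,
    }


def effective_format(requested: Optional[str], idp_precedence: List[str]) -> str:
    """Simplified model of NameID format selection (an assumption, not the IdP's
    code): a concrete Format in the request is binding on the IdP; only when the
    request omits it or says unspecified does the IdP's precedence list decide."""
    if requested and requested != FMT_UNSPECIFIED:
        return requested
    return idp_precedence[0]


if __name__ == "__main__":
    param = encode_redirect(SAMPLE_AUTHN_REQUEST)  # what the SP would put in ?SAMLRequest=
    info = name_id_policy(decode_redirect(param))
    print(info)
    # With nameIDFormatPrecedence set to PERSISTENT, the request still wins:
    print("effective format:", effective_format(info["format"], [FMT_PERSISTENT]))
```

To use it against a real SP, copy the SAMLRequest query parameter from the redirect to the IdP and pass it to decode_redirect; if the printed Format is anything other than absent or unspecified, that is the format the IdP will try to issue regardless of the precedence list configured for that relying party.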