Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly

Nadim El-Khoury nel-khoury at springfield.edu
Wed Apr 13 14:25:36 UTC 2022


Hi Sunil,

Thank you for providing the solution.

Best,

Nadim

On Wed, Apr 13, 2022 at 10:23 AM Mathew, Sunil via users <
users at shibboleth.net> wrote:

> Thanks everyone. Changing it to EMAIL worked:
>
> <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.EMAIL" />
>
>
>
> Sunil
>
>
>
> From: users <users-bounces at shibboleth.net> on behalf of Mak, Steven via users <users at shibboleth.net>
> Date: Tuesday, April 12, 2022 at 2:35 PM
> To: Shib Users <users at shibboleth.net>
> Cc: Mak, Steven <makst at upenn.edu>
> Subject: Re: Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
>
> Also, don't forget that the SAML request coming in may be overruling your
> relying party override.
>
>
>
> From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz via users <users at shibboleth.net>
> Date: Tuesday, April 12, 2022 at 2:31 PM
> To: Shib Users <users at shibboleth.net>
> Cc: IAM David Bantz <dabantz at alaska.edu>
> Subject: Re: Multiple urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress using condition not working correctly
>
> Perhaps
>
>
>
>         <constructor-arg>
>             <list>
>                 <bean parent="shibboleth.Conditions.RelyingPartyId"
>                     c:candidate="https://givitas.com/sp" />
>                 <bean parent="shibboleth.Conditions.RelyingPartyId"
>                     c:candidate="https://identity-qa2.smartexchange.com" />
>             </list>
>         </constructor-arg>
>
> should be like
>
>         <constructor-arg>
>             <bean parent="shibboleth.Conditions.RelyingPartyId"
>                 c:candidates="#{ {'https://givitas.com/sp', 'https://identity-qa2.smartexchange.com'} }" />
>         </constructor-arg>
>
>
>
> ?
>
>
>
>
>
>
>
> On 12Apr2022 at 06:00:53, "Mathew, Sunil via users" <users at shibboleth.net>
> wrote:
>
> Hi,
>
>
>
> I have setup “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” name
> id for multiple vendors using condition.
>
>
>
> attribute-filter.xml:
>
>     <!-- ============================================== -->
>     <!--      SmartRoom                                 -->
>     <!-- ============================================== -->
>     <AttributeFilterPolicy id="SmartRoom">
>         <PolicyRequirementRule xsi:type="Requester" value="https://identity-qa2.smartexchange.com" />
>         <AttributeRule attributeID="smartroom_name_id" permitAny="true" />
>     </AttributeFilterPolicy>
>
>
>
> attribute-resolver.xml:
>
>     <!-- ===================START SmartRoom================== -->
>     <AttributeDefinition xsi:type="Simple" id="smartroom_name_id">
>         <InputDataConnector ref="zoomProfileDB" attributeNames="VALUE" />
>         <AttributeEncoder xsi:type="SAML1String" name="smartroom_name_id" encodeType="false" />
>         <AttributeEncoder xsi:type="SAML2String" name="smartroom_name_id" encodeType="false" />
>     </AttributeDefinition>
>     <!-- ===================END SmartRoom==================== -->
>
>
>
> metadata-providers.xml:
>
>     <!-- ============ SmartRoom Setup ========== -->
>     <MetadataProvider id="smartroomMD"
>                       xsi:type="FilesystemMetadataProvider"
>                       metadataFile="%{idp.home}/metadata/smartroom-metadata.xml"/>
>
>
>
> relying-party.xml:
>
>         <!-- SmartRoom -->
>         <bean parent="RelyingPartyByName" c:relyingPartyIds="https://identity-qa2.smartexchange.com">
>             <property name="profileConfigurations">
>                 <list>
>                     <bean parent="SAML2.SSO">
>                         <property name="nameIDFormatPrecedence">
>                             <list>
>                                 <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.PERSISTENT" />
>                             </list>
>                         </property>
>                         <property name="encryptAssertions" value="false" />
>                         <property name="encryptNameIDs" value="false" />
>                     </bean>
>                 </list>
>             </property>
>         </bean>
>
>
>
> saml-nameid.xml:
>
>         <!-- Persistent Email address name id -->
>         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>             p:omitQualifiers="true"
>             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>             p:attributeSourceIds="#{ {'givitas_name_id', 'smartroom_name_id'} }"
>             p:activationCondition-ref="PersistentEmailAddressCondition" />
>
>
>
> services.xml:
>
>     <!-- Persistent Email Address name id -->
>     <bean id="PersistentEmailAddressCondition" parent="shibboleth.Conditions.OR">
>         <constructor-arg>
>             <list>
>                 <bean parent="shibboleth.Conditions.RelyingPartyId"
>                     c:candidate="https://givitas.com/sp" />
>                 <bean parent="shibboleth.Conditions.RelyingPartyId"
>                     c:candidate="https://identity-qa2.smartexchange.com" />
>             </list>
>         </constructor-arg>
>     </bean>
>
>
>
> Givitas works, but Smart Room does not. I have a similar setup for
> “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” name id and they all
> work. How can I resolve the issue?
>
>
>
> Regards,
> Sunil
>
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
>
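The thread's root cause is the NameID Format selection order, not the OR condition: with nameIDFormatPrecedence set to PERSISTENT for the SmartRoom relying party, the IdP never consults the emailAddress generator, so its activation condition is irrelevant. The following is an added example, not code from the Shibboleth IdP or from any poster in the thread. It models the documented selection order (a concrete Format in the request's NameIDPolicy, then the relying party's nameIDFormatPrecedence, then NameIDFormat elements in SP metadata, then transient) and walks the three situations the thread touches: the override as posted, the override after the EMAIL fix, and Steven Mak's caveat that the SP's own NameIDPolicy takes precedence over the override. The AuthnRequest samples are constructed, and the assumption that the persistent generator has no activation condition is mine (the poster only says the persistent setup works for all vendors); the IdP's internal generator chain is simplified here, so use this as a diagnostic sketch rather than as the reference behaviour.

```python
"""Model of Shibboleth IdP SAML 2 NameID Format selection (added example, not IdP code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

GIVITAS = "https://givitas.com/sp"
SMARTROOM = "https://identity-qa2.smartexchange.com"


@dataclass(frozen=True)
class Generator:
    """One saml-nameid.xml generator bean: its p:format and the relying party
    IDs its activationCondition accepts (None = no condition, always active)."""
    fmt: str
    relying_parties: Optional[frozenset] = None

    def active_for(self, rp_id: str) -> bool:
        return self.relying_parties is None or rp_id in self.relying_parties


def requested_format(authn_request_xml: str) -> Optional[str]:
    """Format demanded by <samlp:NameIDPolicy>, or None if absent or 'unspecified'."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None
    fmt = policy.get("Format")
    return None if fmt in (None, UNSPECIFIED) else fmt


def candidate_formats(authn_request_xml: str, rp_precedence: Sequence[str],
                      sp_metadata_formats: Sequence[str]) -> List[str]:
    """Ordered list of formats the IdP will try (simplified model of the IdP).
    A concrete request Format wins outright; otherwise relying-party precedence,
    then SP metadata NameIDFormat elements, then transient as the default."""
    wanted = requested_format(authn_request_xml)
    if wanted is not None:
        return [wanted]
    ordered: List[str] = []
    for fmt in list(rp_precedence) + list(sp_metadata_formats) + [TRANSIENT]:
        if fmt not in ordered:
            ordered.append(fmt)
    return ordered


def select_nameid(rp_id: str, authn_request_xml: str, rp_precedence: Sequence[str],
                  sp_metadata_formats: Sequence[str],
                  generators: Sequence[Generator]) -> Tuple[str, Generator]:
    """First (format, generator) pair whose generator is active for this relying
    party. Raises LookupError when nothing can serve, which is the situation in
    which the IdP answers the SP with an InvalidNameIDPolicy status."""
    for fmt in candidate_formats(authn_request_xml, rp_precedence, sp_metadata_formats):
        for gen in generators:
            if gen.fmt == fmt and gen.active_for(rp_id):
                return fmt, gen
    raise LookupError("no active generator for any candidate format")


# Generators mirroring the thread's saml-nameid.xml. Assumption: the persistent
# and transient generators carry no activation condition; the emailAddress
# generator is gated on PersistentEmailAddressCondition (givitas OR smartroom).
GENERATORS = (
    Generator(PERSISTENT),
    Generator(TRANSIENT),
    Generator(EMAIL, frozenset({GIVITAS, SMARTROOM})),
)

# Constructed AuthnRequest samples, not captured traffic.
REQUEST_NO_POLICY = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    f'IssueInstant="2022-04-12T10:00:00Z"/>'
)
REQUEST_ASKS_PERSISTENT = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0" '
    f'IssueInstant="2022-04-12T10:00:00Z">'
    f'<samlp:NameIDPolicy Format="{PERSISTENT}"/></samlp:AuthnRequest>'
)
REQUEST_ASKS_EMAIL = REQUEST_ASKS_PERSISTENT.replace(PERSISTENT, EMAIL)


def smartroom_as_posted() -> str:
    """relying-party.xml as posted: nameIDFormatPrecedence = [PERSISTENT]."""
    return select_nameid(SMARTROOM, REQUEST_NO_POLICY, [PERSISTENT], [], GENERATORS)[0]


def smartroom_fixed() -> str:
    """nameIDFormatPrecedence = [EMAIL], the change that resolved the thread."""
    return select_nameid(SMARTROOM, REQUEST_NO_POLICY, [EMAIL], [], GENERATORS)[0]


def smartroom_sp_overrides() -> str:
    """The SP's NameIDPolicy beats the relying-party override, even after the fix."""
    return select_nameid(SMARTROOM, REQUEST_ASKS_PERSISTENT, [EMAIL], [], GENERATORS)[0]


def unlisted_sp_asks_email() -> bool:
    """An SP outside the OR condition demanding emailAddress cannot be served."""
    try:
        select_nameid("https://other.example.org/sp", REQUEST_ASKS_EMAIL, [], [], GENERATORS)
        return False
    except LookupError:
        return True


if __name__ == "__main__":
    print("as posted          :", smartroom_as_posted())
    print("fixed              :", smartroom_fixed())
    print("SP asks persistent :", smartroom_sp_overrides())
    print("unlisted SP, email :", "InvalidNameIDPolicy" if unlisted_sp_asks_email() else "served")
```

When debugging a case like this, check the candidate formats in the same order the IdP does: decode the SP's AuthnRequest and look at NameIDPolicy first, then the relying-party override, then the SP's metadata, and only then the generator's activation condition.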