custom nameid formats and metadata-driven config

Les LaCroix llacroix at carleton.edu
Thu Aug 4 06:08:52 UTC 2022 

I am defining a custom name format.  Things work when there is an override
in relying-parties.xml, but I've been unable to get it to work with a
metadata-driven configuration.  I'm hoping someone can spot the blunder in
my config.

I have a new SP that wants a saml2:Subject NameID sourced from "uid".
Referring to

https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631672/CustomNameIDGenerationConfiguration

, I created a custom generator in saml-nameid.xml with a format using the
URI name of uid:

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                  p:format="urn:oid:0.9.2342.19200300.100.1.1"
                  p:attributeSourceIds="#{ {'uid'} }" />

aacli verifies that I am releasing uid to the SP.  The following override
in relying-parties.xml produces the aacli.sh output that includes a
saml2:Subject like I expect:

        <bean parent="RelyingPartyByName"
                    c:relyingPartyIds="#{{'http://sp.example.org/'}}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO.MDDriven"

p:nameIDFormatPrecedence="#{{'urn:oid:0.9.2342.19200300.100.1.1'}}" />
                </list>
            </property>
        </bean>

When I comment that out and put the following in the SP's metadata file,
the aacli output no longer includes a saml2:Subject:

   <md:Extensions>
      <mdattr:EntityAttributes>
         <saml:Attribute Name="
http://shibboleth.net/ns/profiles/nameIDFormatPrecedence"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

<saml:AttributeValue>urn:oid:0.9.2342.19200300.100.1.1</saml:AttributeValue>
         </saml:Attribute>
      </mdattr:EntityAttributes>
   </md:Extensions>

idp-process.log reports that it's loading the metadata file without
errors.  aacli shows that uid is still being released.  What am I messing
up?

Thanks, -Les

ps I am running IdP 4.1.6.


<http://www.carleton.edu/>

*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220804/44e032c6/attachment.htm>

More information about the users mailing list