Azure AD Connector from IDP v4.1 - canonicalization failure

Ullfig, Roberto Alfredo rullfig at uic.edu
Wed Aug 31 14:34:01 UTC 2022


So I set those properties:

idp.c14n.attribute.attributeSourceIds = azureName
idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE

Created attribute id in registry:

opt/shibboleth-idp/conf/attributes/custom/azureName.properties:

id = azureName
transcoder = SAML2StringTranscoder
saml2.name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
saml2.nameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

attribute-sourced-subject-c14n-config.xml:

    <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
        <value>azureName</value>
    </util:list>
    <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
        <value>azureName</value>
    </util:list>

subject-c14n.xml:

<bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />

2022-08-31 09:20:07,117 - INFO [Shibboleth-Audit.SSO:283] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - 2022-08-31T14:20:07.117452Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_32524f8f6facdadbf9a62e21e07186c8|https://sts.windows.net/e202cd47-7a56-4baa-99e3-e3b71a7c77dd/|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibboleth.uic.edu/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_aa03a8db-7e80-4226-948e-d62c0991e1b7||urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|azureName|rullfig@uic.edu|_319ea856-c905-46b4-8402-d72fdc4b2600|
2022-08-31 09:20:07,118 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Checking canonicalization flow c14n/attribute for applicability...
2022-08-31 09:20:07,118 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Selecting canonicalization flow c14n/attribute
2022-08-31 09:20:07,120 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:247] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Initiating attribute resolution with label: c14n/attribute
2022-08-31 09:20:07,120 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:276] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Attempting to resolve the following attribute definitions [azureName]
2022-08-31 09:20:07,120 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:348] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': No attribute definition was registered with ID 'azureName', nothing to do
2022-08-31 09:20:07,120 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:282] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Finalizing resolved attributes
2022-08-31 09:20:07,120 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:285] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Final resolved attribute collection: []
2022-08-31 09:20:07,121 - WARN [net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization:183] - [E4849E9BA61354861C90ABC86E2AEBF8] - [128.248.2.59] - Profile Action AttributeSourcedSubjectCanonicalization: No attributes found, canonicalization not possible

"No attribute definition was registered with ID 'azureName'"  - where did I go wrong?

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, August 30, 2022 4:04 PM
To: Wessel, Keith W (UIUC) <kwessel at illinois.edu>; Shib Users <users at shibboleth.net>
Cc: Ullfig, Roberto Alfredo <rullfig at uic.edu>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

On 8/30/22, 4:51 PM, "Wessel, Keith" <kwessel at illinois.edu> wrote:

>    That’s not literally referring to the subject of the assertion.

Took me a second to find that text but I clarified it. Java Subject, not SAML Subject, obvious source of confusion in this context.

4.0 -> run the resolver, do extra stuff there to copy an IdPAttribute from the Subject using some very confusing settings because authentication isn't actually done yet

4.1+ -> look directly at Subject produced by SAML login flow and find an IdPAttributePrincipal inside it

Much simpler. Both are "attribute sourced", just no longer both "resolver sourced".

-- Scott
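As an added illustration of the two "attribute sourced" paths Scott contrasts above (not Shibboleth IdP code; Subject, IdPAttributePrincipal and the resolver registry are simplified stand-ins), this model shows why a Subject-sourced lookup succeeds while a resolver-sourced one with no registered definition ends in "No attributes found":

```python
# Added illustration, not Shibboleth IdP code: a simplified model of the two
# "attribute sourced" canonicalization paths described in the thread.
# The class names and the resolver registry are stand-ins, not the real API.
from dataclasses import dataclass, field


@dataclass
class IdPAttributePrincipal:
    """Attribute the SAML login flow placed into the Java Subject (4.1+ path)."""
    attr_id: str
    values: list


@dataclass
class Subject:
    """Stand-in for the Java Subject produced by the login flow."""
    principals: list = field(default_factory=list)


class CanonicalizationError(Exception):
    pass


def canonicalize(subject, source_ids, resolve_from_subject,
                 resolution_allowed, resolver_definitions):
    """Return the canonical principal name or raise, mirroring the log messages.

    4.1+ path: look directly at the Subject for an IdPAttributePrincipal.
    4.0-style path: run the resolver over registered attribute definitions.
    """
    found = {}
    if resolve_from_subject:
        for p in subject.principals:
            if isinstance(p, IdPAttributePrincipal) and p.attr_id in source_ids:
                found[p.attr_id] = p.values
    if not found and resolution_allowed:
        for attr_id in source_ids:
            definition = resolver_definitions.get(attr_id)
            if definition is None:
                # Same situation as "No attribute definition was registered
                # with ID ..., nothing to do": the id yields no value.
                continue
            found[attr_id] = definition()
    for attr_id in source_ids:  # first source id that produced a value wins
        if found.get(attr_id):
            return found[attr_id][0]
    raise CanonicalizationError(
        "No attributes found, canonicalization not possible")
```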

