Shibboleth IDP (V4.2.1) and Neod/Neogov setup

Nadim El-Khoury nel-khoury at springfield.edu
Mon Nov 14 20:35:40 UTC 2022


Hi Everyone,

We are trying to set up Single Sign-On between us and Neod/Neogov and it is
not working.

We dynamically consume their Metadata through InCommon, and they require
that the SAML NameID be persistent and in the email address format.

Their metadata is below.

<md:EntityDescriptor entityID="https://login.neoed.com/"
ID="_697e849a-7a17-43e7-8034-fcae23e2767d">
<md:SPSSODescriptor ID="_8153bed2-27cb-4e3a-b2f1-664a2325f71e"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://login.neoed.com/authentication/saml/consumer" index="0"
isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Neogov SSO</md:ServiceName>
<md:RequestedAttribute isRequired="true"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="mail"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>

We see the following message in the SAML tracer file and the logs.

2022-11-14 15:15:48,830 - 10.2.50.21 - WARN
[org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile
Action AddNameIDToSubjects: Request specified use of an unsupportable
identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

2022-11-14 15:15:48,834 - 10.2.50.21 - WARN
[org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event
occurred while processing the request: InvalidNameIDPolicy

We did not know whether we needed to uncomment the following line in
saml-nameid.xml or create a SAML2AttributeSourcedGenerator, which I am
including below.

        <!--
        <ref bean="shibboleth.SAML2PersistentGenerator" />
        -->

        <!-- Attribute-sourced generator: emits a NameID in the given format
             whose value is taken from the released 'mail' attribute.
             Note: the persistent format URI is a SAML 2.0 URN, not 1.1
             (there is no urn:oasis:names:tc:SAML:1.1:nameid-format:persistent).
             PersistentMailCondition must be defined elsewhere in the file. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                p:omitQualifiers="true"
                p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                p:attributeSourceIds="#{ {'mail'} }"
                p:activationCondition-ref="PersistentMailCondition" >
        </bean>

Your help or direction is very much appreciated.

Best,

Nadim

-- 
"Twenty years from now you will be more disappointed by the things that you
didn't do than by the ones you did do. So throw off the bowlines. Sail away
from the safe harbor. Catch the trade winds in your sails. Explore. Dream.
Discover." Mark Twain
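As an added example, not part of the original post and not the Shibboleth project's own distributed configuration: a saml-nameid.xml generator entry plus the matching attribute-filter.xml release rule that would let the IdP answer an AuthnRequest whose NameIDPolicy asks for the persistent format with the value of the user's mail attribute, limited to the NeoEd entityID from the metadata above. The parent bean IDs shibboleth.SAML2NameIDGenerators, shibboleth.SAML2TransientGenerator, shibboleth.SAML2AttributeSourcedGenerator and shibboleth.Conditions.RelyingPartyId are the standard IdP 4.x ones; the policy id NeoEdNameID, the use of the c: namespace (declared in the stock saml-nameid.xml) and the attribute id mail are assumptions.

```xml
<!-- conf/saml-nameid.xml: the SAML 2.0 generator list. The IdP walks this
     list in order and uses the first generator whose format matches the
     requested NameIDPolicy AND whose activation condition is true. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Stock default: a per-session transient identifier. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Added for NeoEd: persistent-format NameID carrying the mail value.
         It is only "persistent" as long as the mail attribute itself is
         stable for the user; nothing here is stored or salted. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:omitQualifiers="true"
          p:attributeSourceIds="#{ {'mail'} }">
        <!-- Scope the generator to this one SP so other relying parties
             keep receiving the transient identifier. -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://login.neoed.com/'} }" />
        </property>
    </bean>

</util:list>

<!-- conf/attribute-filter.xml: an attribute-sourced generator reads from the
     attributes released to the SP, so 'mail' must pass the filter for this
     requester or the generator silently produces nothing. -->
<AttributeFilterPolicy id="NeoEdNameID">
    <PolicyRequirementRule xsi:type="Requester" value="https://login.neoed.com/" />
    <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>
```

After reloading the NameID generation and attribute filter services, a test login should no longer log "Request specified use of an unsupportable identifier format" for this SP; if the warning persists, the usual causes are the activation condition not matching the requester's entityID or the mail attribute not being released by the filter policy. If the SP's AuthnRequest instead asks for the emailAddress format, the same bean works with p:format set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.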