Shibboleth IDP (V4.2.1) and Neod/Neogov setup
Mak, Steven
makst at upenn.edu
Mon Nov 14 20:38:33 UTC 2022
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (their sp metadata) is NOT equal to urn:oasis:names:tc:SAML:1.1:nameid-format:persistent (your saml-nameid.xml)
From: users <users-bounces at shibboleth.net> on behalf of Nadim El-Khoury via users <users at shibboleth.net>
Reply-To: Shib Users <users at shibboleth.net>
Date: Monday, November 14, 2022 at 3:36 PM
To: Shib Users <users at shibboleth.net>
Cc: Nadim El-Khoury <nel-khoury at springfield.edu>
Subject: Shibboleth IDP (V4.2.1) and Neod/Neogov setup
Hi Everyone,
We are trying to set up Single Sign-On between us and Neod/Neogov and it is not working.
We dynamically consume their Metadata through InCommon, and they require that the SAML NameID be persistent and in the email address format.
Their metadata is below.
<md:EntityDescriptor entityID="https://login.neoed.com/<https://urldefense.com/v3/__https:/login.neoed.com/__;!!IBzWLUs!S_fGE1Gts4gC_Mk8c6znViv55-734E56cCkBw5RNRfZWgAtpA6Z-svDerlFHANqUW2rm8eYHFHXp_YLR$>" ID="_697e849a-7a17-43e7-8034-fcae23e2767d">
<md:SPSSODescriptor ID="_8153bed2-27cb-4e3a-b2f1-664a2325f71e" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.neoed.com/authentication/saml/consumer<https://urldefense.com/v3/__https:/login.neoed.com/authentication/saml/consumer__;!!IBzWLUs!S_fGE1Gts4gC_Mk8c6znViv55-734E56cCkBw5RNRfZWgAtpA6Z-svDerlFHANqUW2rm8eYHFN2sOuZ_$>" index="0" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Neogov SSO</md:ServiceName>
<md:RequestedAttribute isRequired="true" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
We see the following message in the SAML tracer file and the logs.
2022-11-14 15:15:48,830 - 10.2.50.21 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2022-11-14 15:15:48,834 - 10.2.50.21 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy
We did not know whether we needed to uncomment the following line in saml-nameid.xml or create a SAML2AttributeSourceGnerator that I am including below.
<!--
<ref bean="shibboleth.SAML2PersistentGenerator" />
-->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"
p:attributeSourceIds="#{ {'mail'} }"
p:activationCondition-ref="PersistentMailCondition" >
</bean>
Your help or direction is very much appreciated.
Best,
Nadim
--
"Twenty years from now you will be more disappointed by the things that you didn't do than by the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch the trade winds in your sails. Explore. Dream. Discover." Mark Twain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20221114/af611a3e/attachment.htm>
More information about the users
mailing list