Shibboleth IDP (V4.2.1) and Neod/Neogov setup

Nadim El-Khoury nel-khoury at springfield.edu
Mon Nov 14 20:49:53 UTC 2022


Hi Steven,

Thank you very much for your response and for pointing out our mistake.
We made the change and we are now releasing the NameID in the proper format.

Best,

Nadim

On Mon, Nov 14, 2022 at 3:38 PM Mak, Steven <makst at upenn.edu> wrote:

> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (their sp metadata)
> is NOT equal to urn:oasis:names:tc:SAML:1.1:nameid-format:persistent (your
> saml-nameid.xml)
>
> *From: *users <users-bounces at shibboleth.net> on behalf of Nadim El-Khoury
> via users <users at shibboleth.net>
> *Reply-To: *Shib Users <users at shibboleth.net>
> *Date: *Monday, November 14, 2022 at 3:36 PM
> *To: *Shib Users <users at shibboleth.net>
> *Cc: *Nadim El-Khoury <nel-khoury at springfield.edu>
> *Subject: *Shibboleth IDP (V4.2.1) and Neod/Neogov setup
>
> Hi Everyone,
>
> We are trying to set up Single Sign-On between us and Neod/Neogov and it
> is not working.
>
> We dynamically consume their Metadata through InCommon, and they require
> that the SAML NameID be persistent and in the email address format.
>
> Their metadata is below.
>
> <md:EntityDescriptor entityID="https://login.neoed.com/"
>     ID="_697e849a-7a17-43e7-8034-fcae23e2767d">
>   <md:SPSSODescriptor ID="_8153bed2-27cb-4e3a-b2f1-664a2325f71e"
>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:NameIDFormat>
>       urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>     </md:NameIDFormat>
>     <md:NameIDFormat>
>       urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>     </md:NameIDFormat>
>     <md:AssertionConsumerService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://login.neoed.com/authentication/saml/consumer"
>         index="0" isDefault="true"/>
>     <md:AttributeConsumingService index="1" isDefault="true">
>       <md:ServiceName xml:lang="en">Neogov SSO</md:ServiceName>
>       <md:RequestedAttribute isRequired="true"
>           Name="urn:oid:0.9.2342.19200300.100.1.3"
>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>           FriendlyName="mail"/>
>     </md:AttributeConsumingService>
>   </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
> We see the following message in the SAML tracer file and the logs.
>
> 2022-11-14 15:15:48,830 - 10.2.50.21 - WARN
> [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile
> Action AddNameIDToSubjects: Request specified use of an unsupportable
> identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>
> 2022-11-14 15:15:48,834 - 10.2.50.21 - WARN
> [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event
> occurred while processing the request: InvalidNameIDPolicy
>
> We did not know whether we needed to uncomment the following line in
> saml-nameid.xml or create a SAML2AttributeSourcedGenerator that I am
> including below.
>
>         <!--
>         <ref bean="shibboleth.SAML2PersistentGenerator" />
>         -->
>
>         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>                 p:omitQualifiers="true"
>                 p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"
>                 p:attributeSourceIds="#{ {'mail'} }"
>                 p:activationCondition-ref="PersistentMailCondition" >
>         </bean>
>
> Your help or direction is very much appreciated.
>
> Best,
>
> Nadim
>
> --
>
> "Twenty years from now you will be more disappointed by the things that
> you didn't do than by the ones you did do. So throw off the bowlines. Sail
> away from the safe harbor. Catch the trade winds in your sails. Explore.
> Dream. Discover." Mark Twain
>


-- 
"Twenty years from now you will be more disappointed by the things that you
didn't do than by the ones you did do. So throw off the bowlines. Sail away
from the safe harbor. Catch the trade winds in your sails. Explore. Dream.
Discover." Mark Twain
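A configuration check for the mismatch Steven points out, added here as an example and not code from the thread or from the Shibboleth project: it reads the SP's NameIDFormat list and the p:format of each generator bean in the IdP's saml-nameid.xml (both embedded below as constructed samples trimmed from the thread) and reports a format URI that neither SAML 1.1 nor SAML 2.0 defines, or an SP list that no IdP generator can satisfy. It assumes only Python's standard xml.etree.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"

# NameID format URIs defined by SAML 1.1 (Core 7.3) and SAML 2.0 (Core 8.3);
# "persistent" and "transient" exist only in the 2.0 namespace.
SAML11 = ("unspecified", "emailAddress", "X509SubjectName", "WindowsDomainQualifiedName")
SAML20 = ("kerberos", "entity", "persistent", "transient", "encrypted")
KNOWN_FORMATS = ({f"urn:oasis:names:tc:SAML:1.1:nameid-format:{n}" for n in SAML11}
                 | {f"urn:oasis:names:tc:SAML:2.0:nameid-format:{n}" for n in SAML20})

# Constructed SP metadata, reduced to the NameIDFormat elements seen in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://login.neoed.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed saml-nameid.xml fragment carrying the mistaken 1.1 "persistent" URI.
IDP_NAMEID = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"
    p:attributeSourceIds="#{ {'mail'} }"/>
</beans>"""

def sp_formats(metadata_xml):
    # NameIDFormat URIs the SP advertises, in metadata order (SP preference).
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD}}}NameIDFormat")]

def idp_formats(nameid_xml):
    # p:format of every generator bean; beans without one are not generators.
    root = ET.fromstring(nameid_xml)
    beans = root.iter(f"{{{BEANS}}}bean")
    return [b.get(f"{{{P}}}format") for b in beans if b.get(f"{{{P}}}format")]

def check(sp_xml, idp_xml):
    # Returns (formats both sides agree on, problems found).
    wanted, offered = sp_formats(sp_xml), idp_formats(idp_xml)
    problems = [f"IdP generator uses an undefined format: {f}"
                for f in offered if f not in KNOWN_FORMATS]
    usable = [f for f in wanted if f in offered]
    if not usable:
        problems.append("no SP NameIDFormat has a matching IdP generator "
                        "(AddNameIDToSubjects will reject with InvalidNameIDPolicy)")
    return usable, problems
```

Running check(SP_METADATA, IDP_NAMEID) flags both the undefined 1.1 persistent URI and the absence of any usable format; changing the bean's p:format to the 2.0 persistent URI makes the check pass.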