Shibboleth IDP (V4.2.1) and Neod/Neogov setup

Peter Schober peter.schober at univie.ac.at
Wed Nov 16 20:17:53 UTC 2022 

* Nadim El-Khoury via users <users at shibboleth.net> [2022-11-14 21:36]:
> We dynamically consume their Metadata through InCommon, and they
> require that the SAML NameID be persistent and in the email address
> format.
[...]
> <md:NameIDFormat>
> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> </md:NameIDFormat>
> <md:NameIDFormat>
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> </md:NameIDFormat>

FWIW, the above does not mean you have to release a NameID with
format "persistent" but whose values are email addresses -- that's a
contradiction in terms and a violation of the SAML specification.
(Email address values are not valid persistent NameIDs, cf. 8.3.7 in
SAML Core[1].)

Also only one NameID element is allowed in the Assertion and this can
only have one format, so either 'persistent' or 'emailAddress', but
not both.

The only thing the above metadata elements can sensibly mean is that
the SP supports either persistent NameIDs (preferred, because it's
listed first) or those of the emailAddress format.

> they require that the SAML NameID be persistent and in the email
> address format.

Even if they communicated those requirements to you in /other/ forms
than the above SAML 2.0 Metadata elements (e.g. in their documentation
or from their support, sales, etc. people) that does not make such a
requirement (to be both a persistent NameID and have email addresses
as its values) sensible or tolerable.

So I would urge you to undo the configuration you made where you're
releasing your institution's members' email adresses as NameIDs of
format "persistent". That's nonsense, no matter who or how many SPs
ask for that:
Either the SP wants email addresses then use the 'mail' attribute (with
its formal urn:oid: name) or the emailAddress formatted-NameID, if you
must. Or the SP wants an opaque, SP-specific identifier value as per
8.3.7 of the SAML spec.
(N.B.: No commercial SP that actually understands how SAML 2.0 defines
persistent NameIDs will ever ask for those. But if one does, provide
those from the shibboleth.SAML2PersistentGenerator, *not* anything
created by a shibboleth.SAML2AttributeSourcedGenerator.)

HTH,
-peter


[1] https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf

More information about the users mailing list