Shibboleth IDP (V4.2.1) and Neod/Neogov setup

Nadim El-Khoury nel-khoury at springfield.edu
Wed Nov 16 23:03:33 UTC 2022 

Hi Peter,

Thank you for the detailed information and explanation.
I will blackout the configuration and test it again.
I will report back.

Best,

Nadim




On Wed, Nov 16, 2022 at 3:18 PM Peter Schober via users <
users at shibboleth.net> wrote:

> * Nadim El-Khoury via users <users at shibboleth.net> [2022-11-14 21:36]:
> > We dynamically consume their Metadata through InCommon, and they
> > require that the SAML NameID be persistent and in the email address
> > format.
> [...]
> > <md:NameIDFormat>
> > urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> > </md:NameIDFormat>
> > <md:NameIDFormat>
> > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> > </md:NameIDFormat>
>
> FWIW, the above does not mean you have to release a NameID with
> format "persistent" but whose values are email addresses -- that's a
> contradiction in terms and a violation of the SAML specification.
> (Email address values are not valid persistent NameIDs, cf. 8.3.7 in
> SAML Core[1].)
>
> Also only one NameID element is allowed in the Assertion and this can
> only have one format, so either 'persistent' or 'emailAddress', but
> not both.
>
> The only thing the above metadata elements can sensibly mean is that
> the SP supports either persistent NameIDs (preferred, because it's
> listed first) or those of the emailAddress format.
>
> > they require that the SAML NameID be persistent and in the email
> > address format.
>
> Even if they communicated those requirements to you in /other/ forms
> than the above SAML 2.0 Metadata elements (e.g. in their documentation
> or from their support, sales, etc. people) that does not make such a
> requirement (to be both a persistent NameID and have email addresses
> as its values) sensible or tolerable.
>
> So I would urge you to undo the configuration you made where you're
> releasing your institution's members' email adresses as NameIDs of
> format "persistent". That's nonsense, no matter who or how many SPs
> ask for that:
> Either the SP wants email addresses then use the 'mail' attribute (with
> its formal urn:oid: name) or the emailAddress formatted-NameID, if you
> must. Or the SP wants an opaque, SP-specific identifier value as per
> 8.3.7 of the SAML spec.
> (N.B.: No commercial SP that actually understands how SAML 2.0 defines
> persistent NameIDs will ever ask for those. But if one does, provide
> those from the shibboleth.SAML2PersistentGenerator, *not* anything
> created by a shibboleth.SAML2AttributeSourcedGenerator.)
>
> HTH,
> -peter
>
>
> [1]
> https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>


-- 
"Twenty years from now you will be more disappointed by the things that you
didn't do than by the ones you did do. So throw off the bowlines. Sail away
from the safe harbor. Catch the trade winds in your sails. Explore. Dream.
Discover." Mark Twain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20221116/2b0cff71/attachment.htm>

More information about the users mailing list