NameID - aacli and SAML tracer differ
Donald Lohr
lohrda at jmu.edu
Fri Oct 7 13:18:16 UTC 2022
I've got an SP where we have two different instances each with a
different entityID. The attributes being released from the
attribute-filter file are the same, the relying-party config is the
same and the saml-nameid config is the same.
Trying to add a third instance (again different entityID):
1) In the attribute-filter file we now have the following:
<PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="Requester" value="entityID#1" />
    <Rule xsi:type="Requester" value="entityID#2" />
    <Rule xsi:type="Requester" value="entityID#3" />
</PolicyRequirementRule>
2) In the relying-party file we now have the following:
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'entityID#1', 'entityID#2', 'entityID#3'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  p:postAuthenticationFlows="#{{'vendoraccountblock','graduateaccountblock'}}"/>
        </list>
    </property>
</bean>
3) In the saml-nameid file we now have the following:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'email'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
              c:candidates="#{{'entityID#1', 'entityID#2', 'entityID#3'}}" />
    </property>
</bean>
When I run the aacli command for all three entityIDs the following is
returned:
<saml2:Subject>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="urn:mace:incommon:jmu.edu"
        SPNameQualifier="entityID#1">lohrda at jmu.edu</saml2:NameID>
</saml2:Subject>
<saml2:Subject>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="urn:mace:incommon:jmu.edu"
        SPNameQualifier="entityID#2">lohrda at jmu.edu</saml2:NameID>
</saml2:Subject>
<saml2:Subject>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="urn:mace:incommon:jmu.edu"
        SPNameQualifier="entityID#3">lohrda at jmu.edu</saml2:NameID>
</saml2:Subject>
4) In each locally stored metadata file (provided by the vendor by email)
the NameIDFormat entries are the following:
entityID#1:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
entityID#2:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
entityID#3:
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
However when I use the Firefox SAML tracer, and attempt a login to
entityID#3, the NameID is a transient value.
Why does aacli report emailAddress as the NameID for ALL three, while the
SAML tracer reports emailAddress for entityID#1 & #2 but transient for #3?
Thanks,
Don
--
D o n a l d L o h r
I n f o r m a t i o n S y s t e m s
J a m e s M a d i s o n U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
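The following is an added example, not part of the original post and not code from the Shibboleth project. It is a small Python diagnostic an IdP operator can run before enabling a new SP: it reads the NameIDFormat list out of an SP's metadata, reads the NameIDPolicy out of a captured AuthnRequest (the kind of thing a browser SAML tracer shows), and computes the NameID format that would be selected both for a request-free simulation (the way aacli is assumed to run here, with no AuthnRequest and therefore no NameIDPolicy) and for a live login. The selection order it models (a NameIDPolicy Format in the request wins; otherwise nameIDFormatPrecedence, then the metadata's NameIDFormat order; a format is only usable if a generator for it is active) is this example's assumption about IdP behaviour, not something the post confirms. The metadata fragment and AuthnRequest are constructed samples that mirror entityID#3 above.

```python
"""Compare the NameID format an IdP would pick with and without an AuthnRequest."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: SP metadata with the same three formats as entityID#3 in the post.
SP3_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="entityID#3">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: an AuthnRequest that explicitly asks for a transient NameID.
AUTHN_REQUEST_TRANSIENT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example1" Version="2.0" IssueInstant="2022-10-07T13:00:00Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed sample: an AuthnRequest that leaves the format to the IdP.
AUTHN_REQUEST_NO_POLICY = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example2" Version="2.0" IssueInstant="2022-10-07T13:00:00Z"/>"""


def metadata_formats(metadata_xml):
    """Return the NameIDFormat URIs an SP declares, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip() for el in root.iter(f"{{{MD}}}NameIDFormat") if el.text]


def requested_format(authn_request_xml):
    """Return the Format from the request's NameIDPolicy, or None if absent or 'unspecified'."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None
    fmt = policy.get("Format")
    return None if fmt in (None, UNSPECIFIED) else fmt


def select_format(active_generators, precedence, sp_formats, requested):
    """Pick the first candidate format an active generator can produce.

    Assumed order: an explicit NameIDPolicy Format is the only candidate;
    otherwise the relying-party nameIDFormatPrecedence list followed by the
    SP metadata's NameIDFormat list, skipping 'unspecified' and duplicates.
    """
    if requested is not None:
        candidates = [requested]
    else:
        candidates = []
        for fmt in list(precedence) + list(sp_formats):
            if fmt != UNSPECIFIED and fmt not in candidates:
                candidates.append(fmt)
    for fmt in candidates:
        if fmt in active_generators:
            return fmt
    return None  # nothing usable: a live login would fail rather than silently downgrade


def diagnose(active_generators, precedence, sp_metadata_xml, authn_request_xml):
    """Side-by-side result for a request-free simulation and a live login."""
    sp_formats = metadata_formats(sp_metadata_xml)
    return {
        "simulated": select_format(active_generators, precedence, sp_formats, None),
        "live": select_format(active_generators, precedence, sp_formats,
                              requested_format(authn_request_xml)),
    }


if __name__ == "__main__":
    # Generators assumed active for this SP: the emailAddress generator from
    # saml-nameid plus the IdP's transient generator.
    generators = {EMAIL, TRANSIENT}
    print(diagnose(generators, [EMAIL], SP3_METADATA, AUTHN_REQUEST_TRANSIENT))
    print(diagnose(generators, [EMAIL], SP3_METADATA, AUTHN_REQUEST_NO_POLICY))
```

Run against a real SP, replace the constructed metadata with the vendor's file and the constructed request with the decoded AuthnRequest from the tracer; if "simulated" and "live" disagree, the request's NameIDPolicy is the first thing to compare across the SP instances.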