SSO to Asana with Shibboleth IdP resolved more or less
IAM David Bantz
dabantz at alaska.edu
Tue Jun 13 00:15:16 UTC 2023
I previously posted on configuring Asana for SAML SSO using Shibb IdP;
Etan E. Weintraub (Johns Hopkins) confirmed it was possible, so I plowed
ahead.
This is a follow-up after getting this (sorta) working.
FYI, in addition to Asana providing no actual metadata and no certificate/public key:
Additional issues / anomalies with configuring Asana for SAML SSO:
1. Initial instructions asked us to configure for an entity ID of
https://app.asana.com
however, on first attempted connection, the request comes from
https://app.asana.com/
I changed the entity ID in my cache of SP metadata correspondingly.
2. The SAML request generated requests that the user's browser be sent to an
ACS endpoint not previously documented:
https://app.asana.com/-/saml/consume
I added that to the cached metadata for this SP.
3. The request indicates the service wants a nameID-format of email address.
I added a relying-party override to release a nameID with that format.
4. Presuming Asana wants the user's "email address" to be the user's canonical
address = principal name,
I added a saml-nameid override to prefer use of ePPN in constructing the
nameID.
5. And, finally, I added an attribute release policy to allow release of
ePPN to Asana.
Those 5 changes enabled the Identity Provider to recognize the service and
prompt for authN, and allowed successful sign-in to our instance of Asana.
No certificate, so alas no encryption and probably no checking of the
signature on our assertion.
David St Pierre Bantz
U Alaska IAM
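The five changes listed in the post, written out as Shibboleth IdP v4 configuration fragments. This is an added example, not configuration from the original post or from Asana/Shibboleth documentation. Assumptions that the post does not state: the cached metadata lives at a hypothetical path under the IdP home, the ACS endpoint uses the HTTP-POST binding, the ePPN attribute is registered in the IdP under the id eduPersonPrincipalName, and assertion encryption is switched off explicitly for this SP (the IdP would otherwise fail because the hand-written metadata carries no encryption key).

```xml
<!-- metadata-providers.xml: load the hand-maintained SP metadata from disk.
     The file path is a hypothetical placeholder, not one from the post. -->
<MetadataProvider id="AsanaSP" xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/asana-sp-metadata.xml" />

<!-- asana-sp-metadata.xml: cached SP metadata written by hand.
     entityID carries the trailing slash seen in the live AuthnRequest and the
     ACS location is the one observed in that request (post items 1 and 2).
     HTTP-POST binding is an assumption. There is no KeyDescriptor because
     Asana supplied no certificate, so the IdP can neither encrypt assertions
     to this SP nor verify any signature on its requests; the ACS location in
     this file is the only control over where assertions are delivered. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.asana.com/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.asana.com/-/saml/consume" />
  </SPSSODescriptor>
</EntityDescriptor>

<!-- relying-party.xml: per-SP override (post item 3). Prefer the emailAddress
     NameID format and disable assertion encryption, which would otherwise
     fail for an SP whose metadata has no encryption key (assumed setting). -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://app.asana.com/">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO"
          p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:encryptAssertions="false" />
    </list>
  </property>
</bean>

<!-- saml-nameid.xml: build the emailAddress NameID from ePPN (post item 4),
     activated only for this relying party so other SPs keep their defaults. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
  <ref bean="shibboleth.SAML2TransientGenerator" />
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId"
          c:candidate="https://app.asana.com/" />
    </property>
  </bean>
</util:list>

<!-- attribute-filter.xml: release ePPN to Asana only (post item 5). -->
<AttributeFilterPolicy id="releaseEPPNToAsana">
  <PolicyRequirementRule xsi:type="Requester" value="https://app.asana.com/" />
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
</AttributeFilterPolicy>
```

Before testing against the live service, `bin/aacli.sh -n <user> -r https://app.asana.com/ --saml2` shows which attributes the filter releases and what NameID the generator produces for that relying party, which is the quickest way to confirm items 3 through 5 took effect.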