NameID format issue

NameID format issue

Guillaume Rousse
Hello list.

I'm trying to debug a "Required NameID format not supported" error with
our IdP (version 2.4.4).

Here is the application request:
<ns0:AuthnRequest
   ...
   <ns0:NameIDPolicy
     AllowCreate="false"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</ns0:AuthnRequest>

Here is the IdP Response:
<saml2p:Response
   <saml2p:Status>
     <saml2p:StatusCode
       Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
       <saml2p:StatusCode
         Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
       </saml2p:StatusCode>
     <saml2p:StatusMessage>Required NameID format not
supported</saml2p:StatusMessage>
   </saml2p:Status>
</saml2p:Response>

And here is the error in IdP log:
13:39:08.575 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491]
- No attribute of principal '[hidden email]' can be encoded
in to a NameIdentifier of required format
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' for relying party
'https://inacademia.org/metadata/inacademia-simple-validation.xml'

Our IdP does provide an eduPersonTargetedID attribute, which is supposed
to be used as such a persistent identifier:
a) according to the documentation, it fulfills all requirements to be used
as a persistent identifier:
https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers
b) its definition has a reference to the required format:
<resolver:AttributeDefinition
   xsi:type="ad:SAML2NameID"
   id="eduPersonTargetedID"
   nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   sourceAttributeID="persistentID">
   <resolver:Dependency ref="storedId" />
   <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
   <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
     name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
     friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

Given it's not filtered out (checked with aacli.sh), I guess that's an
issue with the set of attribute encoders used in its definition.

Following IdP 2 documentation
(https://wiki.shibboleth.net/confluence/display/SHIB2/IdPPersistentNameIdentifier),
I tried to add another attribute definition, reusing the same source
attribute as existing eduPersonTargetedID:

<resolver:AttributeDefinition
   id="otherPersistentId"
   xsi:type="ad:Simple"
   sourceAttributeID="storedId">
   <resolver:Dependency ref="storedId"/>
   <resolver:AttributeEncoder
     xsi:type="enc:SAML1StringNameIdentifier"
     nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
   <resolver:AttributeEncoder
     xsi:type="enc:SAML2StringNameID"
     nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

And I also explicitly allowed this new 'attribute' in our filtering
policy for the target SP. However, it doesn't change the actual
result.

What am I missing here?
--
Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
www.renater.fr


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
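As an added example (not part of the post above, and not Shibboleth's own code), the following Python script reconstructs the two halves of the exchange Guillaume quotes: what the SP asks for in NameIDPolicy, and what the IdP answers in the nested StatusCode. It also models, in miniature, the selection rule the IdP log line implies: the IdP looks among the attributes released to the relying party for one carrying a SAML 2 NameID encoder whose nameFormat equals the requested format; an attribute that only has an Attribute encoder (SAML2XMLObject, as on eduPersonTargetedID) is not a candidate however it is named, and an attribute with no value cannot be encoded either. The AuthnRequest/Response XML, the in-memory attribute model and the function names are this example's own constructions, and the encoder-type rule is an assumption drawn from the log message rather than a quotation of the IdP source.

```python
"""Added example: reproduce the NameID selection step behind
"Required NameID format not supported" and parse the nested SAML status.
Everything here is constructed for illustration (not Shibboleth code)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed AuthnRequest: only the element relevant to NameID selection.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"
    IssueInstant="2017-01-01T00:00:00Z">
  <samlp:NameIDPolicy AllowCreate="false" Format="{PERSISTENT}"/>
</samlp:AuthnRequest>"""

# Constructed Response mirroring the status block quoted in the thread.
FAILED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_p1" Version="2.0"
    IssueInstant="2017-01-01T00:00:01Z">
  <samlp:Status>
    <samlp:StatusCode Value="{RESPONDER}">
      <samlp:StatusCode Value="{INVALID_NAMEID_POLICY}"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Required NameID format not supported</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def requested_nameid_format(authn_request_xml):
    """Return NameIDPolicy/@Format from the request, or None when the SP
    sent no policy (then the IdP is free to pick any format it supports)."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def parse_status(response_xml):
    """Return (top-level code, second-level code or None, message or None).
    The second-level code is the one worth logging on the SP side:
    'Responder' alone says nothing about why the IdP refused."""
    root = ET.fromstring(response_xml)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    msg = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage")
    return (top.get("Value"),
            None if sub is None else sub.get("Value"),
            None if msg is None else msg.text)


def select_nameid_source(released_attributes, required_format):
    """Assumed selection rule (read off the IdP log line, not IdP source):
    among attributes released to this relying party, pick the first one
    that has a value and a SAML 2 NameID encoder whose nameFormat matches.
    Attribute-style encoders (SAML2XMLObject, SAML2String) never qualify.
    Returns the attribute id, or None when nothing can be encoded."""
    for attr in released_attributes:
        if not attr["values"]:
            continue  # resolved but empty, e.g. sourceAttributeID misnamed
        for enc in attr["encoders"]:
            if enc["type"] != "SAML2StringNameID":
                continue
            if required_format is None or enc.get("nameFormat") == required_format:
                return attr["id"]
    return None


# Constructed attribute set modelled on the definitions in the post:
# eduPersonTargetedID only carries an Attribute encoder, so it is not a
# NameID candidate even though its value is a persistent identifier.
RELEASED = [
    {"id": "eduPersonTargetedID", "values": ["abc123"],
     "encoders": [{"type": "SAML2XMLObject",
                   "name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"}]},
    {"id": "transientId", "values": ["_t1"],
     "encoders": [{"type": "SAML2StringNameID", "nameFormat": TRANSIENT}]},
]


def diagnose(authn_request_xml, released_attributes):
    """Outcome of the NameID step for one request: ("ok", attribute id)
    or the (top-level, second-level) status pair the IdP would return."""
    fmt = requested_nameid_format(authn_request_xml)
    chosen = select_nameid_source(released_attributes, fmt)
    if chosen:
        return ("ok", chosen)
    return (RESPONDER, INVALID_NAMEID_POLICY)


if __name__ == "__main__":
    print(parse_status(FAILED_RESPONSE))
    print(diagnose(AUTHN_REQUEST, RELEASED))
```

Running diagnose with the attribute set as posted reproduces the Responder/InvalidNameIDPolicy pair; adding an attribute that has a non-empty value and a SAML2StringNameID encoder with the persistent format makes it succeed, while the same attribute with no resolved value still fails, which is why checking the released value with aacli.sh matters as much as checking the encoder.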

RE: NameID format issue

Rod Widdowson
> our IdP (version 2.4.4).
> What am I missing here ?

Somewhat flippantly: "3 years of new releases, bug fixes and security alerts"...

I have completely forgotten anything I knew about that stuff, but in case it helps, nothing leaps out immediately.

I know it's not helpful, but if I had an IdP of that vintage, not getting one particular SP running would be low on my list of worry points.

/Rod
