NameID in email address format


pheinemann
I have a need to construct a nameID using the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format but actually based on a Kerberos principal. This is to satisfy an SP that wants an emailAddress for the NameID, but I need to present one that is immutable since users can change their primary email address.

Putting aside the why for now...my problem is that the desired NameID strips off the domain portion of the value.

I have built a new attribute on which the new nameID is based:

<resolver:AttributeDefinition id="krb-spn"
                xsi:type="Scoped"
                xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                scope="upenn.edu"
                sourceAttributeID="uid">
        <resolver:Dependency ref="incommunity" />
        <resolver:AttributeEncoder name="urn:mace:dir:attribute-def:mail"
                xsi:type="SAML1ScopedString"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                scopeType="inline" />
        <resolver:AttributeEncoder name="urn:oid:0.9.2342.19200300.100.1.3"
                xsi:type="SAML2ScopedString"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                scopeType="inline"
                friendlyName="krb-spn" />
</resolver:AttributeDefinition>

and with the proper entry in attribute-filter that attribute is released in the format desired:

<saml2:Attribute FriendlyName="krb-spn"
                 Name="urn:oid:0.9.2342.19200300.100.1.3"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">phei@upenn.edu</saml2:AttributeValue>
</saml2:Attribute>

However, if I plug that attribute into the nameID block as the source for the desired nameID,

<resolver:AttributeDefinition id="krbNameID"
        xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="krb-spn">
        <resolver:Dependency ref="krb-spn"/>
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

only the first part (username) is presented:

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  NameQualifier="https://idp.net.isc.upenn.edu/idp/shibboleth"
                  SPNameQualifier="https://shibdev3.net.isc.upenn.edu/shibboleth">phei</saml2:NameID>
</saml2:Subject>

Using an existing email attribute as the source in the NameID definition returns the full address.

<resolver:AttributeDefinition id="krbNameID"
        xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="email">
        <resolver:Dependency ref="email"/>
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="email"
        xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="mail">
        <resolver:Dependency ref="incommunity" />
        <resolver:AttributeEncoder name="urn:mace:dir:attribute-def:mail"
                xsi:type="SAML1String"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
        <resolver:AttributeEncoder name="urn:oid:0.9.2342.19200300.100.1.3"
                xsi:type="SAML2String"
                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                friendlyName="mail" />
</resolver:AttributeDefinition>

will return the formatted address:

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  NameQualifier="https://idp.net.isc.upenn.edu/idp/shibboleth"
                  SPNameQualifier="https://shibdev3.net.isc.upenn.edu/shibboleth">phei@isc.upenn.edu</saml2:NameID>
</saml2:Subject>

Why in the first instance is the domain portion being removed? Wouldn't the NameID attribute processing simply take whatever is defined by the source attribute? Or does it process further down to the original source-of-the-source?

Thanks,

Peter
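Added example, not part of the original post or of the Shibboleth project's own documentation. The behaviour described above is consistent with a Scoped attribute definition carrying the scope ("upenn.edu") separately from the value ("phei"), so that a Simple definition chained onto it hands the string NameID encoders only the value part (that interpretation is an assumption drawn from the post, not something the post confirms). One way to avoid the question entirely is to build the NameID from a single string in a Template definition, so there is no separate scope for the encoders to drop. It assumes the same "incommunity" data connector and "uid" source attribute the poster's krb-spn definition depends on, and the hard-coded domain mirrors the scope="upenn.edu" in that definition:

```xml
<!-- Added example (not from the original post): emailAddress-format NameID
     built from the Kerberos principal's uid as one string, "uid@upenn.edu".
     Assumes the "incommunity" connector exposes a "uid" attribute, as in
     the poster's own krb-spn definition. -->
<resolver:AttributeDefinition id="krbNameID"
        xsi:type="Template"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="incommunity" />
    <!-- Same two NameID encoders the poster uses; they now receive a plain
         string value, so the full address reaches the SP. -->
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <!-- Velocity template: ${uid} is replaced by the uid value; the domain is
         fixed here, so a change to the user's mail attribute cannot alter it. -->
    <Template><![CDATA[${uid}@upenn.edu]]></Template>
    <SourceAttribute>uid</SourceAttribute>
</resolver:AttributeDefinition>
```

As with the poster's other definitions, the attribute-filter policy still has to release krbNameID to the SP, or the NameID will fall back to whatever default the IdP is configured with. The value is deliberately derived from the immutable principal rather than the mutable mail attribute, which is the point of the original question; the SP on the receiving end should treat it as an opaque account identifier in emailAddress syntax rather than as a deliverable mailbox.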