SAML nameid generation defaults to transient

SAML nameid generation defaults to transient

Lipscomb, Gary
Hi all,

I'm trying to generate a nameid which contains an internal identifier. The idp-process.log [1] displays the error "Configuration specifies the following formats: []" but I thought I had specified the format in the saml-nameid.xml [4] file below. It defaults to creating a transient nameid [5].

When I add the nameid format [4] into the metadata file it works as expected [6].

Am I missing something or have a wrong configuration?

IdP v3.3.2

Regards

Gary

[1] idp-process.log

2018-05-15 08:19:57,921 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:116] - Using overridden profile configuration ID: http://shibboleth.net/ns/profiles/saml2/sso/browser
2018-05-15 08:19:57,922 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:124] - Configuration specifies the following formats: []
2018-05-15 08:19:57,923 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:134] - No formats specified in configuration or in metadata, returning default
2018-05-15 08:19:57,929 - INFO [Shibboleth-Audit.ResolverTest:275] - 20180514T221957Z|||https://adminuat.dc2.pp.com/|http://shibboleth.net/ns/profiles/resolvertest|https://idpqa.csu.edu.au/idp/shibboleth|||dummy_username||XXXXAsNameID|AAdzZWNyZXQx3f712KtOipy5BJW6lc/522I7HY8kq4zY8pmQKD5AELIhT4YrqOwsGE9tVXUX0IKuquzdkwl5R2Q7F8U0/E/HrweQHsi8IYdfshF/MyNUOauvtPnZtN8Or4hRFJasS940mnBRcuTZsWRSjQIM|_6729e0e1513b87570bc7c2e6ebd70fb4|



[2] attribute-filter.xml

  <AttributeFilterPolicy id="release_to_pp">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="Requester" value="https://adminuat.dc2.pp.com/" />
      <Rule xsi:type="Requester" value="https://admin.dc2.pp.com/" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="XXXXAsNameID">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>


[3] attribute-resolver.xml

   <AttributeDefinition xsi:type="Simple"
       id="XXXXAsNameID"
       sourceAttributeID="internal-CSU">
     <Dependency ref="internal-CSU" />
   </AttributeDefinition>


[4] saml-nameid.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

<snip> .............

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                  p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  p:attributeSourceIds="#{ {'XXXXAsNameID'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://adminuat.dc2.pp.com/', 'https://admin.dc2.pp.com/'} }" />
            </property>
        </bean>

    </util:list>

</beans>


[4] pp-metadata.xml

    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>


[5] transient nameid

# /opt/shibboleth-idp/bin/aacli.sh -n dummy-user -r https://adminuatt.dc2.pp.com/ --saml2
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_94c260a5a6277513067971337ce0c9c0"
    IssueInstant="2018-05-15T03:19:49.862Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="https://idpqa.csu.edu.au/idp/shibboleth" SPNameQualifier="https://adminuatt.dc2.pp.com/">AAdzZWNyZXQxMCljWtD6miqFA35ogLD1L0XfJgGUXHIFQdrEcCnZNZGTAU5lcqD+j2er929O7bYbkQnlh5EeJWk7TJtpu2VLq3R5vg8EVlrGqDvdg1r+cG9I0C0PDzm1V84vtscQu0bpIyTtyjpGo0TtqgjHSQ==</saml2:NameID>
    </saml2:Subject>
</saml2:Assertion>

[6] persistent nameid

# /opt/shibboleth-idp/bin/aacli.sh -n dummy-user -r https://adminuat.dc2.pp.com/ --saml2
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_aaf927a447893faf9890669723f0f082"
    IssueInstant="2018-05-15T03:19:40.106Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idpqa.csu.edu.au/idp/shibboleth" SPNameQualifier="https://adminuat.dc2.pp.com/">1234567</saml2:NameID>
    </saml2:Subject>
</saml2:Assertion>



--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: SAML nameid generation defaults to transient

Peter Schober
* Lipscomb, Gary <[hidden email]> [2018-05-15 05:33]:
> I have specified the format in the saml-nameid.xml [4] file
> below. It defaults to creating a transient nameid [5].

That's to be expected and documented. Metadata or an authnrequest or
your relying party config will influence the NameID selection
process. Simply having it defined (and also releasing an attribute it
may be based on) is not sufficient.

> [3] attribute-resolver.xml
>
>    <AttributeDefinition xsi:type="Simple"
>        id="XXXXAsNameID"
>        sourceAttributeID="internal-CSU">
>      <Dependency ref="internal-CSU" />
>    </AttributeDefinition>
>
> [4] saml-nameid.xml
[...]
>         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>                   p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>                   p:attributeSourceIds="#{ {'XXXXAsNameID'} }">
>             <property name="activationCondition">
>                 <bean parent="shibboleth.Conditions.RelyingPartyId"
>                   c:candidates="#{ {'https://adminuat.dc2.pp.com/', 'https://admin.dc2.pp.com/'} }" />
>             </property>
>         </bean>

Note that the above is not a legal persistent NameID (cf. SAML Core).

-peter
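The selection process Peter describes, as a small runnable model added here (it is not Shibboleth's code, and the precedence between the three sources is simplified): the format is chosen from the AuthnRequest, the relying-party configuration or the SP metadata before any generator in saml-nameid.xml is consulted, which is why [5] yields a transient value and [6] a persistent one. The dictionary layout and the `relying_parties` key are assumptions standing in for the IdP's bean configuration.

```python
import secrets

# Simplified model of SAML 2 NameID format selection in an IdP such as Shibboleth
# (added illustration, not the IdP's code): formats come from the AuthnRequest, else
# the relying-party profile config, else SP metadata; with none the default (transient)
# applies, and a saml-nameid.xml generator is only used once its format is selected.
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def select_formats(requested=None, config_formats=(), metadata_formats=()):
    """Ordered list of acceptable formats for one request (simplified precedence)."""
    if requested:                 # <samlp:NameIDPolicy Format="..."> in the AuthnRequest
        return [requested]
    if config_formats:            # nameIDFormatPrecedence on the relying-party profile
        return list(config_formats)
    if metadata_formats:          # <md:NameIDFormat> elements in SP metadata
        return list(metadata_formats)
    return [TRANSIENT]            # "No formats specified ..., returning default"

def generate_nameid(relying_party, attributes, generators, formats):
    """First generator whose format was selected, whose activation condition admits
    the relying party and which can produce a value wins; None if none can."""
    for fmt in formats:
        for gen in generators:
            if gen["format"] != fmt:
                continue
            allowed = gen.get("relying_parties")   # shibboleth.Conditions.RelyingPartyId
            if allowed and relying_party not in allowed:
                continue
            if fmt == TRANSIENT:                   # opaque one-off value, no attribute needed
                return fmt, "_" + secrets.token_urlsafe(24)
            for attr_id in gen["source_attributes"]:   # attribute-sourced generator
                values = attributes.get(attr_id, [])
                if values:
                    return fmt, values[0]
    return None

# Generators and released attribute as in the thread's config (constructed data).
GENERATORS = [
    {"format": TRANSIENT},
    {"format": PERSISTENT, "source_attributes": ["XXXXAsNameID"],
     "relying_parties": {"https://adminuat.dc2.pp.com/", "https://admin.dc2.pp.com/"}},
]
RELEASED = {"XXXXAsNameID": ["1234567"]}

if __name__ == "__main__":
    sp = "https://adminuat.dc2.pp.com/"
    print(generate_nameid(sp, RELEASED, GENERATORS, select_formats()))                      # [5] transient
    print(generate_nameid(sp, RELEASED, GENERATORS, select_formats(metadata_formats=[PERSISTENT])))  # [6] persistent
```

Passing `config_formats=[PERSISTENT]` instead of the metadata list shows the relying-party override route Peter mentions giving the same persistent result.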
Re: SAML nameid generation defaults to transient

Lipscomb, Gary
Peter,

>Note that the above is not a legal persistent NameID (cf. SAML Core).
Understand that, but that's what the vendor wants. Tried to convince them to accept it as an attribute but they said no. The software was already decided on before IT was involved, and they could do SAML SSO.

Thanks for clearing up the misunderstanding of saml-nameid release.

regards
Gary