Sending Assertion with custom NameID in subject



rjames512
Hello,

I have been having a lot of trouble integrating Gmail with Shibboleth. They require the NameID passed to be the user's email attribute; right now the assertion carries a cryptic value:

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                NameQualifier="https://testidp.touro.edu/idp/shibboleth"
                SPNameQualifier="google.com/a/gateway.touro.edu" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQyOF4i1Kih0skY5/MWF6CvAC5xw012rp9o/zu7FI+ztntmrnYkwJq+uIcfIV399bNzs+bzYSB1n5tC2Wf6LGMNJelcgAeRLIpmspcRN8A5ACN+gbWAIywBEL0nb/gw/0E7G4Uapng=</saml2:NameID>

I've been reading through various documentation but can't seem to get this value to change. Here are the files I have:

saml-nameid.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
                           
       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
    </util:list>

    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />
    </util:list>

</beans>

metadata-providers.xml, where I've added this line for Google:

<MetadataProvider id="google.com" xsi:type="FilesystemMetadataProvider" metadataFile="C:\Production_Runs\shibbolethIDP\metadata\google-metadata.xml" />

Attribute filter for Google:

<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="Requester" value="google.com" />
    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Attribute resolver:

<resolver:AttributeDefinition id="principal" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oasis:saml:tc:SAML:1.1:nameid-format:unspecified"
        nameFormat="urn:oasis:saml:tc:SAML:1.1:nameid-format:unspecified"
        />
</resolver:AttributeDefinition>

relying-party.xml:

<bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false"
                p:encryptNameIDs="false"/>
        </list>
    </property>
</bean>

google-metadata.xml:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="google.com" entityID="https://accounts.google.com/o/saml2?idpid=C01e4xzvb">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>

  <md:SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://accounts.google.com/o/saml2/idp?idpid=C01e4xzvb"/>
    </md:Extensions>

    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C01e4xzvb"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C01e4xzvb"/>
</md:EntityDescriptor>


Thank you for your time and help,
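The following is an added example, not code from the original post and not part of Shibboleth. It cross-checks the pieces quoted above against each other: the NameID format URNs declared in the SP metadata are validated against the standard identifiers (the emailAddress format is defined under the `urn:oasis:names:tc:SAML:1.1:` prefix, so the `2.0` spelling in the metadata matches nothing); the assertion's Format, NameQualifier and SPNameQualifier are compared with the metadata entityID; and the `value=`/`c:relyingPartyIds` identifiers used for the Requester rule and relying-party override are compared with that same entityID, because both match on entityID, not on the metadata provider id. The `select_generator` function is a simplified model (an assumption, not Shibboleth's own code) of the walk over `shibboleth.SAML2NameIDGenerators`: an attribute-sourced generator only yields a value when one of its source attributes has been released to that SP by the attribute filter. Sample inputs are trimmed from the files in the post, with the opaque transient value replaced by a placeholder; all function and finding names are this example's own.

```python
"""Cross-check a SAML NameID against SP metadata and IdP policy identifiers.

Added example, not code from the original post or from Shibboleth.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID format identifiers defined in SAML 2.0 Core, section 8.3.
KNOWN_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed inputs: the SP metadata and the NameID from the post, trimmed.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C01e4xzvb">
  <md:SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

ASSERTION_NAMEID = """<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    NameQualifier="https://testidp.touro.edu/idp/shibboleth"
    SPNameQualifier="google.com/a/gateway.touro.edu">OPAQUE-TRANSIENT-VALUE</saml2:NameID>"""

# The value= of the Requester rule and c:relyingPartyIds quoted in the post.
POLICY_IDS = ["google.com"]


def parse_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    formats = [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS) if e.text]
    return {"entity_id": root.get("entityID"), "nameid_formats": formats}


def parse_nameid(xml_text):
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}NameID" % NS["saml2"]:  # also accept a whole Subject/Assertion
        el = el.find(".//saml2:NameID", NS)
    return {"format": el.get("Format"), "name_qualifier": el.get("NameQualifier"),
            "sp_name_qualifier": el.get("SPNameQualifier"), "value": (el.text or "").strip()}


def nearest_known_format(urn):
    """Suggest the standard URN with the same trailing token (catches 1.1/2.0 mix-ups)."""
    suffix = urn.rsplit(":", 1)[-1]
    for known in sorted(KNOWN_NAMEID_FORMATS):
        if known.rsplit(":", 1)[-1] == suffix:
            return known
    return None


def check_nameid_config(metadata_xml, nameid_xml, policy_ids):
    """Return (finding, observed, expected) tuples; an empty list means consistent."""
    md = parse_sp_metadata(metadata_xml)
    nid = parse_nameid(nameid_xml)
    findings = []
    for fmt in md["nameid_formats"]:
        if fmt not in KNOWN_NAMEID_FORMATS:
            findings.append(("unknown-format", fmt, nearest_known_format(fmt)))
    if nid["format"] not in md["nameid_formats"]:
        findings.append(("format-not-declared", nid["format"], md["nameid_formats"]))
    if nid["sp_name_qualifier"] and nid["sp_name_qualifier"] != md["entity_id"]:
        findings.append(("spnamequalifier-mismatch", nid["sp_name_qualifier"], md["entity_id"]))
    for pid in policy_ids:  # Requester rules and relying-party overrides match on entityID
        if pid != md["entity_id"]:
            findings.append(("policy-id-mismatch", pid, md["entity_id"]))
    return findings


def select_generator(generators, acceptable_formats, released_attrs):
    """Simplified model (assumption, not Shibboleth code): first generator whose format
    the SP accepts and which has a value; attribute-sourced ones need a released attribute."""
    for fmt, sources in generators:
        if fmt not in acceptable_formats:
            continue
        if sources is None or any(a in released_attrs for a in sources):
            return fmt
    return None


GENERATORS = [  # order of the util:list in the post's saml-nameid.xml
    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", None),
    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", ["mail"]),
]

if __name__ == "__main__":
    for finding in check_nameid_config(SP_METADATA, ASSERTION_NAMEID, POLICY_IDS):
        print("%-26s observed=%r expected=%r" % finding)
    email = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    print("released {'principal'} ->", select_generator(GENERATORS, {email}, {"principal"}))
    print("released {'mail'}      ->", select_generator(GENERATORS, {email}, {"mail"}))
```

Run against the post's inputs the checker reports four findings (the non-standard `2.0:...:emailAddress` URN with its `1.1` counterpart as the hint, a transient Format the SP never declared, an SPNameQualifier that is not the metadata entityID, and a policy id that is not the entityID either), and the generator model returns no emailAddress generator while only `principal` is released but does once `mail` is in the released set; a metadata/NameID pair where entityID, SPNameQualifier and a standard format all agree produces no findings.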
