Sending custom transient nameid


Sending custom transient nameid

Ryan Suarez-2
Greetings,

There is some SP that requires a urn:oasis:names:tc:SAML:2.0:nameid-format:transient nameid with the value of the subject's email address. Yes, I know this is wrong. I just need to evaluate all my options.

1. They have included <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/> in the SP request. Is it possible to send instead a urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress nameid in the IdP assertion? This link leads me to believe the answer is no (though I want to confirm):
"If a <NameIDPolicy> element with Format is supplied, a suitable identifier MUST be generated or an error will be returned."
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration

2. Is it possible to send a subject's email address as a transient nameid just for the given SP? What work is involved?

regards,
Ryan

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Sending custom transient nameid

Boyd, Todd M.
The "dealing with conflicting requirements" section of this page might prove useful:

https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration

Though I'm not sure if it will accept the transient URN as a valid format to override. Worth a shot, anyhow.

-Todd

________________________________
From: users <[hidden email]> on behalf of Ryan Suarez <[hidden email]>
Sent: Thursday, May 3, 2018 2:07:04 PM
To: [hidden email]
Subject: Sending custom transient nameid

RE: Sending custom transient nameid

Cantor, Scott E.
> Though I'm not sure if it will accept the transient URN as a valid format to
> override. Worth a shot, anyhow.

The system doesn't know anything about any of them, they're all handled the same. It's merely a question of what's built in and what's not. "Custom" just means "not built in". It walks the list and whatever happens to generate a viable result is used, in whatever order it finds them, whether it's a ref to a built-in bean or a bean that's supplied by a user.

-- Scott


Re: Sending custom transient nameid

Ryan Suarez-2
In reply to this post by Boyd, Todd M.
Hi Todd,

Yes, I tried that and it didn't work. It still sends the proper transient nameid.

thanks,
Ryan

On Thu, 2018-05-03 at 19:34 +0000, Boyd, Todd M. wrote:
> The "dealing with conflicting requirements" section of this page
> might prove useful:
>
> https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
>
> Though I'm not sure if it will accept the transient URN as a valid
> format to override. Worth a shot, anyhow.
>
> -Todd

RE: Sending custom transient nameid

Cantor, Scott E.
> Yes, I tried that and it didn't work.  It still sends the proper transient nameid.

Then you added it in the wrong order relative to what's already there.

-- Scott


Re: Sending custom transient nameid

Ryan Suarez-2
> Then you added it in the wrong order relative to what's already there.

I see. I did have to reorder and it works!

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <!-- SP-specific override: emits the attribute value under the transient
             Format, but only for the relying party named in the activation
             condition. It must come BEFORE the stock transient generator,
             because the list is walked in order and the first viable result wins. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            p:attributeSourceIds="#{ {'someAttribute'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="someSP" />
            </property>
        </bean>

        <!-- Stock transient generator: handles every other relying party. -->
        <ref bean="shibboleth.SAML2TransientGenerator" />

    </util:list>

I guess it was easier than I thought.

thanks,
Ryan

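A simplified model of the ordered generator walk Scott describes, and of why the working configuration above has to place the SP-specific bean ahead of the stock transient generator. This is an added example written in Python, not Shibboleth IdP code: the class and function names, the sample principals and the rule that a generator is only considered when its Format matches the Format in the SP's NameIDPolicy (drawn from the spec sentence quoted in the first message) are all assumptions of the model.

```python
"""Model of an ordered NameID generator list (added example, not IdP code).

The IdP walks its generator list in order and uses the first generator that
produces a viable NameID for the Format the SP requested. Every name below
(Generator, walk_generators, the PRINCIPALS table) is constructed for this
illustration and does not correspond to a real Shibboleth class or bean.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample data standing in for resolved principal attributes.
PRINCIPALS = {
    "alice": {"mail": "alice@example.org"},
    "bob": {},  # no mail attribute resolved for bob
}


@dataclass
class Generator:
    name: str
    format: str
    # Produces a NameID value, or None when nothing viable can be made.
    produce: Callable[[str, str], Optional[str]]
    # Activation condition: None means "active for every relying party",
    # like the stock transient generator; a string restricts it to one SP.
    relying_party: Optional[str] = None

    def active(self, rp: str) -> bool:
        return self.relying_party is None or self.relying_party == rp


def transient_value(principal: str, rp: str) -> str:
    # An opaque, single-use identifier unrelated to the principal.
    return "_" + secrets.token_hex(16)


def attribute_sourced(attr: str) -> Callable[[str, str], Optional[str]]:
    # Mirrors an attribute-sourced generator: value comes from an attribute.
    def produce(principal: str, rp: str) -> Optional[str]:
        return PRINCIPALS.get(principal, {}).get(attr)
    return produce


def walk_generators(generators: List[Generator], requested_format: str,
                    principal: str, rp: str) -> Optional[Tuple[str, str]]:
    """Return (generator name, value) from the first viable generator.

    A generator is viable when its Format matches the requested one (assumed
    from the spec sentence quoted in the thread), its activation condition
    passes for this relying party, and it actually yields a value. None means
    the IdP would have to return an error to the SP.
    """
    for g in generators:
        if g.format != requested_format or not g.active(rp):
            continue
        value = g.produce(principal, rp)
        if value is not None:
            return g.name, value
    return None


STOCK_TRANSIENT = Generator("SAML2TransientGenerator", TRANSIENT, transient_value)
MAIL_AS_TRANSIENT = Generator("mailAsTransient", TRANSIENT,
                              attribute_sourced("mail"), relying_party="someSP")
STOCK_EMAIL = Generator("mailAsEmailAddress", EMAIL, attribute_sourced("mail"))

# Wrong order (the first attempt in the thread): the always-active stock
# transient generator comes first and therefore wins for every SP.
WRONG_ORDER = [STOCK_TRANSIENT, MAIL_AS_TRANSIENT]
# Working order: the SP-specific override precedes the stock generator.
RIGHT_ORDER = [MAIL_AS_TRANSIENT, STOCK_TRANSIENT]


def which_generator(order: List[Generator], principal: str, rp: str,
                    requested_format: str = TRANSIENT) -> Optional[str]:
    result = walk_generators(order, requested_format, principal, rp)
    return result[0] if result else None


if __name__ == "__main__":
    for label, order in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for rp in ("someSP", "otherSP"):
            print(label, rp, walk_generators(order, TRANSIENT, "alice", rp))
    # An emailAddress-Format generator is never picked when the SP asks for transient.
    print(walk_generators([STOCK_EMAIL, STOCK_TRANSIENT], TRANSIENT, "alice", "someSP"))
```

Running the script shows the two failure modes from the thread side by side: with the stock generator first, someSP never sees the attribute value, and a generator bound to the emailAddress Format is skipped outright when NameIDPolicy asks for transient, which is why question 1 in the original post cannot be solved by just switching Formats. Note also that the override falls through to the stock generator when the source attribute is missing, so a principal without the attribute still gets a real transient identifier rather than an error.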