saml:Issuer format in saml response


saml:Issuer format in saml response

Redmond Militante

We are attempting to make our 2.1 IdP work with a non-shib saml consumer product.  We are debugging error messages on the service provider end regarding 'the SAML Response issuer's entity id did not match', something to that effect.  Our third party vendor thinks that this may be due to how saml:Issuer looks in the SAML Responses he is receiving from us, which look like

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response Destination="https://sp.com/sso/ACS" ID="_6eb6e3be68c51a90602b7edddfca901c" InResponseTo="_efb7bc71297fee9491f8f62b6f7a1bb8" IssueInstant="2009-06-12T19:21:18.279Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:incommon:uchicago.edu</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_0cd68ff7534d9dbc240037ff5a45b590" IssueInstant="2009-06-12T19:21:18.279Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:uchicago.edu</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>


in particular, he'd like us to format these two lines

<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:incommon:uchicago.edu</saml:Issuer>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:uchicago.edu</saml:Issuer>

so that they match, preferably something like

<saml:Issuer>urn:mace:incommon:uchicago.edu</saml:Issuer>

Is it possible to configure the IdP to format saml:Issuer in SAML Responses this way?  It doesn't seem like something that is commonly done, and even if it is I'm not sure how it would impact any of the other bilateral trust relationships we have configured on our IdP, and if this is not possible I'd like to be able to go back to them with a definitive answer that this is not possible.  

Thanks for any advice,
R.

--
Redmond Militante NSIT/NBS The University of Chicago
PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

RE: saml:Issuer format in saml response

Cantor, Scott E.
> in particular, he'd like us to format these two lines
>
> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:incommon:uchicago.edu</saml:Issuer>
> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:uchicago.edu</saml:Issuer>
>
> so that they match, preferably something like
>
> <saml:Issuer>urn:mace:incommon:uchicago.edu</saml:Issuer>

Those are equivalent in SAML terms. The first two are also equivalent in XML
terms except that the namespace has to be present if it's not declared up
above. The latter is equivalent only because of SAML language in the profile
allowing the Issuer Format to be defaulted.

> Is it possible to configure the IdP to format saml:Issuer in SAML Responses
> this way?

No, we don't allow that level of control.

-- Scott



Re: saml:Issuer format in saml response

Redmond Militante


Thanks again Scott.

+++ Scott Cantor <[hidden email]> [09/06/16 08:19]:

> > in particular, he'd like us to format these two lines
> >
> > <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:incommon:uchicago.edu</saml:Issuer>
> > <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:uchicago.edu</saml:Issuer>
> >
> > so that they match, preferably something like
> >
> > <saml:Issuer>urn:mace:incommon:uchicago.edu</saml:Issuer>
>
> Those are equivalent in SAML terms. The first two are also equivalent in XML
> terms except that the namespace has to be present if it's not declared up
> above. The latter is equivalent only because of SAML language in the profile
> allowing the Issuer Format to be defaulted.
>
> > Is it possible to configure the IdP to format saml:Issuer in SAML Responses
> > this way?
>
> No, we don't allow that level of control.
>
> -- Scott
>

--
Redmond Militante NSIT/NBS The University of Chicago
PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

Re: saml:Issuer format in saml response

Redmond Militante


On a related note, our vendor is now inquiring if it is possible to remove InResponseTo from our saml responses

      <samlp:Response Destination="https://sp.com/sso/ACS"
      ID="_bb319ea3b5956a6e14cf69ac9259e1af"
      InResponseTo="_40a0a044fb5e6867d2be5bbe1ad11857"
      IssueInstant="2009-06-12T18:49:32.616Z" Version="2.0"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

      <saml:SubjectConfirmationData Address="128.135.0.26"
      InResponseTo="_40a0a044fb5e6867d2be5bbe1ad11857"
      NotOnOrAfter="2009-06-12T18:54:32.616Z"
      Recipient="https://sp.com/sso/ACS"/>

so they look like


      <samlp:Response Destination="https://sp.com/sso/ACS"
      ID="_bb319ea3b5956a6e14cf69ac9259e1af"
      IssueInstant="2009-06-12T18:49:32.616Z" Version="2.0"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

      <saml:SubjectConfirmationData Address="128.135.0.26"
      NotOnOrAfter="2009-06-12T18:54:32.616Z"
      Recipient="https://sp.com/sso/ACS"/>

Is this non-configurable as well?

Thanks,
R.


+++ Redmond Militante <[hidden email]> [09/06/16 09:12]:

>
>
> Thanks again Scott.
>
> +++ Scott Cantor <[hidden email]> [09/06/16 08:19]:
> > > in particular, he'd like us to format these two lines
> > >
> > > <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:incommon:uchicago.edu</saml:Issuer>
> > > <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:uchicago.edu</saml:Issuer>
> > >
> > > so that they match, preferably something like
> > >
> > > <saml:Issuer>urn:mace:incommon:uchicago.edu</saml:Issuer>
> >
> > Those are equivalent in SAML terms. The first two are also equivalent in XML
> > terms except that the namespace has to be present if it's not declared up
> > above. The latter is equivalent only because of SAML language in the profile
> > allowing the Issuer Format to be defaulted.
> >
> > > Is it possible to configure the IdP to format saml:Issuer in SAML Responses
> > > this way?
> >
> > No, we don't allow that level of control.
> >
> > -- Scott
> >
>
> --
> Redmond Militante NSIT/NBS The University of Chicago
> PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

--
Redmond Militante NSIT/NBS The University of Chicago
PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

RE: saml:Issuer format in saml response

Cantor, Scott E.
Redmond Militante wrote on 2009-06-17:
>
> On a related note, our vendor is now inquiring if it is possible to remove
> InResponseTo from our saml responses

The profile requires including the attribute if the response is generated by
a request, and the IdP doesn't support any other way of asking it to
generate a response. So it's a catch-22.

> is this non configurable as well?

It's more that we don't support unsolicited responses.
 
-- Scott
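The two points Scott makes in this thread, that an Issuer with an explicit entity Format and one without are equivalent, and that a response generated from an SP request must carry InResponseTo, as the SP-side checks a consumer should be doing. This is an added example, not code from the thread or from Shibboleth; it uses only Python's standard library and a constructed sample response modelled on the ones quoted above (signature omitted, so signature validation is a separate step).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Constructed sample: Response-level Issuer spells out the Format, the
# Assertion-level Issuer omits it. Per the SAML profile both mean the same.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Destination="https://sp.com/sso/ACS" ID="_resp1" InResponseTo="_req1"
    IssueInstant="2009-06-12T19:21:18.279Z" Version="2.0">
  <saml:Issuer Format="{ENTITY_FORMAT}">urn:mace:incommon:uchicago.edu</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2009-06-12T19:21:18.279Z" Version="2.0">
    <saml:Issuer>urn:mace:incommon:uchicago.edu</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def issuer_value(issuer):
    """Entity ID carried by a saml:Issuer, or None if its Format is not the
    entity format. A missing Format defaults to the entity format."""
    if issuer.get("Format", ENTITY_FORMAT) != ENTITY_FORMAT:
        return None
    return (issuer.text or "").strip()


def validate_response(xml_text, expected_issuer, expected_request_id):
    """Return a list of problems (empty means the checks passed).
    expected_request_id is the ID of the AuthnRequest this SP sent, or None
    when an unsolicited (IdP-initiated) response is expected."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"]
    # Check the Response-level Issuer and every Assertion-level Issuer.
    issuers = [root.find(f"{{{SAML}}}Issuer")]
    issuers += [a.find(f"{{{SAML}}}Issuer") for a in root.findall(f"{{{SAML}}}Assertion")]
    for iss in issuers:
        if iss is None:
            problems.append("missing saml:Issuer")
        elif issuer_value(iss) != expected_issuer:
            problems.append(f"issuer mismatch: Format={iss.get('Format')!r} value={iss.text!r}")
    # InResponseTo must be present and match when the SP sent a request,
    # and must be absent on an unsolicited response.
    irt = root.get("InResponseTo")
    if expected_request_id is None:
        if irt is not None:
            problems.append("unexpected InResponseTo on unsolicited response")
    elif irt != expected_request_id:
        problems.append(f"InResponseTo {irt!r} does not match request {expected_request_id!r}")
    return problems
```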