I need to construct a NameID in the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format that is actually based on a Kerberos principal. This is to satisfy an SP that wants an emailAddress NameID, while presenting a value that is immutable, since users can change their primary email address.
Putting aside the why for now... my problem is that the resulting NameID has the domain portion of the value stripped off.
I have built a new attribute on which the new nameID is based:
<!-- krb-spn: a Scoped attribute built from the "uid" value supplied by the
     "incommunity" dependency, with the fixed scope "upenn.edu" attached. -->
<resolver:AttributeDefinition id="krb-spn"
xsi:type="Scoped"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
scope="upenn.edu"
sourceAttributeID="uid">
<resolver:Dependency ref="incommunity" />
<!-- Both encoders publish this value under the standard mail attribute names
     (urn:mace:dir:attribute-def:mail and urn:oid:0.9.2342.19200300.100.1.3).
     scopeType="inline" makes the encoder render value and scope as one
     value@scope string in the attribute statement, which is why the released
     attribute reads "phei@upenn.edu".
     NOTE(review): the "email" definition further down encodes the real mail
     attribute under exactly the same two names. If both are released to one
     SP it receives two attributes with the same Name and different values,
     and may treat this Kerberos principal as a deliverable mailbox. A
     distinct, purpose-specific attribute name avoids that ambiguity. -->
<resolver:AttributeEncoder name="urn:mace:dir:attribute-def:mail"
xsi:type="SAML1ScopedString"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
scopeType="inline" />
<resolver:AttributeEncoder name="urn:oid:0.9.2342.19200300.100.1.3"
xsi:type="SAML2ScopedString"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
scopeType="inline"
friendlyName="krb-spn" />
</resolver:AttributeDefinition>
and, with the proper entry in attribute-filter, that attribute is released in the desired format:
<saml2:Attribute FriendlyName="krb-spn"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
>phei@upenn.edu</saml2:AttributeValue
However, if I plug that attribute into the nameID block as the source for the desired nameID,
<!-- krbNameID (variant 1): a Simple pass-through of krb-spn, encoded as the
     subject NameID in the SAML 1.1 emailAddress format (the same format URI
     is used for both the SAML 1 and SAML 2 encoders). Observed result: the
     NameID carries only "phei", without the scope.
     NOTE(review): a Scoped definition yields a value/scope pair rather than a
     single string. The ScopedString encoders on krb-spn have a scopeType
     setting to render that pair; these NameID encoders have no scope handling
     at all, which would explain why only the value part survives. Confirm
     against the IdP's scoped-value handling; if that is the cause, the NameID
     source must be a definition that emits the full principal as one plain
     string.
     Two further caveats: the emailAddress format is meant to carry an RFC 2822
     address, so a bare "phei" will be rejected by any SP that validates that
     form; and the value is only as immutable as the uid namespace, i.e. it
     holds only if uids are never reassigned to another person. -->
<resolver:AttributeDefinition id="krbNameID"
xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="krb-spn">
<resolver:Dependency ref="krb-spn"/>
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
only the first part (username) is presented:
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="
https://idp.net.isc.upenn.edu/idp/shibboleth" SPNameQualifier="
https://shibdev3.net.isc.upenn.edu/shibboleth" >phei</saml2:NameID>
Using an existing email attribute as the source in the NameID definition returns the full address.
<!-- krbNameID (variant 2, shown for comparison): the same two NameID encoders,
     but sourced from the "email" definition instead of krb-spn. It reuses the
     id "krbNameID", so only one of the two variants can be present in
     attribute-resolver.xml at a time. Observed result: the full address
     "phei@isc.upenn.edu" is emitted, presumably because the source value is
     already a single plain string. Note that this is the user's mutable
     primary mail address, which is exactly the property the krb-spn variant
     was meant to avoid. -->
<resolver:AttributeDefinition id="krbNameID"
xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="email">
<resolver:Dependency ref="email"/>
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
<!-- email: a Simple pass-through of the "mail" value from the "incommunity"
     dependency, released under the standard mail attribute names with plain
     String encoders (no scope handling; the value goes out as-is). This is
     the definition whose value reaches the SP intact when used as the NameID
     source.
     NOTE(review): the krb-spn definition above encodes a Kerberos principal
     under these same two SAML names; releasing both to one SP produces two
     attributes with the same Name but different values. -->
<resolver:AttributeDefinition id="email"
xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="mail">
<resolver:Dependency ref="incommunity" />
<resolver:AttributeEncoder name="urn:mace:dir:attribute-def:mail"
xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
<resolver:AttributeEncoder name="urn:oid:0.9.2342.19200300.100.1.3"
xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
friendlyName="mail" />
</resolver:AttributeDefinition>
returns the full address:
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="
https://idp.net.isc.upenn.edu/idp/shibboleth" SPNameQualifier="
https://shibdev3.net.isc.upenn.edu/shibboleth" >phei@isc.upenn.edu</saml2:NameID>
Why, in the first instance, is the domain portion being removed? Wouldn't the NameID attribute processing simply take whatever the source attribute defines? Or does it look farther down, to the original source of the source?
Thanks,
Peter