NameIDFormat emailAddress SAML:2.0 (?)


Alan Angulo (live@edu admin)
Dear Shibboleth community,
I have a vendor requesting to pass the emailAddress in the NameID subject of our SAML response.
The user authenticates correctly but right after the browser goes into an infinite redirect.

The log entries show a warning regarding an unsupportable identifier:
"2019-11-22 15:40:51,583 - 192.148.111.xxx - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

The vendor's metadata has this entry:
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>

I suspect the vendor's metadata is referencing the wrong NameIDFormat in his metadata. I am thinking it should be this:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

since that's the format stated in the saml-nameid.xml config file of the Shibboleth IdP 3.4.6

Can someone confirm that this is the cause of the problem?

Thanks!


~Alan Angulo

Senior Systems Administrator / Office 365 Administrator

East Stroudsburg University | 570-422-3783 | [hidden email] | [hidden email]


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: NameIDFormat emailAddress SAML:2.0 (?)

Peter Schober
* Alan Angulo (Office365 admin) <[hidden email]> [2019-11-22 22:06]:
> The user authenticates correctly but right after the browser goes
> into an infinite redirect.

Looping can have many possible reasons -- cf. the Shibboleth SP's own
documentation[1] on looping with that software implementation -- but
an SP expecting something (here: a NameID in a certain format) and
your IDP not sending it (here: because it's bogus) is certainly
possible.

> The vendor's metadata has this entry:
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
>
> I suspect the vendor's metadata is referencing the wrong
> NameIDFormat in his metadata. I am thinking it should be this:
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Indeed, see 8.3.2 on p.85 of SAML Core:
https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf

> Can someone confirm that this is the cause of the problem?

Not quite, it may also be looping for any number of other reasons.
But lacking evidence wrt anything else being wrong/off that's one
place to start.
(You could configure your IDP to send the bogus format just to find
out whether, but don't tell the SP -- or your boss -- you got it
working, otherwise chances are slim the SP has motivation to fix it.)

-peter

[1] https://wiki.shibboleth.net/confluence/display/SP3/Looping
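As an added example (not code from this thread, from Shibboleth, or from the vendor), the following Python script reads the NameIDFormat elements out of an SP's metadata and checks each URI against the format identifiers SAML 2.0 Core section 8.3 defines, the reference Peter cites. It flags the undefined "SAML:2.0:nameid-format:emailAddress" value from Alan's log and, more generally, any URI that only differs from a defined one by its SAML version prefix, suggesting the correct identifier. The entityID, endpoints and the sample metadata are constructed; the check judges only whether a URI is a defined format, not whether a given IdP is configured to generate it.

```python
"""Check the NameIDFormat URIs an SP declares in its metadata against the
format identifiers defined in SAML 2.0 Core, section 8.3.

Added example, not code from the thread or from Shibboleth. The sample
metadata below is constructed."""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# NameID format identifiers defined in SAML 2.0 Core, section 8.3.
# unspecified, emailAddress, X509SubjectName and WindowsDomainQualifiedName
# keep their SAML 1.1 URIs; "SAML:2.0:nameid-format:emailAddress" is not
# defined anywhere, which is why the IdP reports it as unsupportable.
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed SP metadata that reproduces the vendor's mistake from the thread
# (entityID and endpoint locations are made up).
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def find_nameid_formats(metadata_xml):
    """Return the text of every md:NameIDFormat element, in document order."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}NameIDFormat" % MD_NS
    return [el.text.strip() for el in root.iter(tag) if el.text and el.text.strip()]


def suggest_fix(uri):
    """If uri is a defined format carrying the wrong SAML version prefix
    (1.1 instead of 2.0 or vice versa), return the defined URI, else None."""
    for wrong, right in (("SAML:2.0:", "SAML:1.1:"), ("SAML:1.1:", "SAML:2.0:")):
        candidate = uri.replace(wrong, right, 1)
        if candidate != uri and candidate in KNOWN_FORMATS:
            return candidate
    return None


def check_nameid_formats(metadata_xml):
    """Classify each declared NameIDFormat as "ok" or "unsupported" and attach
    a suggested replacement for the common version-prefix mistake."""
    findings = []
    for uri in find_nameid_formats(metadata_xml):
        if uri in KNOWN_FORMATS:
            findings.append({"format": uri, "status": "ok", "suggestion": None})
        else:
            findings.append({"format": uri, "status": "unsupported",
                             "suggestion": suggest_fix(uri)})
    return findings


def main(argv):
    # Usage: python3 check_nameid.py [sp-metadata.xml]; without an argument the
    # constructed sample is checked.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SP_METADATA
    for finding in check_nameid_formats(xml_text):
        line = "%-12s %s" % (finding["status"], finding["format"])
        if finding["suggestion"]:
            line += "  -> did you mean %s ?" % finding["suggestion"]
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, the first NameIDFormat is reported as unsupported with the SAML 1.1 emailAddress URI as the suggested replacement, and the transient format as ok. The version-prefix swap is deliberately the only heuristic: anything else that is not in the section 8.3 list is reported as unsupported with no suggestion, so the script does not guess at a vendor's intent.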