eduPersonTargetedID not being sent as persistent

eduPersonTargetedID not being sent as persistent

mhc-shib-admin
Hi Folks-

I am setting up our IDP (v3.3) to work with Everfi. They are asking for a
persistent nameID so I am sending them eduPersonTargetedID. On examining the
SAML, I find this:

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://sso.mtholyoke.edu/idp/shibboleth"
        SPNameQualifier="https://admin.fifoundry.net/mount_holyoke_college/saml/sp">AAdzZWN....</saml2:NameID>
</saml2:Subject>

I didn't think this was possible but, as it apparently is, can anyone suggest how
I can change it to persistent?

Thanks very much.



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: eduPersonTargetedID not being sent as persistent

James Oulman
My notes from our integration with EverFi are that they want a persistent id in the format of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

We added a SAML2NameId Generator to saml-nameid.xml to send them EPPN

       <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:omitQualifiers="true"
             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
             p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }">
         <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{{
                    'https://fifoundry.net/saml/sp'
                  }}"/>
         </property>
       </bean>

And then configured the relying-party to force unspecified and disable encryption of NameIDs.

      <bean parent="RelyingPartyByName"
            c:relyingPartyIds="#{{
                                  'https://fifoundry.net/saml/sp'
                                }}" >
         <property name="profileConfigurations">
            <list>
               <bean parent="SAML2.SSO"
                     p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                     p:signResponses="true"
                     p:signAssertions="true"
                     p:encryptAssertions="true"
                     p:encryptNameIDs="false" />
               <bean parent="SAML2.ECP"
                     p:signResponses="true"
                     p:signAssertions="true"
                     p:encryptAssertions="true"
                     p:encryptNameIDs="false" />
            </list>
         </property>
      </bean>

-James


From: users <[hidden email]> on behalf of mhc-shib-admin <[hidden email]>
Sent: Wednesday, January 8, 2020 9:43 AM
To: [hidden email] <[hidden email]>
Subject: eduPersonTargetedID not being sent as persistent
 
[External Email]

Hi Folks-

I am setting up our IDP (v3.3) to work with Everfi. They are asking for a
persistent nameID so I am sending them eduPersonTargetedID. On examining the
SAML, I find this:

<saml2:Subject>
            <saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                NameQualifier="https://urldefense.proofpoint.com/v2/url?u=https-3A__sso.mtholyoke.edu_idp_shibboleth&d=DwICAg&c=sJ6xIWYx-zLMB3EPkvcnVg&r=_L7sACgIQaR0AZonCJxTrg&m=cDucy65-TFMRxFpieoaTxjzjI0PaSXLMUElCQxSXiFs&s=L7ZSO0pmrFS5YjcVKJ-lAV7uNO9bhwaXLvcLF7-znmM&e= "

SPNameQualifier="https://urldefense.proofpoint.com/v2/url?u=https-3A__admin.fifoundry.net_mount-5Fholyoke-5Fcollege_saml_sp&d=DwICAg&c=sJ6xIWYx-zLMB3EPkvcnVg&r=_L7sACgIQaR0AZonCJxTrg&m=cDucy65-TFMRxFpieoaTxjzjI0PaSXLMUElCQxSXiFs&s=gJbUKDlwQqznGSaKjRAUJe6Fpkpnz_VbzTW9lFFN-kc&e= ">AAdzZWN....</saml2:NameID>
</saml2:Subject>

I didn't this was possible but as it, apparently is, can anyone suggest how
I can change it to persistent?

Thanks very much.



--
Sent from: https://urldefense.proofpoint.com/v2/url?u=https-3A__shibboleth.1660669.n2.nabble.com_Shibboleth-2DUsers-2Df1660767.html&d=DwICAg&c=sJ6xIWYx-zLMB3EPkvcnVg&r=_L7sACgIQaR0AZonCJxTrg&m=cDucy65-TFMRxFpieoaTxjzjI0PaSXLMUElCQxSXiFs&s=arHFi2oZD-wi9y6RYRLHx9rImGhNlT1prglqq0t2RGE&e=
--
For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_x_coFAAg&d=DwICAg&c=sJ6xIWYx-zLMB3EPkvcnVg&r=_L7sACgIQaR0AZonCJxTrg&m=cDucy65-TFMRxFpieoaTxjzjI0PaSXLMUElCQxSXiFs&s=cDJS6M5Z1rWcRQMTYBJZvJMFSOB7BH8q-kG9xoS1oeA&e=
To unsubscribe from this list send an email to [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: eduPersonTargetedID not being sent as persistent

Mak, Steve
In reply to this post by mhc-shib-admin
If this is through InCommon, EverFi does not seem to declare a NameIDFormat preference which will resolve to "unspecified" to the IdP logic without some additional work.

You would need to set a relying party override for this entity ID to force the NameID Format to a persistent type, and combine that with a properly defined generated nameid with persistent format sourced from your TargetedID attribute and a filter release that enables the attribute.

That should allow the IdP to "pick" the persistent NameID from the pool of attributes.

On 1/8/20, 09:43, "users on behalf of mhc-shib-admin" <[hidden email] on behalf of [hidden email]> wrote:

Re: eduPersonTargetedID not being sent as persistent

Cantor, Scott E.
On 1/8/20, 11:36 AM, "users on behalf of Mak, Steve" <[hidden email] on behalf of [hidden email]> wrote:

> If this is through InCommon, EverFi does not seem to declare a NameIDFormat preference which will resolve to
> "unspecified" to the IdP logic without some additional work.

InCommon actually doesn't support the insertion of NameIDFormat elements into its metadata, though the other eduGAIN-imported metadata does have some.

The reasoning for that is multi-fold:

- NameIDs are bad, wrong, a pain in the ass, best-avoided, never use them, etc., so encouraging any use of them is the last thing federations should do
- Practically speaking, most actual requirements for NameID are from commercial vendors without well-defined or even in some cases logical approaches to user identification, and tend to just want "whatever, just send us the email in it" or misuses of the Formats or other anti-patterns
- The most common case is for the particular Format to use to depend on the overall provisioning integration with the service and often will be IdP-specific, so it doesn't work to dictate the Format in metadata shared through a federation for consumption by multiple IdPs

So in the end, I actively discouraged InCommon supporting the element the last time it was discussed.

FWIW.

-- Scott


Re: eduPersonTargetedID not being sent as persistent

mhc-shib-admin
In reply to this post by James Oulman
Thanks to everyone for their help and suggestions:

I've managed to produce the following:

<saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://sso.mtholyoke.edu/idp/shibboleth"
            SPNameQualifier="https://admin.fifoundry.saml.../sp">w8L...</saml2:NameID>
    </saml2:AttributeValue>
</saml2:Attribute>

Using the information on this page:

As well as the suggestions from James above.

Thing is we still can't log into Everfi. The only troubling piece of information I have is from idp-process.log:

2020-01-09 16:54:49,199 - INFO [Shibboleth-Audit.SSO:275] - 20200109T215449Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|***|https://admin.fifoundry.net/saml/sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sso.mtholyoke.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|***|cswoods|urn:oasis:names:tc:SAML:2.0:ac:classes:Password|eduPersonTargetedID,surname,givenName,email||***

If I understand correctly, the second-from-last field should show the value passed for NameID, and that field is empty. I'm a bit confused as to how the SAML assertion could contain a NameID but somehow my own IDP thinks (or knows) that we are passing nothing to the SP.

Thanks again for past and future help.

-Chris
-----------------------------------------------
Chris Woods, CISSP
He/him/his pronouns
Systems Administrator
Library, Information, and Technology Services
Mount Holyoke College
South Hadley, MA

413-538-3536
[hidden email]
-----------------------------------------------


On Wed, Jan 8, 2020 at 11:26 AM Oulman,James F <[hidden email]> wrote:

Re: eduPersonTargetedID not being sent as persistent

Cantor, Scott E.
That is not a NameID. That's an Attribute with a NameID as a value.

Persistent NameID generation is here:
https://wiki.shibboleth.net/confluence/display/IDP30/PersistentNameIDGenerationConfiguration

NameID Format selection (to get it to use "persistent") is here:
https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration

For an InCommon service, you have two options to get format selection to work:

- create a relying party override with a nameIDFormatPrecedence setting, documented at length with numerous examples throughout the wiki
- add a NameIDFormat MetadataFilter to the InCommon metadata configuration to add the format to the relevant SP metadata

-- Scott



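Putting Steve's recipe (relying-party override plus a persistent-format generator) and Scott's two format-selection options into concrete IdP v3 configuration, as an added example that is not part of any post in this thread. The entityID https://sp.example.org/saml/sp is a placeholder for the SP's real entityID from metadata (assumption); the bean ids, profile property and filter type are the ones documented on the IdP30 wiki pages Scott links. The generator reads idp.persistentId.sourceAttribute and idp.persistentId.salt from conf/saml-nameid.properties, which are not shown here.

```xml
<!-- 1. conf/saml-nameid.xml: make the persistent generator available.
     shibboleth.SAML2PersistentGenerator emits a Subject NameID with
     Format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, computed
     from idp.persistentId.sourceAttribute and idp.persistentId.salt in
     conf/saml-nameid.properties. The source attribute must be a value that
     is never reassigned to another person, and the salt must be a long
     random secret that is never changed afterwards, or every user's
     persistent ID changes. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <ref bean="shibboleth.SAML2PersistentGenerator" />
</util:list>

<!-- 2a. conf/relying-party.xml: Scott's first option. Because this SP's
     federation metadata carries no NameIDFormat element, tell the IdP which
     Format to prefer for this one relying party. The entityID below is a
     placeholder (assumption). -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{ {'https://sp.example.org/saml/sp'} }">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
    </property>
</bean>

<!-- 2b. conf/metadata-providers.xml: Scott's second option, used instead
     of 2a. The NameIDFormat metadata filter adds the Format to the SP's
     entity as the aggregate is loaded, so the IdP's normal format selection
     picks it up with no per-SP override. Place it inside the
     MetadataProvider element that loads the federation aggregate. -->
<MetadataFilter xsi:type="NameIDFormat"
                formats="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <Entity>https://sp.example.org/saml/sp</Entity>
</MetadataFilter>
```

After the change, the check is the one Scott's first reply implies: look at the saml2:Subject of the assertion, not at the eduPersonTargetedID attribute, and confirm its NameID now carries Format persistent; the NameID field of the Shibboleth-Audit line for that SP should be populated at the same time. A persistent-format NameID inside an eduPersonTargetedID AttributeValue is a separate thing produced by the attribute resolver and says nothing about what the Subject contains.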