urn:mace:shibboleth:1.0:nameIdentifier in 4.0.1 / SAML 2 ?


Louis Chanouha

Hello,
I'm experiencing issues with Shibboleth 4. It doesn't accept the "urn:mace:shibboleth:1.0:nameIdentifier" NameIDPolicy.
Did someone successfully make a urn:mace:shibboleth:1.0:nameIdentifier request return a transient id?

I don't know, since SAML1NameIdentifier and SAML2NameID don't exist anymore as AttributeDefinition xsi:type values in 4.x, how to provide both urn:mace:shibboleth:1.0:nameIdentifier and urn:oasis:names:tc:SAML:2.0:nameid-format:transient on SAMLv2, as we have several services requesting this old value.

Some advice would be very, very appreciated, as I spent the whole day exploring all the Shibb 4 docs without finding any tiny path.

See below my current conf.
I use Internet2's Shibboleth 4.0.1 (https://hub.docker.com/r/tier/shib-idp)

Everything else is working very well.

Sorry for my English,
Thanks,
Louis

Request from SP

shib-idp;idp-process.log;dev;nothing;<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="xxxxx" Destination="https://yyyyy.fr/idp/profile/SAML2/Redirect/SSO" ID="ONELOGIN_3df62681-dffc-41e5-8522-251dd0165329" IssueInstant="2021-01-07T16:48:13Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="yyyy" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
shib-idp;idp-process.log;dev;nothing;    <saml:Issuer>https://xxxx</saml:Issuer>
shib-idp;idp-process.log;dev;nothing;    <samlp:NameIDPolicy AllowCreate="true" Format="urn:mace:shibboleth:1.0:nameIdentifier"/>
shib-idp;idp-process.log;dev;nothing;    <samlp:RequestedAuthnContext Comparison="exact">
shib-idp;idp-process.log;dev;nothing;        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
shib-idp;idp-process.log;dev;nothing;        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
shib-idp;idp-process.log;dev;nothing;    </samlp:RequestedAuthnContext>
shib-idp;idp-process.log;dev;nothing;</samlp:AuthnRequest>

Problem starts here:

shib-idp;idp-process.log;dev;nothing;2021-01-07 17:19:03,128 - 172.17.0.1 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:111] - Profile Action AddAttributeStatementToAssertion: Adding constructed AttributeStatement to Assertion _4a13c09af3bd47eac716494229bf5b8b
shib-idp;idp-process.log;dev;nothing;2021-01-07 17:19:03,150 - 172.17.0.1 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
shib-idp;idp-warn.log;dev;nothing;2021-01-07 17:19:03,150 - 172.17.0.1 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier

And the IdP returns a login error

shib-idp;idp-process.log;dev;nothing;        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
shib-idp;idp-process.log;dev;nothing;            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
shib-idp;idp-process.log;dev;nothing;        </saml2p:StatusCode>
shib-idp;idp-process.log;dev;nothing;        <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
shib-idp;idp-process.log;dev;nothing;    </saml2p:Status>

I have the following conf:

[saml-nameid.xml]
    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:mace:shibboleth:1.0:nameIdentifier"
            p:attributeSourceIds="#{ {'mail'} }" />

    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">

        <ref bean="shibboleth.SAML1TransientGenerator" />

        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->

    </util:list>

[saml-nameid.conf]
idp.transientId.generator = shibboleth.CryptoTransientIdGenerator

tried:
idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
idp.nameid.saml2.default = urn:mace:shibboleth:1.0:nameIdentifier

without success

I tried to send invalid data; the conf file works well, and the nameid generators look loaded

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:mace:shibboleth:1.0:nameIdentifier"
            p:attributeSourceIds="#{ {'mail'} }" />

shib-idp;idp-process.log;dev;nothing;2021-01-07 17:20:54,541 - 172.17.0.1 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:191] - Checking for source attribute mail
shib-idp;idp-process.log;dev;nothing;2021-01-07 17:20:54,542 - 172.17.0.1 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:221] - Attribute sources [mail] did not produce a usable identifier
shib-idp;idp-process.log;dev;nothing;2021-01-07 17:20:54,542 - 172.17.0.1 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier
shib-idp;idp-warn.log;dev;nothing;2021-01-07 17:20:54,542 - 172.17.0.1 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:mace:shibboleth:1.0:nameIdentifier

I think I have all the mandatory declarations:

./metadata/idp-metadata.xml:        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
./metadata/idp-metadata.xml:        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
./dist/conf/saml-nameid.properties:#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
./dist/conf/audit.xml:        <entry key="urn:mace:shibboleth:1.0:nameIdentifier" value="transient" />
./system/flows/saml/saml-abstract-beans.xml:                        <value>urn:mace:shibboleth:1.0:nameIdentifier</value>
./system/flows/saml/saml1/sso-abstract-beans.xml:                p:defaultFormat="%{idp.nameid.saml1.default:urn:mace:shibboleth:1.0:nameIdentifier}" />
./system/flows/admin/resolvertest-beans.xml:                    p:defaultFormat="%{idp.nameid.saml1.default:urn:mace:shibboleth:1.0:nameIdentifier}">
./system/conf/subject-c14n-system.xml:        p:formats="#{ {'urn:mace:shibboleth:1.0:nameIdentifier'} }" />
./system/conf/subject-c14n-system.xml:        p:formats="#{ {'urn:mace:shibboleth:1.0:nameIdentifier'} }" />
./conf/saml-nameid.xml:            p:format="urn:mace:shibboleth:1.0:nameIdentifier"
./conf/saml-nameid.properties:idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
./conf/saml-nameid.properties:idp.nameid.saml2.default = urn:mace:shibboleth:1.0:nameIdentifier
./conf/audit.xml:        <entry key="urn:mace:shibboleth:1.0:nameIdentifier" value="transient" />


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
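To make the two outcomes visible in the post's logs concrete, here is an added model (not Shibboleth's own code) of how a SAML 2 NameID generator list is walked for the format a NameIDPolicy requests: no generator for the format, or an attribute-sourced generator whose source attribute is empty, both end in InvalidNameIDPolicy. The generator list mirrors the saml-nameid.xml fragment above; the AuthnRequest, the attribute sets, the fallback to idp.nameid.saml2.default and the in-order walk are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
LEGACY = "urn:mace:shibboleth:1.0:nameIdentifier"

# Generator list as declared in the post's saml-nameid.xml: (format, source attribute ids).
# An empty tuple marks a generator that mints an opaque value and needs no attribute.
GENERATORS = [
    (TRANSIENT, ()),                                               # SAML2TransientGenerator
    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", ()),  # SAML2PersistentGenerator
    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", ("mail",)),
    (LEGACY, ("mail",)),                                           # the legacy-format bean
]

# Constructed AuthnRequest shaped like the one in the post (placeholder ID, no signature).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed_req" Version="2.0">'
    f'<samlp:NameIDPolicy AllowCreate="true" Format="{LEGACY}"/></samlp:AuthnRequest>'
)


def requested_format(authn_request_xml: str, default: str = TRANSIENT) -> str:
    """Format from samlp:NameIDPolicy; assumed fallback is the idp.nameid.saml2.default value."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    fmt = None if policy is None else policy.get("Format")
    return fmt or default


def select_name_id(fmt: str, attributes: dict, generators=GENERATORS) -> tuple:
    """Try every generator for `fmt` in order; return ('ok', value) or ('InvalidNameIDPolicy', why)."""
    candidates = [sources for f, sources in generators if f == fmt]
    if not candidates:
        return "InvalidNameIDPolicy", f"no generator configured for {fmt}"
    for sources in candidates:
        if not sources:                      # transient/persistent: always produce a value
            return "ok", "<opaque identifier>"
        for attr in sources:                 # attribute-sourced: needs a resolved, non-empty value
            if attributes.get(attr):
                return "ok", attributes[attr][0]
    tried = [attr for sources in candidates for attr in sources]
    return "InvalidNameIDPolicy", f"attribute sources {tried} did not produce a usable identifier"


def diagnose(authn_request_xml: str, attributes: dict) -> tuple:
    """End-to-end check: parse the request's NameIDPolicy, then run generator selection."""
    return select_name_id(requested_format(authn_request_xml), attributes)


if __name__ == "__main__":
    print(diagnose(AUTHN_REQUEST, {"uid": ["jdoe"]}))               # 'mail' unresolved, as in the post
    print(diagnose(AUTHN_REQUEST, {"mail": ["jdoe@example.org"]}))  # same request once 'mail' resolves
```

Running the first case reproduces the post's sequence (generator found for the format, source attribute empty, request rejected); the second shows the same request succeeding once the resolver actually supplies `mail`.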