IDP not releasing eduPersonTargetedID


sa...@sanren.ac.za

May 12, 2015, 5:42:34 AM5/12/15
to simple...@googlegroups.com
Hi

I am new to simplesamlphp, I have a simplesamlphp SP and IDP setup. Now I want the IDP to release the eduPersonTargetedID or eduPersonPrincipalName.

How do I achieve this?

Regards,
Sakhi

Peter Schober

May 12, 2015, 6:00:50 AM5/12/15
to simple...@googlegroups.com
Hi Sakhi,

* sa...@sanren.ac.za <sa...@sanren.ac.za> [2015-05-12 11:42]:
> I am new to simplesamlphp, I have a simplesamlphp SP and IDP
> setup. Now I want the IDP to release the eduPersonTragetedID or
> eduPersonPrincipalName.

Such open ended questions are not very suitable for public mailing
lists. Try explaining what you did so far, what instructions you
followed (if not using the official documentation) and what the errors
or problems were you ran into.
Also, from where you intend to get the data (a SAML IDP often
doesn't have any data of its own, it just fetches them from some
System Of Record and sends them along to SAML SPs).

Best regards and welcome to the community,
-peter

Sakhi Hadebe

May 14, 2015, 3:42:38 AM5/14/15
to simple...@googlegroups.com
Hi, I am sorry for not providing sufficient information.

We have successfully configured filesender (with simplesamlphp) following this guide ( https://www.assembla.com/wiki/show/file_sender/Installation_-_Linux_Source#install_and_configure_php5 ) and the simplesamlphp IdP ( https://simplesamlphp.org/docs/1.8/simplesamlphp-idp ). There is a discovery service in between. These 3 entities are working fine.

Now we want to get connected to the TNC federated services, i.e. we want to add our IdP to the list of IdPs on their site. For this to be achieved our IdP needs to release the required attributes eduPersonTargetedID and eduPersonPrincipalName, which it is currently not doing. Below are the attributes released by our IdP.

Your attributes
Given name Sakhi
Common name SHadebe
Surname Hadebe
User ID SHadebe

The problem could be with the LDAP server, where eduPerson* attributes are not defined/configured.

According to my knowledge, mail and eduPersonPrincipalName have the same value which is the email address. Now, I want to map the two attributes and get the eduPersonPrincipalName to be released.


--
You received this message because you are subscribed to a topic in the Google Groups "simpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/SWvfRuEBgTA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.



--
Regards,
Sakhi Hadebe
Engineer: South African National Research Network (SANReN)Competency Area, Meraka, CSIR
 
Tel:   +27 12 841 2308
Fax:   +27 12 841 4223
Cell:  +27 71 331 9622
Email: sa...@sanren.ac.za

Shoaib Ali

May 14, 2015, 4:13:11 AM5/14/15
to simple...@googlegroups.com
Hi Sakhi,

If your user store (ldap) is not giving those attributes you can use core:AttributeMap https://simplesamlphp.org/docs/stable/core:authproc_attributemap


Maybe a filter like below?
'authproc' => array(
    50 => array(
        'class' => 'core:AttributeMap',
        'eduPersonTargetedID' => 'mail',
        'eduPersonPrincipalName' => 'mail',
    ),
),





Sakhi Hadebe

May 14, 2015, 4:24:55 AM5/14/15
to simple...@googlegroups.com
Hi Shoaib,

I will try it and let you know. Where does this filter go: the saml20-idp-hosted file or the main configuration file config.php?

Shoaib Ali

May 14, 2015, 9:50:20 PM5/14/15
to simple...@googlegroups.com
The one I have goes in config.php.

Dick Visser

May 15, 2015, 9:54:50 AM5/15/15
to simplesamlphp
Hi

On 14 May 2015 at 10:13, Shoaib Ali <sho...@catalyst.net.nz> wrote:
> Hi Sakhi,
>
> If your user store (ldap) is not giving those attributes you can use
> core:AttributeMap
> https://simplesamlphp.org/docs/stable/core:authproc_attributemap
>
>
> Maybe a filter like below?
>
> 'authproc' => array(
> 50 => array(
> 'class' => 'core:AttributeMap',
> 'eduPersonTargetedID' => 'mail'


This is actually wrong.
eduPersonTargetedID should be a 'persistent, non-reassigned,
privacy-preserving identifier for a user shared between an identity
provider and service provider'.
The mail attribute is not persistent, it's reassigned, and doesn't
preserve privacy.
So it is probably the worst choice for eduPersonTargetedID ;-)

Good news: simpleSAMLphp comes out of the box with support for
eduPersonTargetedID:

https://simplesamlphp.org/docs/stable/core:authproc_targetedid

Configure that (properly) and you're all set!


Dick


--
Dick Visser
Sr. System & Networking Engineer
GÉANT, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488

GÉANT
Networks. Services. People.

Learn more at: http://www.géant.org

Peter Schober

May 15, 2015, 6:31:55 PM5/15/15
to simple...@googlegroups.com
* Sakhi Hadebe <sa...@sanren.ac.za> [2015-05-14 09:42]:
> The problem could be with the LDAP server, where eduPerson*
> attributes are not defined/configured.

If you don't store the attribute values in LDAP (and that's not
feasible for eduPersonTargetedID, as it's defined to be different for
every subject for every SP) you can (or will need) to generate them in
the IDP on the fly.

> According to my knowledge, mail and eduPersonPrincipalName have the
> same value which is the email address.

Not quite, though that's allowed. Here's the spec:
http://macedir.org/specs/eduperson/#eduPersonPrincipalName

Not really the best place for this (feel free to discuss this on the
REFEDS list) but the easiest and traditionally probably most common
way to generate ePPN values is by qualifying the login name (userid,
netid) of the subject with the canonical DNS domain of the
institution, resulting in values looking much like your email
address.
If you have rules in place that prevent re-assigning of ePPN (or
rather the underlying userid) values from one person to another you'll
save a few headaches later, though (as some services want/need an
identifier that never identifies two different subjects, even over long
periods of time).

> Now, I want to map the two attributes and get the
> eduPersonPrincipalName to be released.

You can either use core:AttributeMap to simply map 'mail' attributes
to eduPersonPrincipalName attributes, or generate ePPNs from e.g. uid:

# config/config.php

'authproc.idp' => array(
    10 => array( // define myScope with a static "scope", cf. eduPerson
        'class' => 'core:AttributeAdd',
        'myScope' => array('sanren.ac.za'),
    ),
    11 => array( // create ePPN from uid + myScope
        'class' => 'core:ScopeAttribute',
        'scopeAttribute' => 'myScope', // defined above
        'sourceAttribute' => 'uid', // or cn or sAMAccountName or ...
        'targetAttribute' => 'eduPersonPrincipalName',
    ),

    /* At the end of that section don't forget to use the name2oid map,
       since eduPerson requires urn:oid naming for use with SAML2. */

    99 => array(
        'class' => 'core:AttributeMap', 'name2oid',
    ),

),
etc.

As for eduPersonTargetedID, Dick already pointed you to the
core:TargetedID authproc filter. There's also this:
https://simplesamlphp.org/docs/stable/saml:nameid

If using the core:TargetedID filter be sure to set the optional
parameter "nameId" to TRUE to "generate an Internet2 compatible
eduPersonTargetedID attribute".
(When using the saml:PersistentNameID I'd recommend setting both name
qualifier "common options" to TRUE.)

The default of FALSE for 'nameId' and the "Internet2 compatible
eduPersonTargetedID" wording is unfortunate, as the "MACE-Dir SAML
Attribute Profiles" (URL below) that govern the use of MACE-defined
attributes (i.e. eduPerson) within SAML unambiguously state in
section "3.3.1.1 eduPersonTargetedID" (p.11, from line 390) that:

"The <saml2:AttributeValue> element's content MUST be a <saml2:NameID>
element with a Format XML attribute of
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
http://macedir.org/docs/internet2-mace-dir-saml-attributes-latest.pdf

Also note the name format and attribute encoding settings at the very
end of https://simplesamlphp.org/docs/stable/saml:nameid, you'll also
need those.
-peter
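Putting Dick's and Peter's advice together, here is a complete hosted-IdP configuration as an added example. It was written for this edit and is not code from the thread or from the simpleSAMLphp project. It assumes, hypothetically, that the LDAP auth source is called 'example-ldap' and returns 'uid', that the institutional scope is sanren.ac.za, that 'secretsalt' in config/config.php has been changed from the shipped default, and that the filter option names match the linked core:authproc_targetedid and saml:nameid documentation for the version in use (check them before deploying):

```php
<?php
// metadata/saml20-idp-hosted.php -- added example, not from the thread.
// Hypothetical assumptions: the LDAP auth source is named 'example-ldap'
// and returns 'uid'; the institutional scope is sanren.ac.za; config.php
// has a 'secretsalt' that is long, random and NOT the shipped default,
// because every persistent NameID / ePTID below is derived from it.
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',
    'auth'        => 'example-ldap',

    // IdP-side authproc chain; lower keys run first.
    'authproc' => array(
        // 1. ePPN = uid@sanren.ac.za. ePPN is a name-based, human-friendly
        //    identifier that may legitimately change; it is NOT the pairwise ID.
        10 => array(
            'class'   => 'core:AttributeAdd',
            'myScope' => array('sanren.ac.za'),
        ),
        11 => array(
            'class'           => 'core:ScopeAttribute',
            'scopeAttribute'  => 'myScope',
            'sourceAttribute' => 'uid',
            'targetAttribute' => 'eduPersonPrincipalName',
        ),

        // 2. Subject NameID: persistent, opaque, different for every SP.
        //    The module derives it from secretsalt, the source attribute and
        //    the SP's entityID, so one SP cannot correlate a user with another
        //    SP from the value alone (the property 'mail' lacks).
        20 => array(
            'class'           => 'saml:PersistentNameID',
            'attribute'       => 'eduPersonPrincipalName',
            'NameQualifier'   => TRUE, // IdP entityID, as Peter recommends
            'SPNameQualifier' => TRUE, // SP entityID
        ),

        // 3. eduPersonTargetedID carrying that same NameID. With 'nameId'
        //    TRUE the attribute value is a <saml2:NameID Format=...persistent>
        //    element, which is what the MACE-Dir SAML attribute profile
        //    quoted above requires.
        21 => array(
            'class'     => 'saml:PersistentNameID2TargetedID',
            'attribute' => 'eduPersonTargetedID',
            'nameId'    => TRUE,
        ),
        // Alternative to 20+21: core:TargetedID with 'nameId' => TRUE, which
        // generates the attribute directly from secretsalt and a chosen
        // 'attributename' (see core:authproc_targetedid).

        // 4. Friendly names -> urn:oid, as eduPerson requires for SAML 2.0.
        //    Anything after this step must refer to the OID names.
        90 => array(
            'class' => 'core:AttributeMap', 'name2oid',
        ),
    ),

    // Attribute names are URIs after name2oid, and the ePTID value must be
    // emitted raw (as an XML element), not serialised to a string.
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'attributeencodings'    => array(
        'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw', // eduPersonTargetedID
    ),
);
```

Two things a practitioner should check after enabling this. First, 'secretsalt' is effectively the key of the whole pairwise-identifier scheme: rotating it silently gives every user a new identity at every SP, so keep it out of version control and treat it like a credential. Second, the helper attribute 'myScope' is still in the attribute set at the end of the chain and will be released unless a core:AttributeLimit filter (or a per-SP 'attributes' list) removes it; the attribute dumps later in this thread show exactly that leak.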

Sakhi Hadebe

May 18, 2015, 2:50:28 AM5/18/15
to simple...@googlegroups.com
HI Peter,

Thank you so much. Will let you know after applying the above.


Sakhi Hadebe

May 20, 2015, 4:16:03 AM5/20/15
to simple...@googlegroups.com
Hi Peter,

Thank you so much, it worked


Sakhi Hadebe

Jul 9, 2015, 5:18:30 AM7/9/15
to simple...@googlegroups.com
Hi All,

How can I configure my identity provider to release an eduPersonEntitlement attribute with this value: urn:mace:grnet.gr:eduroam:admin




Sakhi Hadebe

Jul 9, 2015, 5:22:34 AM7/9/15
to simple...@googlegroups.com
Hi,


Sorry for not giving sufficient information:

What I have done is to try and release the eduPersonEntitlement on the fly like this: 

 100 => array('class' => 'core:AttributeAdd', 'eduPersonEntitlement' => 'urn:mace:grnet.gr:eduroam:admin',),

If I verify the attribute release using simpleSAMLphp, it shows that the eduPersonEntitlement attribute is released:

Your attributes

myScope                             csir.co.za
urn:oid:0.9.2342.19200300.100.1.3   SHa...@csir.co.za
urn:oid:2.5.4.42                    Sakhi
urn:oid:2.5.4.3                     SHadebe
urn:oid:2.5.4.4                     Hadebe
urn:oid:0.9.2342.19200300.100.1.1   SHadebe
urn:oid:1.3.6.1.4.1.5923.1.1.1.6    SHa...@csir.co.za
urn:oid:1.3.6.1.4.1.5923.1.1.1.7    urn:mace:grnet.gr:eduroam:admin
groups
  • users
  • members


However the shibboleth SP is still not receiving this attribute


Thijs Kinkhorst

Jul 9, 2015, 5:25:53 AM7/9/15
to simple...@googlegroups.com
On 09-07-15 11:22, Sakhi Hadebe wrote:
> What I have done is to try and release the eduPersonEntitlement on the
> fly like this:
>
> 100 => array('class' => 'core:AttributeAdd', 'eduPersonEntitlement' =>
> 'urn:mace:grnet.gr:eduroam:admin',),

You are giving all users in your IdP the "admin" entitlement. This is
not normally something I think you'd want.

> If I verify the attributes release using simplessamlphp, it shows that
> eduPersonEntitlement attribute is released
>
>
> Your attributes
>
> myScope csir.co.za
> urn:oid:0.9.2342.19200300.100.1.3 SHa...@csir.co.za
> urn:oid:2.5.4.42 Sakhi
> urn:oid:2.5.4.3 SHadebe
> urn:oid:2.5.4.4 Hadebe
> urn:oid:0.9.2342.19200300.100.1.1 SHadebe
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6 SHa...@csir.co.za
> urn:oid:1.3.6.1.4.1.5923.1.1.1.7 urn:mace:grnet.gr:eduroam:admin
> groups


> However the shibboleth SP is still not receiving this attribute

Maybe you can check with the Firefox SAML Tracer plugin whether your IdP
actually sends the attribute to the SP, so you know better where the process
breaks down.


Cheers,
Thijs
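One way to act on Thijs's point, as an added example that is not code from the thread or from the simpleSAMLphp project: gate the entitlement on group membership with a core:PHP filter, and scope its release to the one SP that needs it with core:AttributeLimit plus an 'attributes' list in that SP's remote metadata. The 'groups' attribute is the one visible in the attribute dump above; the group name 'eduroam-admins', the DjNRO SP's entityID and its endpoint are hypothetical placeholders.

```php
<?php
// Added example, not from the thread. Hypothetical names: the group value
// 'eduroam-admins' and the DjNRO SP entityID/endpoint below.

// --- metadata/saml20-idp-hosted.php: the 'authproc' key of the hosted IdP.
$metadata['__DYNAMIC:1__']['authproc'] = array(
    // (earlier filters supply uid, mail, groups, eduPersonPrincipalName ...)

    // Add the entitlement only for members of the admin group. core:PHP
    // evaluates 'code' with $attributes (name => array of values) in scope,
    // by reference; everyone else never gets the attribute at all.
    50 => array(
        'class' => 'core:PHP',
        'code'  => '
            if (isset($attributes["groups"])
                && in_array("eduroam-admins", $attributes["groups"], true)) {
                $attributes["eduPersonEntitlement"][] =
                    "urn:mace:grnet.gr:eduroam:admin";
            }
        ',
    ),

    // Release policy. When the SP metadata carries no "attributes" list,
    // only this default set leaves the IdP; a list in the SP metadata
    // replaces it. Friendly names are used here because name2oid runs
    // afterwards; place this filter after name2oid and you must list OIDs.
    60 => array(
        'class'   => 'core:AttributeLimit',
        'default' => TRUE,
        'eduPersonPrincipalName',
        'eduPersonTargetedID',
        'givenName',
        'sn',
        'mail',
    ),

    90 => array(
        'class' => 'core:AttributeMap', 'name2oid',
    ),
);

// --- metadata/saml20-sp-remote.php: the single SP allowed to see the
// entitlement. Every other SP keeps the default set from filter 60.
$metadata['https://djnro.example.ac.za/shibboleth'] = array( // hypothetical
    'AssertionConsumerService' =>
        'https://djnro.example.ac.za/Shibboleth.sso/SAML2/POST', // hypothetical
    'attributes' => array(
        'eduPersonPrincipalName',
        'eduPersonTargetedID',
        'mail',
        'eduPersonEntitlement',
    ),
);
```

Verifying this end to end is easier than guessing: the IdP's own attribute page shows the post-filter set for the logged-in user, and the Shibboleth SP's logs show what arrived and what it dropped. Because the assertion to a Shibboleth SP is normally encrypted, a browser-side SAML trace will not show the attribute values themselves.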


Peter Schober

Jul 9, 2015, 5:29:07 AM7/9/15
to simple...@googlegroups.com
* Sakhi Hadebe <sa...@sanren.ac.za> [2015-07-09 11:18]:
> How can I configure my identity provider to release an
> eduPersonEntitlement attribute with this value:
> *urn:mace:grnet.gr:eduroam:admin*

See my second answer to your question in the thread with the subject
"eduPersonEntitlement" you previously opened:
https://groups.google.com/d/msg/simplesamlphp/fpY0dOKsp30/OpvrqnDOqm0J

So I'd rather change DjNRO to not require that entitlement, that's
pointless, IMO, since all accounts created in DjNRO go through admin
approval anyway, AFAIR.

Unless you don't control the DjNRO instance, of course.
I.e., it's someone else's server.
-peter

Peter Schober

Jul 9, 2015, 5:35:07 AM7/9/15
to simple...@googlegroups.com
* Sakhi Hadebe <sa...@sanren.ac.za> [2015-07-09 11:22]:
> However the shibboleth SP is still not receiving this attribute

JFYI and not for this list, but the Shibboleth SP will log received
attributes in its transaction.log, and records ignored attributes
(due to missing mapping, though eduPerson attributes are all mapped by
default) in shibd.log (or shibd_warn.log) in lines with the word
"skipping".
So there is no need for guesswork: You have the IDP's logs, the SP's
logs and the SAML assertion in transit -- though Thijs' suggestion to
grab the SAML message from the browser will usually not show any
attributes, as those will likely be encrypted (if your SP has a
suitable key in its metadata).
-peter

Sakhi Hadebe

Jul 9, 2015, 5:35:32 AM7/9/15
to simple...@googlegroups.com
Hi Thijs,

I am not clear how to use this plugin SAML Tracer. Can you give some guidance please.


Thijs Kinkhorst

Jul 9, 2015, 5:38:50 AM7/9/15
to simple...@googlegroups.com
On 09-07-15 11:35, Sakhi Hadebe wrote:
> I am not clear how to use this plugin SAML Tracer. Can you give some
> guidance please.

Google on how to use saml tracer gives me some useful results.


Cheers,
Thijs


Peter Schober

Jul 9, 2015, 5:46:49 AM7/9/15
to simple...@googlegroups.com
* Thijs Kinkhorst <thijs.k...@surfnet.nl> [2015-07-09 11:38]:
Knowing how to use this tool might be useful in other cases, but I
doubt it will show attributes in the clear in this case: The Shib SP
automatically generates a key pair for SAML usage and includes it in
its metadata generators, which should be all that SSP needs to encrypt
messages to that SP, making attributes unreadable in the browser.
Going with the IDP's and SP's logs (when you have access to them)
always trumps that.
-peter

Sakhi Hadebe

Mar 15, 2016, 5:36:09 AM3/15/16
to simple...@googlegroups.com
Hi,

I configured my IDP to release eduPersonPrincipalName on the fly as our LDAP is not releasing one. Below shows how it is configured:

# config/config.php

'authproc.idp' => array(
  10 => array( // define myScope with a static "scope", cf. eduPerson
    'class' => 'core:AttributeAdd',
    'myScope' => array('sanren.ac.za'),
  ),
  11 => array( // create ePPN from uid + myScope
    'class' => 'core:ScopeAttribute',
    'scopeAttribute' => 'myScope', // defined above
    'sourceAttribute' => 'uid', // or cn or sAMAccountName or ...
    'targetAttribute' => 'eduPersonPrincipalName',
  ),

/* At the end of that section don't forget to use the name2oid map,
   since eduPerson requires urn:oid naming for use with SAML2. */

  99 => array(
    'class' => 'core:AttributeMap', 'name2oid',
  ),

),

But now my IdP is no longer releasing this attribute. See below:

Your attributes

Mail         (mail)        SHa...@csir.co.za
Given name   (givenName)   Sakhi
Common name  (cn)          SHadebe
Surname      (sn)          Hadebe
User ID      (uid)         SHadebe




Can you please help me to get it released again. I have been stuck on this for two days now.




Peter Schober

Mar 15, 2016, 6:13:12 AM3/15/16
to Sakhi Hadebe
* Sakhi Hadebe <sa...@sanren.ac.za> [2016-03-15 10:36]:
> I configured my IDP to release eduPersonPrincipalName on the fly as our
> LDAP is not releasing one. Below shows how it is oconfigured:
[...]
> Can you please help me to get it back to be released again. I have been
> stucked on this for two days now.

Almost a year ago you wrote:

* Sakhi Hadebe <sa...@sanren.ac.za> [2015-05-20 10:16]:
> Hi Peter,
>
> Thank you so much, it worked

So why not follow the original instructions, again, as those got you a
working config before? Did you change anything here (I'm not about to
diff the config you sent with the one I posted, anyone can do that,
including you)? Or maybe some other change caused the lack of release?
What SP are you testing this with and to what SPs should it be
released? What do your log files say?

Lots of questions for you to answer that should get you on the right path.

Best regards,
-peter

Sakhi Hadebe

Jun 9, 2016, 5:35:05 AM6/9/16
to simple...@googlegroups.com
Hi All,

One of our identity providers is not releasing the eduPersonPrincipalName attribute. I have tried to use the scopeAttribute with no success. The email structure of the institution is givenN...@institution.ac.za
My problem is in defining the sourceAttribute.

Can someone help please.

Thank you in advance.

Peter Schober

Jun 9, 2016, 6:04:05 AM6/9/16
to simple...@googlegroups.com
Heita,

It may be better to start a new thread for new and unrelated
discussions. That makes it easier for everyone to see your new
question and avoids it getting buried in an old thread (which in this
case started over a year ago).

* Sakhi Hadebe <sa...@sanren.ac.za> [2016-06-09 11:35]:
> One of our identity providers is not releasing the
> eduPersonPrincipalName attribute. I have tried to use the
> scopeAttribute with no success. The email structure of the
> institution is givenN...@institution.ac.za My problem is in
> defining the sourceAttribute.

Are you asking how to construct an appropriate eduPersonPrincipalName
attribute? If so have a look at the relevant specification, at:
http://macedir.org/specs/eduperson/#eduPersonPrincipalName
The eduPerson spec suggests that this is a name-based attribute:

"Syntactically, ePPN looks like an email address but is not intended
to be a person's published email address or be used as an email
address. In general, name-based identifiers tend to be subject to some
degree of expected change and/or reassignment.

Values of eduPersonPrincipalName are often, but not required to be,
human-friendly, and may change as a result of various business
processes. They may also be reassigned after a locally-defined period
of dormancy ..."

So I would suggest to re-use the value of email as ePPN values,
verbatim.

Does that answer your question?
If not, please provide more details and more context.
-peter