Including NameID format in generated SAML2 metadata


Glenn Wearen

Nov 29, 2013, 7:25:40 AM
to simple...@googlegroups.com
Hi,
I've added 'saml:NameIDPolicy' => 'persistent' to my authsources.php file. I expected that this would add <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> to the metadata generated from http://host/path/module.php/saml/sp/metadata.php/default-sp

If I'm wrong in my understanding, perhaps there's another way to achieve this?
Glenn

HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  tel: +353-1-6609040  fax: +353-1-6603666

Alice Vixie

Dec 4, 2013, 11:56:09 AM
to simple...@googlegroups.com

Hey, I need to get it into my IdP's metadata! Just adding

                // PersistentNameID
                75 => array(
                  'class' => 'saml:PersistentNameID',
                  'attribute' => 'generationalQualifier',
                ),

to authproc.idp doesn't do the trick as suggested here <http://simplesamlphp.org/docs/trunk/saml:nameid> and I am clueless now

Peter Schober

Dec 5, 2013, 4:06:40 AM
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2013-12-04 18:22]:
> to authproc.idp doesn't do the trick is suggested here<http://simplesamlphp.org/docs/trunk/saml:nameid> and
> I am clueless now

That documentation is for enabling the generation of those NameIDs,
not the generation of SAML metadata elements.

Unless you're letting others pull metadata directly from your SSP
metadata endpoint (which provides no trust in any of the contained
information, so is rather pointless, IMO) you can easily add any
necessary NameIDFormat elements to the metadata XML before you pass it
on, e.g.
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
before the IdP's <SingleSignOnService> element.
As to how to make SSP do that, I don't know, sorry.
-peter

Brook Schofield

Dec 5, 2013, 5:13:31 AM
to simple...@googlegroups.com
In metadata/saml20-idp-hosted.php you need to set:
   'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

within your metadata array. This is NOT documented at:
   http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted

patches welcome.

-Brook

--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488    Fax +31 20 530 4499    Mob +31 65 155 3991
www.terena.org
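As an added example (not code from this thread or from SimpleSAMLphp), the Python script below does the manual edit Peter describes and doubles as a check on whatever metadata the SP or IdP publishes after Brook's 'NameIDFormat' setting: it parses an EntityDescriptor, lists the NameIDFormat values it declares, and, where the wanted format is missing, inserts it directly before SingleSignOnService (IdP) or AssertionConsumerService (SP), which is the position the SAML metadata schema prescribes. The two embedded metadata documents are constructed samples; their entity IDs and endpoint URLs are made up.

```python
"""Check for, and if missing insert, a <NameIDFormat> in SAML 2.0 metadata.

Added example, not code from the thread or from SimpleSAMLphp. The sample
metadata below is constructed; its entity IDs and URLs are made up.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("md", MD_NS)


def _md(local: str) -> str:
    """Clark-notation tag for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


# In each role descriptor the schema puts NameIDFormat directly before this
# element, so that is where a missing one is inserted.
_ROLE_SUCCESSOR = {
    _md("IDPSSODescriptor"): _md("SingleSignOnService"),
    _md("SPSSODescriptor"): _md("AssertionConsumerService"),
}

# Constructed sample: IdP metadata that declares no NameIDFormat.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.org/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: SP metadata, likewise without a NameIDFormat.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def declared_nameid_formats(metadata_xml: str) -> list[str]:
    """Return the NameIDFormat values declared anywhere in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(el.text or "").strip() for el in root.iter(_md("NameIDFormat"))]


def nameid_formats_well_placed(metadata_xml: str) -> bool:
    """True if no NameIDFormat follows SingleSignOnService (IdP) or
    AssertionConsumerService (SP) inside its role descriptor."""
    root = ET.fromstring(metadata_xml)
    for role_tag, successor_tag in _ROLE_SUCCESSOR.items():
        for role in root.iter(role_tag):
            seen_successor = False
            for child in role:
                if child.tag == successor_tag:
                    seen_successor = True
                elif child.tag == _md("NameIDFormat") and seen_successor:
                    return False
    return True


def ensure_nameid_format(metadata_xml: str, fmt: str = PERSISTENT) -> str:
    """Return the metadata with `fmt` declared in every IdP and SP role
    descriptor, inserting it in schema order where it is absent."""
    root = ET.fromstring(metadata_xml)
    for role_tag, successor_tag in _ROLE_SUCCESSOR.items():
        for role in list(root.iter(role_tag)):
            declared = {(el.text or "").strip()
                        for el in role.findall(_md("NameIDFormat"))}
            if fmt in declared:
                continue  # already present; leave the descriptor untouched
            children = list(role)
            index = next((i for i, c in enumerate(children)
                          if c.tag == successor_tag), len(children))
            new = ET.Element(_md("NameIDFormat"))
            new.text = fmt
            # Reuse the surrounding whitespace so the output stays indented.
            new.tail = children[index - 1].tail if index > 0 else role.text
            role.insert(index, new)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sample in (SAMPLE_IDP_METADATA, SAMPLE_SP_METADATA):
        fixed = ensure_nameid_format(sample)
        print(declared_nameid_formats(fixed), nameid_formats_well_placed(fixed))
        print(fixed)
```

Apply the edit before the metadata is signed: inserting an element into an already-signed document invalidates the signature, and, as Peter points out, metadata fetched unsigned from an endpoint gives the consumer no assurance about its contents, so the party consuming it should still verify a signature or obtain the document over a channel it trusts.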

Jaime Pérez Crespo

Dec 9, 2013, 9:37:14 AM
to simple...@googlegroups.com
Hi,

On 05 Dec 2013, at 11:13 am, Brook Schofield <scho...@terena.org> wrote:
> In metadata/saml20-idp-hosted.php you need to set:
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
>
> within your metadata array. This is NOT documented at:
> http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
>
> patches welcome.

Thanks for noticing Brook. I’ve just updated the documentation in trunk to reflect the use (up to date) of the NameIDFormat directive:

http://simplesamlphp.org/docs/trunk/simplesamlphp-reference-idp-hosted
http://simplesamlphp.org/docs/trunk/saml:sp

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Jaime Pérez Crespo

Dec 9, 2013, 9:45:37 AM
to simple...@googlegroups.com
Hi Glenn,

On 29 Nov 2013, at 13:25 pm, Glenn Wearen <glenn....@heanet.ie> wrote:
> Hi,
> I've added 'saml:NameIDPolicy' => 'persistent' to my authsources.php file. I expected that this would add <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> to the metadata generated from http://host/path/module.php/saml/sp/metadata.php/default-sp
>
> If I'm wrong in my understanding, perhaps there's another way to achieve this?

Unfortunately you are not wrong, nor is there (was there) a way to do that. I believe this was possible with the old code, but it must have been lost in the transition to the current one.

Fortunately, it’s something very easy to fix indeed, so I’ve just solved the problem in the repository (as of r3311).

Regards,