Attributes Name Format set not consistent


Chris

Sep 26, 2012, 6:51:17 PM
to simple...@googlegroups.com
I am currently attempting to configure a working SimpleSAMLphp IDP to a SAML 2.0 SP based on the OIOSAML.Net framework. I'm running into an issue where the SP is throwing me an error: "The DK-SAML 2.0 profile requires that an attribute's "Name" is an URI"

I assume that this was because I had set the NameFormat for the IDP attributes to: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
I have switched over to: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Also, I enabled in my IDP config:
'authproc.idp' => array(
  /* Enable the authproc filter below to add URN prefixes to all attributes */
  10 => array(
    'class' => 'core:AttributeMap', 'addurnprefix'
  ),
),

First question:
When I switch these settings, why don't my attribute names get prefixed? My response statement comes back as so:

<saml:AttributeStatement>
  <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">9</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">mmsadmin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="password" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">5f4dcc3b5aa765d61d8327deb882cf99</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">m...@admin.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">mms-admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="uuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">4fc50d84-abfc-4401-babf-bc82147402e8</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="fname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">MMS</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="lname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Next, I enabled the following in the IDP hosted file to get the OID names.
'authproc' => array(
  // Convert LDAP names to oids.
  100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

Question:
When receiving my response from the IDP with these settings in place, only 2 of the attributes have modified names. See new response:

<saml:AttributeStatement>
  <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">mmsadmin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="password" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">5f4dcc3b5aa765d61d8327deb882cf99</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">mms-admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="uuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">4fc50d84-abfc-4401-babf-bc82147402e8</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="fname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">MMS</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="lname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">9</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">m...@admin.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Why were only the 'uid' and 'email' attribute names converted? Is there something I'm missing as far as configuring this?

Thanks,
Chris

Peter Schober

Sep 27, 2012, 6:42:35 AM
to simple...@googlegroups.com
* Chris <chris....@gmail.com> [2012-09-27 00:51]:
> Why were only the 'uid' and 'email' attribute names converted? Is there
> something I'm missing as far as configuring this?

Do the others have entries in the attribute map you're using?
-peter

Chris

Sep 27, 2012, 10:04:38 AM
to simple...@googlegroups.com, peter....@univie.ac.at
First of all, sorry for my ignorance if some of this is obvious. I'm fairly new to SAML, so I'm picking it up as I go along.
I don't believe I have a defined attribute map. My IDP config in IDP hosted simply includes an authproc option to use the name2oid mapping for the attributes. I don't have a map file, and I also don't specifically list out the attributes in the authprocs.
I have attached both my IDP config.php file and IDP saml20-idp-hosted.php file. Could these be reviewed to see if I am missing a specific config item that would affect the returned attributes?
Thanks,
Chris
Attachments: config.php, saml20-idp-hosted.php

Peter Schober

Sep 27, 2012, 11:45:17 AM
to simple...@googlegroups.com
* Chris <chris....@gmail.com> [2012-09-27 16:04]:
> I don't believe I have a defined attribute map. My IDP config in IDP
> hosted simply includes an authproc option to use the name2oid
> mapping for the attributes. I don't have a map file or I also don't
> specifically list out the attributes in the authprocs.

There's nothing magic about all that: There are existing attribute
maps (files in simplesamlphp/attributemap/ -- look at them now) which
can change the name format for specific, known attributes.
They cannot do anything for any other attribute name (not listed in
those files).
From your list of attributes, e.g. name2oid only has entries for 'uid'
and 'mail' (which should match your experience just fine), but no
entries for username, uuid, password, fname, lname, role.

And of course I also need to add something about the relying party or
service never seeing the user's password being one of the great things
about SAML and identity federation. So, don't send the user's password
as an attribute. Ever. There's almost always a better alternative.
-peter
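
Peter's point, worked through in PHP as an added example that is not part of this thread or of the SimpleSAMLphp project: a custom attribute map in the same file format as the shipped ones under attributemap/, a simplified model of the rename that core:AttributeMap performs, and a pre-release check for the SP's "Name must be a URI" rule. The file name custom2urn, the urn:example:... targets, and the two-entry excerpt of name2oid are assumptions (only the uid and email targets are taken from the thread's own output); the authproc wiring in the closing comment follows the core:AttributeMap documentation. The password attribute is left out of the map on purpose, per the advice above.

```php
<?php
// Added example; not code from the thread or from the SimpleSAMLphp project.

// 1. A custom attribute map in the format of the files under
//    simplesamlphp/attributemap/. Saved as attributemap/custom2urn.php it can
//    be referenced by name from an authproc filter. The name "custom2urn" and
//    the urn:example:... targets are assumptions; use a namespace you control.
$custom2urn = array(
    'username' => 'urn:example:attributes:username',
    'uuid'     => 'urn:example:attributes:uuid',
    'fname'    => 'urn:oid:2.5.4.42',            // givenName
    'lname'    => 'urn:oid:2.5.4.4',             // sn
    'role'     => 'urn:example:attributes:role',
    // 'password' is deliberately absent: a password is not released as an attribute.
);

// 2. The two entries of the shipped name2oid map that the thread's output
//    exercises (the real file holds many more; this excerpt is an assumption).
$name2oid = array(
    'uid'   => 'urn:oid:0.9.2342.19200300.100.1.1',
    'email' => 'urn:oid:1.2.840.113549.1.9.1',
);

// 3. Simplified model of the rename core:AttributeMap performs: the listed
//    maps are merged, an attribute whose name is a key is renamed, and every
//    other attribute passes through untouched. (The real filter has further
//    options that this model leaves out.)
function applyAttributeMaps(array $attributes, array $maps) {
    $merged = array();
    foreach ($maps as $map) {
        $merged = array_merge($merged, $map);
    }
    $out = array();
    foreach ($attributes as $name => $values) {
        $newName = isset($merged[$name]) ? $merged[$name] : $name;
        $out[$newName] = $values;
    }
    return $out;
}

// 4. Pre-release check for the SP's rule: with NameFormat "uri" every
//    attribute name must be an absolute URI. Returns the offending names,
//    testing for the RFC 3986 scheme syntax ("scheme:" then non-blank text).
function namesNotUri(array $attributes) {
    $bad = array();
    foreach (array_keys($attributes) as $name) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9+.\-]*:\S+$/', $name)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed input modelled on the thread's attribute set, minus password.
$attributes = array(
    'uid'      => array('9'),
    'username' => array('mmsadmin'),
    'email'    => array('user@example.com'),
    'role'     => array('mms-admin'),
    'uuid'     => array('4fc50d84-abfc-4401-babf-bc82147402e8'),
    'fname'    => array('MMS'),
    'lname'    => array('Admin'),
);

// Only name2oid, as in the thread: uid and email are renamed, the other five
// keep their bare names and the check reports them.
$onlyShipped = applyAttributeMaps($attributes, array($name2oid));
echo "Non-URI names with name2oid only: "
    . implode(', ', namesNotUri($onlyShipped)) . "\n";

// name2oid plus the custom map: every name is a URI and the check is empty.
$withCustom = applyAttributeMaps($attributes, array($name2oid, $custom2urn));
echo "Non-URI names with both maps: "
    . implode(', ', namesNotUri($withCustom)) . "\n";
print_r($withCustom);

// 5. Wiring in metadata/saml20-idp-hosted.php; core:AttributeMap takes one or
//    more map names after 'class':
//
//    'authproc' => array(
//        100 => array('class' => 'core:AttributeMap', 'name2oid', 'custom2urn'),
//    ),
```

Run as a plain script, the first check lists exactly the names that stayed bare in the second response above (username, role, uuid, fname, lname), and the second check is empty once the custom map supplies URI-form names for them; the same check can be run against any attribute map before pointing a DK-SAML SP at the IdP.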

Chris

Sep 27, 2012, 12:18:45 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks very much. I appreciate your feedback.