SAML 2.0 IdP PersistentNameID


Alice Vixie

Dec 5, 2013, 4:30:58 AM12/5/13
to simple...@googlegroups.com
Hi,

   I've been running a SAML 2.0 IdP and now I am required to get into my metadata

      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

   Following http://simplesamlphp.org/docs/stable/saml:nameid, I added to my 1.11.0 config.php, section 'authproc.idp' => array(:

                76 => array(
                  'class' => 'saml:PersistentNameID',
                  'attribute' => 'generationalQualifier',
                ),

and later also
                // Storing persistent NameIDs in a SQL database
                77 => array(
                  'class' => 'saml:SQLPersistentNameID',
                  'attribute' => 'generationalQualifier',
                ),

just expecting to see it in the IdP's new metadata... which didn't happen.

Confused by http://simplesamlphp.org/docs/1.5/simplesamlphp-authproc, I've tried to add an 'authproc' section to metadata/saml20-idp-hosted.php, but that didn't help either...


What am I missing? Could you guys please send me a working example of a complex config.php so I can compare and see what's wrong here?


Thank you in advance

Peter Schober

Dec 5, 2013, 4:55:17 AM12/5/13
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2013-12-05 10:31]:
> I've been running IdP SAML2.0 and now I am required to get to my metadata

I've tried to answer that in the other thread.
-peter

Alice Vixie

Jul 17, 2014, 10:32:19 AM7/17/14
to simple...@googlegroups.com, peter....@univie.ac.at


On Thursday, 5 December 2013 10:55:17 UTC+1, Peter Schober wrote:
Sorry, I've tried hard, but couldn't find it. Please, please, could you direct me?

Peter Schober

Jul 17, 2014, 10:39:26 AM7/17/14
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2014-07-17 16:32]:
> On Thursday, 5 December 2013 10:55:17 UTC+1, Peter Schober wrote:
> > * Alice Vixie <id81...@gmail.com> [2013-12-05 10:31]:
> > > I've been running IdP SAML2.0 and now I am required to get to my
> > metadata
> >
> > I've tried to answer that in the other thread.
>
> Sorry, I've tried hard, but couldn't find it. Please, please, could
> you direct me?

You expect me to know about the exact thread half a year later?
I'd have to look it up, pretty much like everyone else would have to.
(And yes, next time I will put in a reference to the archives right
away.)
-peter

Peter Schober

Jul 17, 2014, 10:46:12 AM7/17/14
to simple...@googlegroups.com
* Peter Schober <peter....@univie.ac.at> [2014-07-17 16:39]:
> > On Thursday, 5 December 2013 10:55:17 UTC+1, Peter Schober wrote:
> > > I've tried to answer that in the other thread.
> >
> > Sorry, I've tried hard, but couldn't find it. Please, please, could
> > you direct me?
>
> You expect me to know about the exact thread half a year later?
> I'd have to look it up, pretty much like everyone else would have to.
> (And yes, next time I will put in a reference to the archives right
> away.)

There, I dug up the old thread where you asked the same question in two
different threads and I only answered what I knew in one of them (Brook
gave you the answer and Jaime patched the code):
https://groups.google.com/d/msg/simplesamlphp/1hdM57fIJug/t8EBuBC4d8UJ

More to the point, here's the documentation that didn't exist back
then, look for "NameIDFormat":
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted

-peter

Jaime Pérez Crespo

Jul 17, 2014, 11:04:19 AM7/17/14
to simple...@googlegroups.com
Hi,

Just a couple of comments apart from what Peter already said.

On 05 Dec 2013, at 10:30 am, Alice Vixie <id81...@gmail.com> wrote:
> Following http://simplesamlphp.org/docs/stable/saml:nameid I added to my 1.11.0 config.php , section 'authproc.idp' => array( :

1.12.0’s been out since March. There’s even a release candidate for 1.13.0. You should update.

> Confused by http://simplesamlphp.org/docs/1.5/simplesamlphp-authproc I've tried to add 'authproc' section to metadata/saml20-idp-hosted.php , but that didn't help either…

No wonder you are confused. You are looking at the documentation for SimpleSAMLphp 1.5, which was released in 2009. I wouldn’t expect documentation almost 5 years old to be relevant for modern versions.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Alice Vixie

Jul 18, 2014, 4:58:28 AM7/18/14
to simple...@googlegroups.com
Sorry for being annoying again, but I still am not getting there...

I am now on 1.12.

Now I can get

<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

but the transient disappeared. I am asked to present both.

My config.php:


                74 => array(
                  'class' => 'saml:AttributeNameID',
                  'attribute' => 'persistent',
                  'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
                ),

                75 => array(
                  'class' => 'saml:AttributeNameID',
                  'attribute' => 'transient',
                  'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
                ),


                // TransientNameID
                76 => array(
                  'class' => 'saml:TransientNameID',
                ),

                // PersistentNameID

                77 => array(
                  'class' => 'saml:PersistentNameID',
                  'attribute' => 'generationalQualifier',
                  'nameId' => TRUE,
                ),
                // Storing persistent NameIDs in a SQL database
                78 => array(
                  'class' => 'saml:SQLPersistentNameID',
                  'attribute' => 'generationalQualifier',
                ),

                // Add the persistent to the eduPersonTargetedID attribute
                79 => array(
                  'class' => 'saml:PersistentNameID2TargetedID',
                  'attribute' => 'generationalQualifier', // The default
                  'nameId' => TRUE, // The default
                ),


In my saml20-idp-hosted.php there is also

        'NameIDFormat' =>
            'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

I think I'd need something like

 'NameIDFormat' => array(
   'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
   'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
  );

but that produces
[Fri Jul 18 10:51:10 2014] [error] [client 195.113.106.149] PHP Parse error:  syntax error, unexpected ';', expecting ')' in /var/simplesamlphp-1.12.0/metadata/saml20-idp-hosted.php on line 80, referer: https://idp.osu.cz/simplesaml/module.php/core/frontpage_federation.php



Any help please ... again ...? 

 

Alice Vixie

Jul 18, 2014, 5:08:00 AM7/18/14
to simple...@googlegroups.com
Oops, actually the error is "The option 'NameIDFormat' is not a valid string value." but it doesn't matter...

Alice Vixie

Jul 18, 2014, 5:59:03 AM7/18/14
to simple...@googlegroups.com
In other words: when there isn't the NameIDFormat, I get only <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> .
When there is NameIDFormat, I get only <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> .
I am asked to have both.

Peter Schober

Jul 18, 2014, 6:30:56 AM7/18/14
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2014-07-18 11:59]:
> I am asked to have *both*.

You can't have more than one NameID in the Subject of the same
assertion. The SAML spec should be clear about this.

You could have one NameID in the assertion's subject (the transient
one) and stick the other NameID (the persistent one) in the
eduPersonTargetedID attribute (which has a NameID as its value
defined).
I doubt that's what "they" want but that's the only way you could
claim correctly to be sending them two NameIDs (one in the assertion's
Subject, the other as an attribute in the attribute statement).
-peter
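To make Peter's point concrete, here is an added Python example (not code from the thread or from SimpleSAMLphp) that builds an unsigned assertion skeleton with the transient NameID in the Subject and the persistent one carried as the NameID-valued eduPersonTargetedID attribute, plus a receiver-side check that rejects a Subject carrying more than one NameID. The entityIDs and identifier values are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
ET.register_namespace("saml", SAML)


def q(tag: str) -> str:
    """Clark-notation name for a saml: element."""
    return f"{{{SAML}}}{tag}"


def build_assertion(idp: str, sp: str, transient_id: str, persistent_id: str) -> str:
    """Constructed, unsigned assertion skeleton: the single NameID the Subject may
    carry is transient; the persistent identifier travels inside the
    eduPersonTargetedID attribute, scoped to this SP via SPNameQualifier."""
    a = ET.Element(q("Assertion"), Version="2.0")
    ET.SubElement(a, q("Issuer")).text = idp
    subject = ET.SubElement(a, q("Subject"))
    ET.SubElement(subject, q("NameID"), Format=TRANSIENT,
                  NameQualifier=idp, SPNameQualifier=sp).text = transient_id
    stmt = ET.SubElement(a, q("AttributeStatement"))
    attr = ET.SubElement(stmt, q("Attribute"), Name=EPTID_OID,
                         NameFormat=URI_FORMAT, FriendlyName="eduPersonTargetedID")
    value = ET.SubElement(attr, q("AttributeValue"))
    ET.SubElement(value, q("NameID"), Format=PERSISTENT,
                  NameQualifier=idp, SPNameQualifier=sp).text = persistent_id
    return ET.tostring(a, encoding="unicode")


def extract_nameids(assertion_xml: str) -> dict:
    """SP-side view: refuse an assertion whose Subject does not carry exactly one
    NameID, then return the subject NameID and the eduPersonTargetedID NameID
    as (Format, SPNameQualifier, value) tuples."""
    root = ET.fromstring(assertion_xml)
    subject_ids = root.findall(f"{q('Subject')}/{q('NameID')}")
    if len(subject_ids) != 1:
        raise ValueError(f"Subject must carry exactly one NameID, found {len(subject_ids)}")
    eptid = None
    for attr in root.iter(q("Attribute")):
        if attr.get("Name") == EPTID_OID:
            nid = attr.find(f"{q('AttributeValue')}/{q('NameID')}")
            if nid is not None:
                eptid = (nid.get("Format"), nid.get("SPNameQualifier"), nid.text)
    sid = subject_ids[0]
    return {"subject": (sid.get("Format"), sid.get("SPNameQualifier"), sid.text),
            "eduPersonTargetedID": eptid}


if __name__ == "__main__":
    xml = build_assertion("https://idp.example.org/idp", "https://sp.example.org/sp",
                          "_a1b2c3", "f0e1d2c3b4a5")
    print(extract_nameids(xml))
```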

Alice Vixie

Jul 18, 2014, 6:44:39 AM7/18/14
to simple...@googlegroups.com, peter....@univie.ac.at
On Friday, 18 July 2014 12:30:56 UTC+2, Peter Schober wrote:
* Alice Vixie <id81...@gmail.com> [2014-07-18 11:59]:
> I am asked to have *both*.

You can't have more than one NameID in the Subject of the same
assertion. The SAML spec should be clear about this.



The Czech EduID Federation administrator insists on both, pointing to their rules:

  1. at least one md:NameIDFormat
    • at least one md:NameIDFormat must be urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    • at least one md:NameIDFormat should be urn:oasis:names:tc:SAML:2.0:nameid-format:persistent; it is strongly advised to support the persistent NameIDFormat

Peter Schober

Jul 18, 2014, 6:50:47 AM7/18/14
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2014-07-18 12:44]:
> > You can't have more than one NameID in the Subject of the same
> > assertion. The SAML spec should be clear about this.
>
> The Czech EduID Federation administrator insists on *both* pointing to their
> rules <https://www.eduid.cz/cs/tech/metadata-profile>:
>
> 1. at least one md:NameIDFormat
> - at least one md:NameIDFormat must be
> urn:oasis:names:tc:SAML:2.0:nameid-format:transient
> - at least one md:NameIDFormat should be
> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, it is strongly
> advised to support persistent NameIDFormat

Ah OK, this is /still/ about making SimpleSAMLphp produce SAML
*metadata* that publicly announces you can produce certain
NameID types.
If you follow the documentation we now have thoroughly pointed you
to, try making the value an array, with both values in it.
-peter

Peter Schober

Jul 18, 2014, 6:57:48 AM7/18/14
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2014-07-18 12:44]:
> The Czech EduID Federation administrator insists on *both* pointing
> to their rules <https://www.eduid.cz/cs/tech/metadata-profile>:

And no, they don't:

> - at least one md:NameIDFormat must be
> urn:oasis:names:tc:SAML:2.0:nameid-format:transient

"must"

> - at least one md:NameIDFormat should be
> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, it is strongly
> advised to support persistent NameIDFormat

"should", that's not insisting you must.

And the reason why they don't insist on having both is not at all
about putting that single line of text into your SAML metadata
(something you seem to be struggling with for over 6 months now?), the
issue is what it takes to support persistent NameIDs *properly* in a
given IDP deployment (so that e.g. should a local
username/userid/netid change you'd still be able to issue the same NameID
to all SPs as before, isolating them from that local change).
That's something outside SAML and outside SSP, which is why it's hard
to mandate it (insist that people implement and announce support for
it).
-peter
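As an added illustration (not code from the thread or from SimpleSAMLphp), a small Python check that reads an IdP's EntityDescriptor and applies the two eduID.cz rules quoted above exactly as Peter reads them: transient is a MUST (an error), persistent only a SHOULD (a warning). The metadata sample, its entityID and endpoint are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def idp_metadata(*formats: str) -> str:
    """Constructed minimal IdP EntityDescriptor announcing the given NameID formats."""
    lines = "".join(f"    <md:NameIDFormat>{f}</md:NameIDFormat>\n" for f in formats)
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\n'
        '    entityID="https://idp.example.org/idp">\n'
        '  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        f"{lines}"
        '    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"\n'
        '        Location="https://idp.example.org/sso"/>\n'
        "  </md:IDPSSODescriptor>\n"
        "</md:EntityDescriptor>\n"
    )


def announced_nameid_formats(metadata_xml: str) -> list:
    """All md:NameIDFormat values found directly under the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    path = f"{{{MD}}}IDPSSODescriptor/{{{MD}}}NameIDFormat"
    return [(e.text or "").strip() for e in root.findall(path)]


def check_eduid_nameid_rules(metadata_xml: str) -> dict:
    """Apply the federation profile rules as quoted in the thread:
    at least one NameIDFormat, transient MUST be present, persistent SHOULD be."""
    formats = announced_nameid_formats(metadata_xml)
    errors, warnings = [], []
    if not formats:
        errors.append("IDPSSODescriptor carries no md:NameIDFormat")
    if TRANSIENT not in formats:
        errors.append("MUST violated: transient NameIDFormat not announced")
    if PERSISTENT not in formats:
        warnings.append("SHOULD not met: persistent NameIDFormat not announced")
    return {"formats": formats, "errors": errors, "warnings": warnings,
            "passes": not errors}


if __name__ == "__main__":
    # The situation from the thread: only persistent announced -> fails the MUST.
    print(check_eduid_nameid_rules(idp_metadata(PERSISTENT)))
    print(check_eduid_nameid_rules(idp_metadata(TRANSIENT, PERSISTENT)))
```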

Peter Schober

Jul 18, 2014, 7:08:16 AM7/18/14
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2014-07-18 10:58]:
> Sorry for annoying again, but I still am not getting there...
>
> I am now on 1.12.
>
> Now I can get
>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:*persistent*</md:NameIDFormat>
>
> but the transient disappeared. I am asked to present both.

Sorry, I wasn't aware this still was about announcing support in
metadata.

As to your config I don't know whether that is all required and
whether it would work, I'll leave that to someone else to comment on.
Except for this:

> In my saml20-idp-hosted.php there is also
>
> 'NameIDFormat' =>
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
>
> I think I'd need something like
>
> 'NameIDFormat' => array(
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
> );
>
> but that produces
> [Fri Jul 18 10:51:10 2014] [error] [client 195.113.106.149] PHP Parse
> error: syntax error, unexpected ';', expecting ')' in
> /var/simplesamlphp-1.12.0/metadata/saml20-idp-hosted.php on line 80,

All of SimpleSAMLphp's config is PHP code, so this is not about
SimpleSAMLphp not supporting something, it's because you've put a
semicolon where a comma should have been (i.e., simply invalid PHP by
ending a statement too early), in the middle of an array.
-peter

Alice Vixie

Jul 18, 2014, 9:29:50 AM7/18/14
to simple...@googlegroups.com, peter....@univie.ac.at
On Friday, 18 July 2014 12:57:48 UTC+2, Peter Schober wrote:
* Alice Vixie <id81...@gmail.com> [2014-07-18 12:44]:
> The Czech EduID Federation administrator insists on *both* pointing
...

"should", that's not insisting you must.


Well, this is not about the rules per se, it is personally about Mr. Jan Tomášek, the guy in charge of eduID, who does... literally:

At first he wrote to me on Nov 25, 2013:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent is very recommended and I always want an explanation why does not support IdP this format
But after I did configure this feature completely (which obviously made nameid-format:transient disappear from the metadata), he responded on Feb 11, 2014:

In order to put you to eduID.cz you have to also add support for urn:oasis:names:tc:SAML:2.0:nameid-format:transient with respect to http://saml2int.org/profile/current

Thus my conclusion is that he wants to see both persistent and transient explicitly in metadata and that's why I am discussing this.


 it's because you've put a 
semicolon where a comma should have been (i.e., simply invalid PHP by 
ending a statement too early), in the middle of an array. 

Yes, I've spotted that a few minutes later, but that didn't help either.


I am not sure... can I actually just add the transient line to the metadata with a text editor, knowing that the IdP actually supports both?

thx

Alice Vixie

Jul 18, 2014, 9:32:41 AM7/18/14
to simple...@googlegroups.com, peter....@univie.ac.at
errata:


urn:oasis:names:tc:SAML:2.0:nameid-format:persistent is very recommended and I always want an explanation why IdP does not support this format

Peter Schober

Jul 18, 2014, 9:49:07 AM7/18/14
to simple...@googlegroups.com
* Alice Vixie <id81...@gmail.com> [2014-07-18 15:29]:
> Well, this is not about the *rules* per se, it is personally about
> Mr. *Jan Tomášek*, the guy in charge of eduID, who does... literally:

If there's a federation managing your SAML metadata on your behalf all
of this (how to make SimpleSAMLphp add something to the auto-generated
SAML metadata) is really irrelevant. Just add whatever you want to
the SAML metadata in a text editor and send it to eduID.cz via
whatever method they support.
eduID.cz will then have the authoritative copy of your IDP metadata and
whenever someone asks you for your metadata, point them to eduID.cz.
-peter

Jaime Pérez Crespo

Jul 18, 2014, 11:00:01 AM7/18/14
to simple...@googlegroups.com
Hi Alice,

On 18 Jul 2014, at 15:29 pm, Alice Vixie <id81...@gmail.com> wrote:
> Well, this is not about the rules per se, it is personally about Mr. Jan Tomášek, the guy in charge of eduID, who does... literally:
>
> At first he wrote to me on Nov 25, 2013:
>
>> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent is very recommended and I always want an explanation why does not support IdP this format

That doesn’t mean it’s mandatory. It is not, according to the standard and the rules for eduID. The only thing he’s saying is that persistent name identifiers are a good thing to have, and therefore they are pushing IdPs to provide them. But that doesn’t mean you *have to*; you could perfectly well argue a reason why it’s not possible for you to provide persistent name IDs.

> But, after I did configure completely this feature (which obviously made nameid-format:transient disappear the metadata) he responded on Feb 11, 2014:

SimpleSAMLphp does not currently support specifying more than one name ID format. You can submit an issue to the issue tracker (1) to ask for this feature, as it should be fairly simple.

>> In order to put you to eduID.cz you have to also add support for urn:oasis:names:tc:SAML:2.0:nameid-format:transient with respect to http://saml2int.org/profile/current
>
> Thus my conclusion is that he wants to see both persistent and transient explicitly in metadata and that's why I am discussing this.

Not really. They ask for transient format as a must, and persistent format as a should, which is not the same as “must”. A very good reason for you to tell that you do not support persistent name identifiers is that the software you are using does not (currently) allow you to specify support for both.

> I am not sure... can I afford actually just add the transient line to metadata with a text editor, knowing that the IdP actually supports both?

The IdP will support it, if you configure it to support it (2). Remember that you don’t need to configure all the filters in there, just the ones you want. Therefore, if you want to add the line manually to get rid of the problem, you can, of course. However, you would be unable to sign the metadata then (unless you do sign it manually).

Honestly, I’d be quite surprised that they are strict with this requirement, as that would mean that no identity providers in the Czech federation would be able to use SimpleSAMLphp (as of now).

Have a nice weekend,

(1) https://github.com/simplesamlphp/simplesamlphp/issues
(2) https://simplesamlphp.org/docs/stable/saml:nameid