Tenable SimpleSAMLphp not recognizing attribute, NameID transient


F Lengyel

Jan 12, 2022, 4:58:51 PM
to SimpleSAMLphp

I'm working with a group that has upgraded from Tenable version 5.19.1 to Tenable 5.20.
The Tenable SAML SP requests a NameID format of transient and ignores the attribute we set in the GUI configuration for the Tenable SAML SP.

I have configured the IdP to send

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

provided that the SP requests this in the AuthnRequest; however, the SP
only requests a NameID format of

urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Moreover, the Tenable SP uses the value of the transient NameID to identify users, instead of the attribute we configured and that the IDP sends. 

The prior version of the software accepted the Username Attribute that we set in the SAML configuration GUI.

The question is how to get Tenable's SimpleSAMLphp SP to either recognize the Username Attribute that we set in the GUI, or else request an emailAddress NameID format.

We attempted to modify
/sc/support/SimpleSAMLphp/etc/config/authsources-custom.php
with

    'NameIDPolicy' => [
        'Format'      => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'AllowCreate' => true,
    ],

but this caused an error.

Thanks.


pra...@gmail.com

Jan 12, 2022, 11:47:08 PM
to SimpleSAMLphp
I think you will have to reach out to Tenable's support to ask them how to change what Tenable is requesting.

If you are using SimpleSAMLphp as your IdP then you can force which NameID to use. I think (per https://simplesamlphp.org/docs/development/simplesamlphp-reference-sp-remote) you would edit the SP metadata for Tenable to specify the NameIDFormat and follow the suggested tips about setting a NameID (https://simplesamlphp.org/docs/development/saml:nameid).

- Patrick
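Editor's note: the following is an added example of the IdP-side configuration Patrick describes; it is not from this thread, from Tenable, or from the SimpleSAMLphp project's own files. It assumes SimpleSAMLphp 1.x acting as the IdP, and uses a placeholder entityID, placeholder endpoint URLs and a user attribute named 'mail'; all of those are assumptions to replace with your own values.

```php
<?php
// metadata/saml20-sp-remote.php entry for the Tenable SP (added example).
// Everything below the comments is an assumption: the entityID, the ACS/SLO
// URLs and the attribute name 'mail' are placeholders, not Tenable's values.
$metadata['https://tenable.example.org/saml/metadata'] = [
    'AssertionConsumerService' => 'https://tenable.example.org/saml/acs',
    'SingleLogoutService'      => 'https://tenable.example.org/saml/slo',

    // NameID format the IdP issues for this SP. This is the per-SP setting the
    // saml20-sp-remote reference documents; the IdP falls back to it when it
    // has no NameID in the format the SP asked for in its AuthnRequest.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

    // Release only what the SP needs. The NameID itself is built from 'mail'
    // by the authproc filter below, so the SP gets a stable, meaningful value
    // instead of a random transient identifier.
    'attributes' => ['mail', 'uid'],

    'authproc' => [
        // Derive the NameID from an attribute (saml:AttributeNameID filter).
        // 'attribute' is the 1.x option name; SimpleSAMLphp 2.x renamed it to
        // 'identifyingAttribute'. The priority value 50 is arbitrary.
        50 => [
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'mail',
            'Format'    => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
    ],
];
```

To confirm it took effect, capture the IdP's Response (for example with a browser SAML-tracer extension) and check that the <NameID> element carries Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" and the expected mail value. If the SP still insists on transient in its NameIDPolicy and the IdP honours that request, the Response will show the transient format instead, which is the case where the SP vendor, not the IdP, has to be changed.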

F Lengyel

Jan 13, 2022, 12:35:34 AM
to simple...@googlegroups.com
Thanks for your reply. We're using Shibboleth IdP version 4.0.1. The Tenable SP sends AuthnRequests to Shibboleth requesting the transient NameID format. That would be OK if the Tenable SP recognized the username attribute we send, which it receives but doesn't use, despite our configuration in the GUI. We're interested in getting the SP to recognize the attributes we send, or in configuring it to request another NameID format, assuming that's what it can work with (in stark contrast to the preceding versions, which required no intervention).

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simplesamlphp/867f9ec0-5958-49d0-b9bb-99ca8e696dfbn%40googlegroups.com.
--
F Lengyel