simpleSAMLphp IdP + eduPersonTargetedID attribute + Shibboleth SP = fail


Marco Malavolti

Dec 29, 2013, 10:24:08 AM12/29/13
to simple...@googlegroups.com

Hi to all,

In the past few days I've started learning simpleSAMLphp, and on my first SSP IdP installation (configured with the ldap:LDAP authsource) I encountered this problem.

I tested the attribute release of my new SSP IdP with a Shibboleth SP, and only eduPersonTargetedID is not recognized:

Shib SP Log:

2013-12-29 14:50:02 DEBUG Shibboleth.AttributeDecoder.NameID [4]: decoding NameIDAttribute (persistent-id) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) with 1 value(s)

2013-12-29 14:50:02 WARN Shibboleth.AttributeDecoder.NameID [4]: AttributeValue was not of a supported type and contains no child elements

2013-12-29 14:50:02 INFO Shibboleth.AttributeExtractor.XML [4]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.10

SSP IdP Log:

Dec 29 14:50:02 simplesamlphp DEBUG [3f05438bbf]       <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

Dec 29 14:50:02 simplesamlphp DEBUG [3f05438bbf]         <saml:AttributeValue xsi:type="xs:string">&lt;saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameQualifier="https://sspidp.example.it/simplesaml/saml2/idp/metadata.php" SPNameQualifier="https://shibsp.exampleit/shibboleth" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&gt;e1a94be90cbbd71a5419d4805772ea1395eaf39d&lt;/saml:NameID&gt;</saml:AttributeValue>

Dec 29 14:50:02 simplesamlphp DEBUG [3f05438bbf]       </saml:Attribute>


SSP IdP authproc.idp on config.php:

   'authproc.idp' => array(
      /* Enable the authproc filter below to automatically generate eduPersonTargetedID. */
      20 => array(
            'class' => 'core:TargetedID',
            'nameId' => TRUE,
        ),
      // Adopts language from attribute to use in UI
      30 => 'core:LanguageAdaptor',
      /* When called without parameters, it will fallback to filter attributes ‹the old way›
       * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote.
       */
      50 => 'core:AttributeLimit',
      /*
       * Consent module is enabled (with no permanent storage, using cookies).
       */
      90 => array(
         'class'  => 'consent:Consent',
         'store'  => 'consent:Cookie',
         'focus'  => 'yes',
         'checked'   => FALSE
      ),
      // If language is set in Consent module it will be added as an attribute.
      99 => 'core:LanguageAdaptor',
      // Convert LDAP names to oids.
      100 => array('class' => 'core:AttributeMap', 'name2oid'),
   ),

   'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',

   'attributeencodings' => array(
                   'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw',
   ),


What's wrong?

Is it possible that this AttributeValue, produced by my SSP IdP, is wrong because its content is not well formed for the Shibboleth SP?

(I have changed all the VM's fqdns for a better comprehension)


<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">
    &lt;saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameQualifier="https://sspidp.example.it/simplesaml/saml2/idp/metadata.php"
      SPNameQualifier="https://shibsp.example.it/shibboleth"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&gt;e1a94be90cbbd71a5419d4805772ea1395eaf39d&lt;/saml:NameID&gt;
  </saml:AttributeValue>
</saml:Attribute>


A correctly recognized eduPersonTargetedID on a Shibboleth SP:

<saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://shibidp.example.it/idp/shibboleth"
      SPNameQualifier="https://shibsp.example.it/shibboleth">3f037971-43ea-4676-a73d-85896ca742a5</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>


Can somebody help me, please? I have read the simpleSAMLphp documentation and other similar questions on the web multiple times, but I have not found the solution to my problem.

All your help will be appreciated. Thank you so much!


Best Regards and Happy New Year!

Marco

Peter Schober

Jan 2, 2014, 7:52:28 AM1/2/14
to simple...@googlegroups.com
* Marco Malavolti <marco.m...@gmail.com> [2014-01-01 19:39]:
> Dec 29 14:50:02 simplesamlphp DEBUG [3f05438bbf] <saml:Attribute
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>
> Dec 29 14:50:02 simplesamlphp DEBUG [3f05438bbf]
> <saml:AttributeValue xsi:type="xs:string">&lt;saml:NameID
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> NameQualifier="https://sspidp.example.it/simplesaml/saml2/idp/metadata.php"
> SPNameQualifier="https://shibsp.exampleit/shibboleth"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&gt;e1a94be90cbbd71a5419d4805772ea1395eaf39d&lt;/saml:NameID&gt;</saml:AttributeValue>

I haven't seen that error in a while (maybe check the archives) but
obviously the NameFormat is wrong: The value of that attribute is an
XML element, not a string as above. You can see the entity references
("&lt;") instead of "<saml:NameID ...".
-peter
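As an added example (not code from this thread, from simpleSAMLphp or from Shibboleth), the Python below reproduces the diagnosis above: it parses an eduPersonTargetedID attribute and reports whether the AttributeValue carries a real saml:NameID child element or only the same markup escaped into an xs:string, and it shows how the correct encoding is built. The entity IDs and opaque values are constructed placeholders.

```python
"""Classify a SAML 2.0 eduPersonTargetedID attribute the way a Shibboleth SP's
NameID attribute decoder does: the <saml:AttributeValue> must carry a real
<saml:NameID> child element, not the same markup escaped into an xs:string."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample of the broken encoding from the thread: the NameID was
# serialized into the string value, so the SP sees text, not a child element.
BROKEN = (f'<saml:Attribute xmlns:saml="{SAML2}" xmlns:xsi="{XSI}" Name="{EPTID}" '
          f'NameFormat="{URI_FMT}"><saml:AttributeValue xsi:type="xs:string">'
          f'&lt;saml:NameID xmlns:saml="{SAML2}" Format="{PERSISTENT}"&gt;opaque-id-1'
          f'&lt;/saml:NameID&gt;</saml:AttributeValue></saml:Attribute>')

def build_targeted_id(idp_entity_id, sp_entity_id, opaque_value):
    """Emit the correct encoding: AttributeValue -> NameID element (persistent format)."""
    ET.register_namespace("saml", SAML2)
    attr = ET.Element(f"{{{SAML2}}}Attribute", Name=EPTID, NameFormat=URI_FMT)
    value = ET.SubElement(attr, f"{{{SAML2}}}AttributeValue")
    name_id = ET.SubElement(value, f"{{{SAML2}}}NameID", Format=PERSISTENT,
                            NameQualifier=idp_entity_id, SPNameQualifier=sp_entity_id)
    name_id.text = opaque_value
    return ET.tostring(attr, encoding="unicode")

def check_targeted_id(attribute_xml):
    """Return (ok, detail). ok is True only when every AttributeValue holds a
    persistent-format <saml:NameID> element with a non-empty value."""
    attr = ET.fromstring(attribute_xml)
    if attr.get("Name") != EPTID:
        return False, f"not eduPersonTargetedID: {attr.get('Name')}"
    ids = []
    for value in attr.findall(f"{{{SAML2}}}AttributeValue"):
        name_id = value.find(f"{{{SAML2}}}NameID")
        if name_id is None:
            # Same condition as the SP warning "AttributeValue was not of a
            # supported type and contains no child elements".
            text = (value.text or "").strip()
            if text.startswith("<saml:NameID"):
                return False, "NameID escaped into an xs:string; must be a child element"
            return False, "no NameID child element"
        if name_id.get("Format") != PERSISTENT or not (name_id.text or "").strip():
            return False, "NameID present but wrong Format or empty value"
        ids.append(name_id.text.strip())
    return bool(ids), ids
```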

Marco Malavolti

Jan 2, 2014, 9:55:42 AM1/2/14
to simple...@googlegroups.com
I have followed the example of authproc for releasing the eduPersonTargetedID attribute for Internet2 in this documentation:


Is there a problem in the simpleSAMLphp code?

What can I do to release a correct eduPersonTargetedID value?

Thank you so much!

Cheers,
Marco



2014/1/2 Peter Schober <peter....@univie.ac.at>




--
Ciao Ciao,

MaLa

Marco Malavolti

Jan 3, 2014, 6:08:00 AM1/3/14
to simple...@googlegroups.com
Hi to all,

the solution to this problem was found in the simpleSAMLphp list's archive and it is:

[Cit. Olav Morken]
   The NameID cannot currently be shown in the consent page, as it is 
   an XML-attribute. The simplest solution is to move the core:TargetedID 
   filter to run after consent.

So, my SSP IdP authproc.idp in config.php (or in saml20-idp-hosted.php & shib13-idp-hosted.php) has been changed to:

   'authproc.idp' => array(
      /* Enable the authproc filter below to automatically generate eduPersonTargetedID.
         This feature MUST have a higher priority than the consent module */
      95 => array(
            'class' => 'core:TargetedID',
            'nameId' => TRUE,
        ),
   ),


And now the eduPersonTargetedID (alias: persistent-id) is released correctly!

I hope this thread will be useful for other guys.

Best Regards,
Marco


Peter Schober

Jan 3, 2014, 1:38:54 PM1/3/14
to simple...@googlegroups.com
* Marco Malavolti <marco.m...@gmail.com> [2014-01-03 12:08]:
> the solution to this problem was found in the simpleSAMLphp list's archive and it is:
>
> [Cit. Olav Morken]
> The NameID cannot currently be shown in the consent page, as it is
> an XML-attribute. The simplest solution is to move the core:TargetedID
> filter to run after consent.

I don't see what this has to do with the problem you asked about,
which (1) had nothing to do with consent and (b) clearly had the wrong
NameFormat in the logged assertion. Anyway, glad you got it to work.
-peter