NameID is transient instead of persistent


Beth Miller

Jun 20, 2024, 6:01:29 PM
to SimpleSAMLphp
We recently upgraded from version 1.18 to 2.2.2 and users are reporting that they can no longer SSO from my site to our partner site. After running a trace, I can see the NameID which originally passed in the employeeID is now returning a random string.

The working assertion is:

<saml:Subject>
<saml:NameID SPNameQualifier="https://ourpartner.com/sso/auth.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">123456</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-06-20T09:55:37Z" Recipient="https://ourpartner.com/sso/auth.php" />
</saml:SubjectConfirmation>
</saml:Subject>


Now we are seeing the following:

<saml:Subject>
<saml:NameID SPNameQualifier="https://ourpartner.com/sso/auth.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" >_bcd2b9f452e891fd188f0f7590cd8a965fb560305a</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotBefore="2024-06-20T09:52:41Z" NotOnOrAfter="2024-06-20T09:57:41Z" Recipient="https://ourpartner.com/sso/auth.php" />
</saml:SubjectConfirmation>
</saml:Subject>


The configuration in saml20-sp-remote.php is:

$metadata['https://ourpartner.com/sso/auth.php'] = array (
  'entityid' => 'https://ourpartner.com/sso/auth.php',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'index' => 0,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://ourpartner.com/sso/auth.php',
    ),
  ),
  'attributes' => array(
       'firstname',
       'surname',
       'employeeid',
       'emailaddress',
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  'simplesaml.nameidattribute' => 'employeeid',
  'certificate' => 'ourcert.crt',
);


I tried adding the following authproc but to no avail.

  'authproc' => array(
      1 => array(
          'class' => 'saml:PersistentNameID',
          'attribute' => 'employeeid',
      ),
      2 => array(
          'class' => 'saml:AttributeNameID',
          'attribute' => 'employeeid',
          'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      ),
  ),


Any idea why the NameID is showing as transient and not persistent?

Thanks.

Seth Linn

Jul 1, 2024, 8:06:24 AM
to SimpleSAMLphp
Hello Beth,

Did you ever figure this out? I also see this in my log file

NOTICE [f47454bd97] Requested NameID of format 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', but can only provide transient
INFO [f47454bd97] Setting NameID to ('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', '_13dfcb4fa414bb09510f3e66571126cf7ac01b76c2', 'https://auth.libis.be/realms/LIBIS')

Peter Schober

Jul 1, 2024, 8:25:59 AM
to simple...@googlegroups.com
Beth Miller <beth.mill...@gmail.com> [2024-06-21 00:01 CEST]:
> I tried adding the following authproc but to no avail.
>
> 'authproc' => array(
> 1 => array(
> 'class' => 'saml:PersistentNameID',
> 'attribute' => 'employeeid',
> ),
> 2 => array(
> 'class' => 'saml:AttributeNameID',
> 'attribute' => 'employeeid',
> 'Format' =>
> 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
> ),
> ),

The above does not look like the examples from the documentation:
https://simplesamlphp.org/docs/stable/saml/nameid.html
There both saml:AttributeNameID and saml:PersistentNameID are
documented to use a parameter called 'identifyingAttribute' which you
don't have above. So try that instead of the 'attribute' parameter.

Also, saml:PersistentNameID is documented to "hash [the value] with
the secretsalt from config.php" so that will never give you the result
needed for your use-case (even if your use-case is probably in
violation of the SAML specification in this regard[1]).
I.e., don't use saml:PersistentNameID for this, only use
saml:AttributeNameID.

-peter

[1] Persistent name identifiers generated by identity providers MUST
be constructed using values that have no discernible correspondence
with the subject's actual identity (for example, username).
[...]
The intent is to create a non-public, pair-wise pseudonym to prevent
the discovery of the subject's identity or activities.

Beth Miller

Jul 2, 2024, 7:42:31 AM
to SimpleSAMLphp
Hi Peter,

You are correct. The following worked replacing the authproc in my original message.

  'authproc' => array(
      20 => array(
          'class' => 'saml:AttributeNameID',
          'identifyingAttribute' => 'employeeid',
          'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      ),
  ),


Beth

Beth Miller

Jul 2, 2024, 7:42:34 AM
to SimpleSAMLphp
Hi Seth,

Yes, I got it working. Here is my saml20-sp-remote.php with the authproc highlighted.

$metadata['https://ourpartner.com/sso/auth.php'] = array (
  'entityid' => 'https://ourpartner.com/sso/auth.php',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'index' => 0,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://ourpartner.com/sso/auth.php',
    ),
  ),
  'authproc' => array(
      20 => array(
          'class' => 'saml:AttributeNameID',
          'identifyingAttribute' => 'employeeid',
          'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      ),
  ),

  'attributes' => array(
       'firstname',
       'surname',
       'employeeid',
       'emailaddress',
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  'certificate' => 'ourcert.crt',
);

Hope this helps.

Beth
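An added example, not from this thread or from SimpleSAMLphp itself: a small Python check that reads the NameID out of a captured <saml:Subject> (the two fragments from the first message, reconstructed inline) and flags the persistent-to-transient fallback Beth saw, plus a hypothetical salted pair-wise hash that shows why saml:PersistentNameID can never hand the partner the raw employeeid.

```python
"""Check which NameID an IdP actually issued (added example, not SimpleSAMLphp code)."""
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed samples, modelled on the two <saml:Subject> fragments in the thread.
WORKING_SUBJECT = f"""<saml:Subject xmlns:saml="{SAML_NS}">
<saml:NameID SPNameQualifier="https://ourpartner.com/sso/auth.php" Format="{PERSISTENT}">123456</saml:NameID>
</saml:Subject>"""
BROKEN_SUBJECT = f"""<saml:Subject xmlns:saml="{SAML_NS}">
<saml:NameID SPNameQualifier="https://ourpartner.com/sso/auth.php" Format="{TRANSIENT}" >_bcd2b9f452e891fd188f0f7590cd8a965fb560305a</saml:NameID>
</saml:Subject>"""


def name_id(subject_xml):
    """Return (Format, value) of the NameID inside a <saml:Subject> fragment."""
    root = ET.fromstring(subject_xml)
    nid = root.find(f"{{{SAML_NS}}}NameID")
    if nid is None:
        raise ValueError("no saml:NameID in Subject")
    return nid.get("Format"), (nid.text or "").strip()


def check_name_id(subject_xml, expected_format, expected_value=None):
    """Flag the symptom from the thread: the IdP fell back to a transient NameID
    although the SP metadata asked for a persistent one. Optionally also verify
    that the value is the identifier the partner expects (here the employeeid)."""
    fmt, value = name_id(subject_xml)
    if fmt != expected_format:
        short = lambda f: f.rsplit(":", 1)[1]  # 'persistent' / 'transient'
        return f"MISMATCH: requested {short(expected_format)} but got {short(fmt)} ({value})"
    if expected_value is not None and value != expected_value:
        return f"MISMATCH: NameID value {value!r} != expected {expected_value!r}"
    return "OK"


def salted_pairwise_pseudonym(secret_salt, idp_entity_id, sp_entity_id, uid):
    """Hypothetical construction (not SimpleSAMLphp's exact algorithm) of what a
    spec-conformant persistent NameID looks like: a salted hash that is different
    per SP and cannot be reversed to the underlying employeeid."""
    material = f"{secret_salt}|{idp_entity_id}|{sp_entity_id}|{uid}".encode()
    return hashlib.sha256(material).hexdigest()
```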

Seth Linn

Jul 5, 2024, 8:57:28 AM
to SimpleSAMLphp
Hey Beth, this worked great! Big thanks!