can't change saml:NameID

524 views

Jason Haar

Dec 11, 2012, 5:12:46 PM
to simple...@googlegroups.com
Hi there

I'm trying to use SSP as an IdP with box.net as a SP and they require the email address to be in the Subject field, i.e. saml:NameID. By default SSP only has a saml:TransientNameID in there.

I have tried adding the following to the metadata entry in saml20-sp-remote.php

  'simplesaml.nameidattribute' => 'mail',
  'authproc' => array(
    1 => array(
      'class' => 'saml:TransientNameID',
    ),
    2 => array(
      'class' => 'saml:AttributeNameID',
      'attribute' => 'mail',
      'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ),
  ),

...but the "SAML tracer" extension in Firefox shows that doesn't change anything: only the TransientNameID is sent. I also used core:AttributeMap to remap a different attribute name and that worked fine, so my "authproc foo" is basically working, but it doesn't seem to work for NameID?

If it matters, this is SSP-1.10.0 with a home-grown auth login based on modules/exampleauth - but I don't think anything in there fiddles with such SAML fundamentals?

Thanks

Jason

Ian Webb

Dec 11, 2012, 5:57:37 PM
to simple...@googlegroups.com
Hi Jason,

This is configured in saml20-idp-hosted.php. Add the following to your
IDP metadata:

'userid.attribute' => 'emailaddress',

Cheers,
Ian

Jason Haar

Dec 11, 2012, 6:22:38 PM
to simple...@googlegroups.com
Almost, that now declares the NameID is the email address, but it still sends the random string.

i.e. here's what FF "SAML tracer" shows is sent to box.net

<saml:Subject>
            <saml:NameID SPNameQualifier="box.net"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
                         >072ca4bdb03028884f7497a18d3c67bc3a6608a5</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2012-12-11T23:20:57Z"
                                              Recipient="https://sso.services.box.net/sp/ACS.saml2"
                                              InResponseTo="qZPktNNywVsZY5YAp8.iJ1ajWYq"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>

Thanks!

Jason

Ian Webb

Dec 11, 2012, 9:14:42 PM
to simple...@googlegroups.com
Hmm, that's odd. I actually have box.net as an SP as well, and I was
assuming that my setup would work for you too, but on looking closely
at the actual SAML response sent to box.net by my IdP, I'm still
sending the transient format tag and it works fine. (It is a big long
random string too, not the email address.) Now I'm wondering why my IdP
is ignoring the nameid = email directive in my saml20-idp-hosted.php...

<saml:Subject>
<saml:NameID SPNameQualifier="box.net"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">*****</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="*****"
Recipient="https://sso.services.box.net/sp/ACS.saml2"
InResponseTo="*****"/>
</saml:SubjectConfirmation>
</saml:Subject>

Later in the response I send the following and they key off that:
<saml:Attribute Name="mail"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">*****</saml:AttributeValue>
</saml:Attribute>

As for the actual question, I look forward to hearing the definitive
answer from one of the list's resident experts; in the meantime, Box
should be able to configure your account to read the email address out
of an attribute instead of the NameID, since they're doing that with
my account..

Cheers,
Ian

Peter Schober

Dec 12, 2012, 4:35:20 AM
to simple...@googlegroups.com
* Jason Haar <jason...@gmail.com> [2012-12-11 23:12]:
> I have tried adding the following to the metadata entry in
> saml20-sp-remote.php
>
> 'simplesaml.nameidattribute' => 'mail',
> 'authproc' => array(
> 1 => array(
> 'class' => 'saml:TransientNameID',
> ),
> 2 => array(
> 'class' => 'saml:AttributeNameID',
> 'attribute' => 'mail',
> 'Format' =>
> 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
> ),
> );

Since that is specific to this SAML SP (as you put it in
saml20-sp-remote.php) why do you include saml:TransientNameID there as
well? I know the documentation also has it this way (with 3 NameIDs)
but I don't know offhand how these are picked/selected. So looking
into this filtering process might also be a hint.
-peter

Peter Schober

Dec 12, 2012, 4:37:07 AM
to simple...@googlegroups.com
* Jason Haar <jason...@gmail.com> [2012-12-12 00:22]:
> Almost, that now declares the nameid is the email address - but it still
> sends the random string
>
> i.e. here's what FF "SAML tracer" shows is sent to box.net
>
> <saml:Subject>
> <saml:NameID SPNameQualifier="box.net"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"

Note that this still sends the invalid (i.e., non-existent) NameID
format string, cf. a very recent thread on this list, so I doubt the
SP would even recognize this NameID.
-peter
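The point Peter makes above is easy to miss when reading a SAML tracer dump by eye: "urn:oasis:names:tc:SAML:2.0:nameid-format:email" is not a registered NameID Format (the e-mail format is the SAML 1.1 identifier, which SAML 2.0 reuses), and the value is still the transient random string. The following script is an added example, not simpleSAMLphp code, that parses the Subject of a captured Response and reports both problems. The set of known formats is taken from the SAML 1.1 and SAML 2.0 core specifications; the two sample Subjects are constructed from the trace posted in this thread, with "user@example.org" standing in for a real address.

```python
"""Check the saml:NameID an IdP actually sends against what the SP expects.

Added example (not part of simpleSAMLphp): parse the Subject of a SAML 2.0
Response, as captured with the Firefox SAML tracer add-on, and report why
an SP that wants an e-mail address in the NameID might reject it.
"""
import re
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# NameID Format identifiers defined by SAML 1.1 and SAML 2.0 core.
# There is no "...:SAML:2.0:nameid-format:email"; SAML 2.0 reuses the
# SAML 1.1 emailAddress identifier.
KNOWN_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Deliberately loose: the point is to tell an address from a random token.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(response_xml: str, expected_format: str,
                 expected_value: Optional[str] = None) -> List[str]:
    """Return a list of finding codes; an empty list means the NameID is
    what the SP asked for.

    - unregistered-format: Format attribute is not a SAML-defined identifier
    - format-mismatch:     Format differs from what the SP expects
    - value-not-email:     SP expects an e-mail address but the value is not one
    - value-mismatch:      value differs from the expected attribute value
    """
    root = ET.fromstring(response_xml)
    nameid = root.find(f".//{{{SAML_NS}}}NameID")
    if nameid is None:
        return ["missing-nameid"]

    # Per SAML 2.0 core, an absent Format means "unspecified".
    fmt = nameid.get("Format", UNSPECIFIED_FORMAT)
    value = (nameid.text or "").strip()

    findings = []
    if fmt not in KNOWN_NAMEID_FORMATS:
        findings.append("unregistered-format")
    if fmt != expected_format:
        findings.append("format-mismatch")
    if expected_format == EMAIL_FORMAT and not EMAIL_RE.match(value):
        findings.append("value-not-email")
    if expected_value is not None and value != expected_value:
        findings.append("value-mismatch")
    return findings


# Constructed sample, modelled on the Subject captured in the thread: the
# declared Format is the non-existent "2.0:nameid-format:email" and the
# value is still the transient random identifier.
BROKEN_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID SPNameQualifier="box.net"
               Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
               >072ca4bdb03028884f7497a18d3c67bc3a6608a5</saml:NameID>
</saml:Subject>"""

# Constructed sample of what the SP asked for: the SAML 1.1 emailAddress
# format with the user's mail attribute as the value.
FIXED_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID SPNameQualifier="box.net"
               Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
               >user@example.org</saml:NameID>
</saml:Subject>"""


if __name__ == "__main__":
    for label, xml in (("captured", BROKEN_SUBJECT), ("corrected", FIXED_SUBJECT)):
        print(label, check_nameid(xml, EMAIL_FORMAT) or "ok")
```

Paste the Subject element from a tracer dump into the script (or feed it the whole Response; the search is namespace-qualified and descends from the root) and run it with the Format the SP's metadata advertises. Against the trace in this thread it reports all three problems; against a Subject carrying the SAML 1.1 emailAddress format and an address it reports nothing.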

Peter Schober

Dec 12, 2012, 4:38:39 AM
to simple...@googlegroups.com
* Peter Schober <peter....@univie.ac.at> [2012-12-12 10:37]:
Which is weird, btw, as your config posted previously explicitly set
the NameID format to the correct (SAML1.1-defined) value. So what is
generated above cannot come from your previous config, I would think,
-peter

Jason Haar

Dec 12, 2012, 9:39:05 PM
to simple...@googlegroups.com
Thanks to Ian's help, we have figured out the problem was at box.net's end. Now they have fixed that and we can log in just fine.

Their metadata requirements are tiny - both Ian and ourselves are using the following within saml20-sp-remote.php so that SSP as an IdP can successfully be used against box.net as a SP (whew! there's a mouthful ;-)

$metadata['box.net'] = array(
  'AssertionConsumerService' => 'https://sso.services.box.net/sp/ACS.saml2',
  'SingleLogoutService' => 'https://sso.services.box.net/sp/SLO.saml2',
  'name' => 'Box',
);

Thanks again Ian!

Jason