Decrypting NameID


andy kisaragi

Jan 15, 2018, 12:34:20 PM
to SimpleSAMLphp
Hi all

Hoping to get a point in the right direction....

I'm setting up simpleSAMLphp as an SP, and have it working using the testshib idp service at https://www.testshib.org/

I'm having issues with the real idp though, and I'm not sure whether it's down to my configuration. The eduPersonTargetedID returned by the idp contains a nameID object, and I can't figure out how to get the actual value out of it. 

The nameID object looks like this:

SAML2\XML\saml\NameID Object ( 
  [nodeName:protected] => saml:NameID 
  [Format] => urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 
  [SPProvidedID] => 
  [value] => dxSCYAcgSKRvCCv2w1RubZEOpe0= 
  [SPNameQualifier] => https://xxxxxx.com/shibboleth 
  [element] => DOMElement Object ( [schemaTypeInfo] => ) 
)

After successfully authenticating, and getting the attributes with getAttributes(), do I need to do something to decrypt the value in eduPersonTargetedID, or should this have happened automatically, indicating that I have a configuration issue? Or, have I completely misunderstood what this NameID object even is??

Is the fact that 'element' appears to be an empty DOMElement object an issue?

Thanks in advance!

Andy x




Peter Schober

Jan 15, 2018, 1:49:25 PM
to SimpleSAMLphp
* andy kisaragi <andy...@gmail.com> [2018-01-15 18:34]:
> I'm having issues with the real idp though, and I'm not sure whether
> it's down to my configuration. The eduPersonTargetedID returned by
> the idp contains a nameID object, and I can't figure out how to get
> the actual value out of it.

What you see there is the actual value. It's not encrypted.

Note that it's only guaranteed to be unique if the qualifiers are also
taken into account (both, but at least the NameQualifier), not merely
the string value.

> After successfully authenticating, and getting the attributes with
> getAttributes();, do I need to do something to decrypt the value in
> eduPersonTargetedID, or should this have happened automatically,
> indicating that I have a configuration issue? Or, have I completely
> misunderstood what this NameID object even is??

The latter, at least for the "persistent" NameID Format.

A quick look at the spec should clear this up, I think, section 8.3.7
Persistent Identifier, p.86 in this PDF:
https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf

-peter
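The point Peter makes above (the opaque string alone is not the identifier; it is only unique together with its qualifiers, and for a persistent NameID the NameQualifier can even be omitted when it is derivable from the assertion's Issuer, per SAML core 8.3.7) is easy to get wrong in SP code that just stores `value`. The following is an added example, not code from the thread or from SimpleSAMLphp: it parses a constructed, unsigned, unencrypted assertion carrying eduPersonTargetedID as a NameID and builds the scoped key `NameQualifier!SPNameQualifier!value` that a relying party should store. The entity IDs and the assertion itself are made up; the opaque value is the one from the original post.

```python
"""Turn a SAML 2.0 persistent NameID (eduPersonTargetedID) into a key safe to store."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

# Constructed sample assertion (no Signature, no EncryptedAttribute): the attribute
# value is a NameID element shaped like the object in the post. Entity IDs are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2018-01-15T18:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                     NameQualifier="https://idp.example.edu/idp/shibboleth"
                     SPNameQualifier="https://sp.example.com/shibboleth">dxSCYAcgSKRvCCv2w1RubZEOpe0=</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_targeted_id(assertion_xml: str) -> dict:
    """Pull the eduPersonTargetedID NameID out of an already-decrypted assertion.

    Returns the pieces that together identify the subject (Format, NameQualifier,
    SPNameQualifier, value) plus the assertion Issuer, which is the fallback
    qualifier the spec allows when NameQualifier is omitted.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EPTID_OID:
            continue
        name_id = attr.find("saml:AttributeValue/saml:NameID", NS)
        if name_id is None:
            raise ValueError("eduPersonTargetedID present but its value is not a NameID")
        return {
            "format": name_id.get("Format"),
            "name_qualifier": name_id.get("NameQualifier"),
            "sp_name_qualifier": name_id.get("SPNameQualifier"),
            "value": (name_id.text or "").strip(),
            "issuer": issuer,
        }
    raise ValueError("no eduPersonTargetedID attribute in assertion")


def scoped_targeted_id(name_id: dict, our_entity_id: str) -> str:
    """Build the key an SP should store: NameQualifier!SPNameQualifier!value.

    The opaque value on its own is not unique across IdPs; only the qualified
    triple is. Transient identifiers are refused because they must not be stored.
    """
    if name_id["format"] != PERSISTENT:
        raise ValueError(f"refusing to persist a NameID of format {name_id['format']}")
    if not name_id["value"]:
        raise ValueError("empty NameID value")
    # SAML core 8.3.7: NameQualifier MAY be omitted when derivable from the Issuer;
    # SPNameQualifier MAY be omitted when it would be the receiving SP's own entityID.
    name_qualifier = name_id["name_qualifier"] or name_id["issuer"]
    sp_name_qualifier = name_id["sp_name_qualifier"] or our_entity_id
    if not name_qualifier:
        raise ValueError("cannot qualify identifier: no NameQualifier and no Issuer")
    if sp_name_qualifier != our_entity_id:
        # Minted for a different SP. If you are part of an affiliation, replace this
        # strict check with an allow-list of affiliation IDs you belong to.
        raise ValueError(f"identifier scoped to {sp_name_qualifier}, not {our_entity_id}")
    return f"{name_qualifier}!{sp_name_qualifier}!{name_id['value']}"


if __name__ == "__main__":
    ours = "https://sp.example.com/shibboleth"
    nid = parse_targeted_id(SAMPLE_ASSERTION)
    key = scoped_targeted_id(nid, ours)
    print(key)
    # Same opaque value asserted by a different IdP is a different subject.
    other = dict(nid, name_qualifier="https://idp.other.example/idp/shibboleth")
    print(scoped_targeted_id(other, ours) != key)
```

In a SimpleSAMLphp SP the NameID object from the post already carries these four fields, so the same composition applies to it; the decryption the original poster was looking for is not a step here, since a persistent NameID is pseudonymous by construction rather than encrypted. The format check matters because a transient NameID looks identical on the wire but must never be used as a long-lived account key.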

andy kisaragi

Jan 16, 2018, 6:26:51 AM
to SimpleSAMLphp

On Monday, January 15, 2018 at 6:49:25 PM UTC, Peter Schober wrote:
> The latter, at least for the "persistent" NameID Format.
>
> A quick look at the spec should clear this up, I think, section 8.3.7
> Persistent Identifier, p.86 in this PDF:
> https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf


Thanks so much Peter, this is exactly what I needed but couldn't find :)

andy 