Trouble decoding nameid in the IDP authentication response


Vitaliy Buyar

Sep 15, 2020, 6:05:03 PM
to SimpleSAMLphp
Hello everyone,

I've just upgraded from the very old 1.13.2 to the latest 1.18.8 version of SimpleSAMLphp.
I copied the basic required settings from config, authsources, saml20-idp-remote, certificates over to the new installation.

And now I have an issue communicating with one of the IDPs.

The authentication goes fine, and when I try to echo out the attributes the nameid is not correct:
array(1) { ["nameid"]=> array(1) { [0]=> string(27) "EMzRKqAoeQM5Zc6aQWAMFv75jLf" } }

When I simply take the original 1.13.2 folder and replace the new one, start the authentication process over, I get the correct nameid value:

array(1) { ["nameid"]=> array(1) { [0]=> string(8) "user1" } }

In the newer version of the library, the nameid looks to be encrypted or something.

saml20-idp-remote.php:
$metadata['idp1.com'] = array (
  'entityid' => ' idp1.com ',
  'contacts' => array (
    0 => array (
      'contactType' => 'administrative', 'company' => 'test', 'givenName' => 'test',
      'surName' => 'test', 'emailAddress' => array ( 0 => '1...@2.com' ),
      'telephoneNumber' => array ( 0 => '000' ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'sign.authnrequest' => true,
  'SingleSignOnService' => array (
    0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => 'https://...' ),
    1 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Location' => 'https://...' ),
  ),
  'SingleLogoutService' => array (), 'ArtifactResolutionService' => array (),
  'keys' => array (
    0 => array (
      'encryption' => false, 'signing' => true, 'type' => 'X509Certificate',
      'X509Certificate' => 'xxx',
    ),
  ),
);

authsources.php:
'test' => array(
  'saml:SP',
  'entityID' => 'test',
  'idp' => 'idp1.com',
  'privatekey' => 'x.pem',
  'privatekey_pass' => 'xxxxx',
  'certificate' => 'x.cert',
  'NameIDPolicy' => null,
  'authproc' => array(
    20 => array( 'class' => 'saml:NameIDAttribute', 'format' => '%V' ),
  ),
  'discoURL' => null,
),

I have tried downgrading to 1.17 and 1.16 but still get the same issue.

To reiterate, everything works fine on the old version.

Peter Schober

Sep 16, 2020, 5:12:25 AM
to SimpleSAMLphp
* Vitaliy Buyar <vitali...@gmail.com> [2020-09-16 00:05]:
> The authentication goes fine, and when I try to echo out the attributes the
> nameid is not correct:
> array(1) { ["nameid"]=> array(1) { [0]=> string(27) "EMzRKqAoeQM5Zc6aQWAMFv75jLf" } }

You'll need to look at the SAML, what's the *requested* NameIDFormat
from your SP in both cases and what's the *returned* (from the IDP)
NameIDFormat in both cases?
In the undesirable case I'd expect it to be a transient or persistent
NameID, in which case the above value is neither incorrect nor encoded
nor encrypted: It's just an ugly, opaque string.

> When I simply take the original 1.13.2 folder and replace the new
> one, start the authentication process over, I get the correct nameid
> value:

That might just as well have a completely different reason than you
speculate: Maybe the *requested* NameIDFormat changed (e.g. due to
well-documented configuration changes wrt NameIDFormat handling in the
saml:SP authsource around 1.17 and 1.17.5) and changing your config
also changes the requested (and delivered!) NameIDFormat from the IDP,
and hence also changes the returned value.

> 20 => array( 'class' => 'saml:NameIDAttribute', 'format' => '%V' ),

Note that depending on the expected/returned NameIDFormat only using
the value (%V) of the NameID but none of the qualifiers (specifically
the NameQualifier, i.e., the Issuer of that NameID value) may not be
sufficient: Values are only certain to be globally unique when using
the qualifiers for some formats.

Here's a more complex example of pulling out two different kinds of
NameID values (persistent NameIDs and emailAddress ones) and handling
them with and without the respective qualifiers.
(Removing the "cleanup" filters in 21, 22, 31, 32 would make this quite a
bit shorter.)

'authproc' => array(
  01 => array(
    'class' => 'core:AttributeMap', 'oid2name', 'urn2name',
  ),

  // pull NameID value and format with all qualifiers
  10 => array(
    'class' => 'saml:NameIDAttribute',
    'format' => '%F|%I!%S!%V',
    'attribute' => 'nameid_qualified',
  ),
  // pull NameID value and format without any qualifiers
  11 => array(
    'class' => 'saml:NameIDAttribute',
    'format' => '%F|%V',
    'attribute' => 'nameid_naked',
  ),

  // copy value for NameIDs of type persistent to attribute "persistent-id"
  20 => array(
    'class' => 'core:AttributeAlter',
    'subject' => 'nameid_qualified',
    'pattern' => '/^urn:oasis:names:tc:SAML:2\.0:nameid-format:persistent\|/',
    'target' => 'persistent-id',
    'replacement' => '',
  ),
  21 => array( // cleanup tmp attribute nameid_qualified
    'class' => 'core:AttributeAlter',
    'subject' => 'nameid_qualified',
    'pattern' => '/^.*/',
    '%remove',
  ),
  22 => array( // cleanup empty persistent-id
    'class' => 'core:AttributeAlter',
    'subject' => 'persistent-id',
    // match only empty values; an empty pattern ('//') would match every value and remove a real id too
    'pattern' => '/^$/',
    '%remove',
  ),

  // copy value for NameIDs of type emailAddress to attribute "email-id"
  30 => array(
    'class' => 'core:AttributeAlter',
    'subject' => 'nameid_naked',
    'pattern' => '/^urn:oasis:names:tc:SAML:1\.1:nameid-format:emailAddress\|/',
    'target' => 'email-id',
    'replacement' => '',
  ),
  31 => array( // cleanup tmp attribute nameid_naked
    'class' => 'core:AttributeAlter',
    'subject' => 'nameid_naked',
    'pattern' => '/^.*/',
    '%remove',
  ),
  32 => array( // cleanup empty email-id
    'class' => 'core:AttributeAlter',
    'subject' => 'email-id',
    // match only empty values, as in 22
    'pattern' => '/^$/',
    '%remove',
  ),
),

Cheers,
-peter
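Peter's advice is to compare the requested NameIDFormat in the AuthnRequest with the returned one in the Response, and to keep the qualifiers around for formats that need them. The script below does that check on two constructed SAML documents (the transient value from the first post, an assumed issuer of idp1.com and SP entityID of test) and builds the same '%F|%I!%S!%V' layout his filter 10 uses; it is an added example, not code from the thread or from SimpleSAMLphp.

```python
# Added example (not from the thread): read the *requested* NameIDPolicy Format
# from an AuthnRequest and the *returned* NameID with its qualifiers from a
# Response, then build the '%F|%I!%S!%V' layout used by saml:NameIDAttribute.
# Both XML documents are constructed samples, not real traffic.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">
  <saml:Issuer>test</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>idp1.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      NameQualifier="idp1.com" SPNameQualifier="test">EMzRKqAoeQM5Zc6aQWAMFv75jLf</saml:NameID>
    </saml:Subject></saml:Assertion></samlp:Response>"""

def requested_format(authn_request_xml):
    """Format the SP asked for; None when no NameIDPolicy element was sent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def returned_nameid(response_xml):
    """Format, NameQualifier, SPNameQualifier and value of the returned NameID."""
    nameid = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None
    # A missing Format attribute means 'unspecified' per SAML 2.0 core.
    return {"format": nameid.get("Format", UNSPECIFIED),
            "name_qualifier": nameid.get("NameQualifier", ""),
            "sp_name_qualifier": nameid.get("SPNameQualifier", ""),
            "value": nameid.text.strip()}

def qualified_id(n):
    """Same layout as the '%F|%I!%S!%V' pattern: keeps the issuer qualifiers."""
    return "%s|%s!%s!%s" % (n["format"], n["name_qualifier"],
                            n["sp_name_qualifier"], n["value"])

def is_stable_identifier(n):
    """Only a persistent NameID is a durable user key; a transient one changes per session."""
    return n["format"] == PERSISTENT
```

Running it against the sample above shows the SP asked for transient and got transient, which is exactly why the value is an opaque string rather than a username.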

Vitaliy Buyar

Sep 16, 2020, 8:38:59 AM
to SimpleSAMLphp
Thanks for the response.
This was indeed caused by requesting the wrong NameIDFormat.

In the old version of SimpleSAMLphp, sending "'NameIDPolicy' => null," meant not sending a NameIDPolicy, while in newer versions it would send transient.
I changed it to send 'NameIDPolicy' => false, and now the IDP returns the actual username and not the random-character transient ID.

Again, thank you for the fast response!

Peter Schober

Sep 16, 2020, 12:01:07 PM
to SimpleSAMLphp
* Vitaliy Buyar <vitali...@gmail.com> [2020-09-16 14:39]:
> This was indeed caused by requesting the wrong NameIDFormat.

OK, great.

When updating you should make it a habit to always read the release
notes of any of the versions you're covering (or skipping) with the
update.

> In the old version of simplesamlphp sending "'NameIDPolicy' => null,"

Yeah, that was an undocumented hack someone found out, IIRC.

Still it was popular since it was the only functioning way to not
request a specific format, which in some deployments is the only way
to be interoperable with a variety of IDPs.

That's now behind us, fortunately. ;)

-peter