By: Jason Denney user 31 May 2018 at 3:54 p.m. CDT

1 Response
Hello, I am having an issue getting a Persistent NameID generated after altering the configuration. I have edited `saml-nameid.xml.vm` in `/opt/gluu/jetty/identity/conf/shibboleth3/idp/` to uncomment `<ref bean="shibboleth.SAML2PersistentGenerator" />`. I then edited `/opt/shibboleth-idp/conf/saml-nameid.properties` with the following values:

```
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
idp.persistentId.sourceAttribute = inum
#idp.persistentId.useUnfilteredAttributes = true
idp.persistentId.algorithm = SHA
idp.persistentId.salt = ******
```

and restarted both the `identity` and `idp` services, in that order. I am then attempting to configure this to work from an AWS Cognito User Pool. Here is the SAMLRequest generated by Cognito:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://****.amazoncognito.com/saml2/idpresponse"
    Destination="https://****/idp/profile/SAML2/Redirect/SSO"
    ID="_81d8fed5-8179-40a8-b491-45bc1d1fb8ce" IssueInstant="2018-05-31T14:51:02.283Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:amazon:cognito:sp:****</saml2:Issuer>
</saml2p:AuthnRequest>
```

The metadata that I have for my AWS Cognito pool, which I added as the Trust Relationship within Gluu, is as follows:

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:amazon:cognito:sp:****" validUntil="2019-05-09T00:00:00Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>****</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://****.amazoncognito.com/saml2/idpresponse"/>
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">AWS Cognito User Pool Single Sign-On</ServiceName>
      <RequestedAttribute isRequired="true" Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
      <RequestedAttribute isRequired="true" Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
      <RequestedAttribute isRequired="true" Name="urn:oid:2.5.4.4" FriendlyName="sn"/>
      <RequestedAttribute isRequired="true" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
      <RequestedAttribute isRequired="true" Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">****</OrganizationName>
    <OrganizationDisplayName xml:lang="en">****</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://****</OrganizationURL>
  </Organization>
</EntityDescriptor>
```

The metadata that I imported into the AWS Cognito User Pool was downloaded via https://****/idp/shibboleth. Any assistance on understanding the NameID generation is appreciated. Thanks, Jason
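As an added illustration of what the `SAML2PersistentGenerator` configuration above produces (example code, not from the post or from the Gluu/Shibboleth code base): Shibboleth's documented computed persistent ID is base64(SHA-1(relyingPartyId + "!" + sourceAttributeValue + "!" + salt)), which is what `idp.persistentId.algorithm = SHA` selects. The snippet also checks that the SP metadata actually advertises the persistent format before minting one; the metadata, inum and salt values are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed SP metadata, trimmed to the parts relevant to NameID handling
# (modelled on the Cognito descriptor in the post; entityID is a placeholder).
SP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:amazon:cognito:sp:EXAMPLE-POOL">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""

def sp_nameid_formats(metadata_xml):
    """Return (entityID, [NameIDFormat values]) advertised by SP metadata."""
    root = ET.fromstring(metadata_xml)
    formats = [e.text.strip() for e in root.iterfind("md:SPSSODescriptor/md:NameIDFormat", MD_NS)]
    return root.get("entityID"), formats

def computed_persistent_id(relying_party_id, source_value, salt):
    """Shibboleth computed persistent ID: base64(SHA-1(rpId + "!" + source + "!" + salt)).
    Mixing in the relying party ID gives each SP a different, unlinkable value for
    the same user; the salt must stay secret and never change, otherwise every
    previously issued NameID turns into a brand-new account at the SP."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")

def persistent_nameid_for(metadata_xml, source_value, salt):
    """Only mint a persistent NameID for an SP whose metadata advertises the format."""
    entity_id, formats = sp_nameid_formats(metadata_xml)
    if PERSISTENT not in formats:
        raise ValueError(f"{entity_id} does not advertise {PERSISTENT}")
    return computed_persistent_id(entity_id, source_value, salt)

if __name__ == "__main__":
    # Constructed inum and salt; the real salt is the idp.persistentId.salt property.
    print(persistent_nameid_for(SP_METADATA, "@!1234.5678.ABCD.EF01", "EXAMPLE-SALT-DO-NOT-USE"))
```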

By Jason Denney user 01 Jun 2018 at 1:36 p.m. CDT

OK, I did finally get this to successfully get through the AWS Cognito User Pool and map the Assertion Attributes to the Cognito user. Since I noticed that the SAMLRequest generated by the AWS Cognito User Pool login had `<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">` defined, I did this setup. In the `SPSSODescriptor` I added the following:

```xml
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
```

and updated my Trusted Relationship with this data. I then also altered the Shibboleth metadata that I downloaded via `https://<myserver>/idp/shibboleth` to include the same NameIDFormat line, and updated my SAML Provider definition in the AWS Cognito User Pool with the new metadata. I did this on the assumption that this would describe the format supported by the SAML IDP. Then, in one of the documents, I saw that the field used also had to be added to the Released Attributes in the Trusted Relationship, so I added the `inum` attribute to the released attributes. Then in the `saml-nameid.xml.vm` file I added this bean spec:

```xml
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
    p:attributeSourceIds="#{ {'inum'} }" />
```

I restarted the `identity` and `idp` services, and I then got no errors during the login process. Out of the steps I took to expose nameid-format:entity, were some of them not necessary?