By: ved singh user 08 Jun 2017 at 7:45 p.m. CDT

3 Responses
Hi,

In my application I need the Gluu server to pass a custom attribute to the SP in order to identify a user. I followed the steps below:

1) Created the custom attribute (imcemailid) as per the doc: [https://gluu.org/docs/ce/3.0.1/admin-guide/attribute/](https://gluu.org/docs/ce/3.0.1/admin-guide/attribute/)

2) Added the attribute to the TR, which is valid and active.

3) Updated the NameId template file as mentioned in the above doc. Below is a snippet of the updated file:

/opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm

```
#foreach( $attribute in $attrParams.attributes )
    #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId') or $attribute.name.equals('imcemailid') ) )
        #if($attribute.name.equals('eppnForNIH'))
            <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
                <resolver:Dependency ref="siteLDAP" />
                <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
            </resolver:AttributeDefinition>
        #else
            <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
                <resolver:Dependency ref="siteLDAP" />
                <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" encodeType="false" />
            </resolver:AttributeDefinition>
        #end
    #end
#end

<resolver:AttributeDefinition id="imcemailid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="email">
    <resolver:Dependency ref="siteLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email" />
</resolver:AttributeDefinition>
```

/opt/shibboleth-idp/conf/saml-nameid.xml

```
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
    <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
        p:attributeSourceIds="#{ {'imcemailid'} }"/>
</util:list>
```

4) Updated the SAML AuthnRequest message to add NameIDPolicy.

```
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://testsp.com:9000/site/saml/SSO"
    Destination="https://testgluu.com/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false"
    ID="a58h62490i4929dd371d169a0a8ci07"
    IsPassive="false"
    IssueInstant="2017-06-08T23:03:18.486Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">com:lab:hippo:sp</saml2:Issuer>
    <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" />
</saml2p:AuthnRequest>
```

Upon sending an auth request, I'm encountering an "InvalidNameIDPolicy" error. Perhaps I'm missing something. Exception snippet:

```
2017-06-09 00:15:24,407 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:151] - validate check session status:200
2017-06-09 00:15:24,407 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in
2017-06-09 00:15:24,475 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: vedgs
2017-06-09 00:15:24,530 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [imcemailid] did not produce a usable identifier
2017-06-09 00:15:24,531 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:email
2017-06-09 00:15:24,532 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidNameIDPolicy
2017-06-09 00:15:24,545 - INFO [Shibboleth-Audit.SSO:241] - 20170609T001524Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|a17277ee2jhih91b54a129d1hgi8fc8|com:imc:hippo:sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://imcgluu.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c1931cdd3c6565198d5d56d24f07faff|vedgs|||||
```

How would I change the attribute definition in attribute-resolver.xml to get the right information back from Gluu?

Thanks
Ved

By Michael Schwartz Account Admin 08 Jun 2017 at 9:39 p.m. CDT

Ved, are you passing this custom attribute as the NameID?

By Mohib Zico Account Admin 09 Jun 2017 at 4:38 a.m. CDT

Hi Ved,

#3.

> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email" /> </resolver:AttributeDefinition>

Try nameFormat 'emailAddress' like this: `nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"`

- 'saml-nameid.xml': same; try 'emailAddress' in nameFormat.

> 4) Updated SAML AuthnRequest message to add NameIDPolicy.

I am not exactly sure what you meant by that.

Also, what Mike mentioned:

> are you passing this custom attribute as the NameID?

You need to create the custom attribute first, then configure that as the NameID and, after everything, release this attribute in the Trust Relationship.

By ved singh user 13 Jun 2017 at 1 p.m. CDT

Hi Michael and Mohib,

Thanks so much for the guidance. I was able to get it working. The issue was a mismatch of the NameID format between saml-nameid.xml, attribute-resolver.xml.vm and the auth request.

Thanks again for the help.
Ved
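The root cause in this thread, a NameID format that differs between the resolver encoder, the saml-nameid.xml generator bean and the SP's NameIDPolicy, can be caught before a login attempt. The following Python script is an added example, not code from the thread or from Gluu: it parses three constructed documents that mirror the post's snippets and reports any side that disagrees or that uses a format outside the identifier formats listed in SAML 2.0 Core section 8.3.

```python
"""Cross-check the NameID format in the three places this thread touches:
the attribute-resolver encoder, the saml-nameid.xml generator bean and the
SP's AuthnRequest NameIDPolicy. The sample documents below are constructed."""
import xml.etree.ElementTree as ET

P_FORMAT = "{http://www.springframework.org/schema/p}format"
# Identifier formats defined by SAML 2.0 Core sec. 8.3 (emailAddress is a 1.1 URN).
STANDARD = {"urn:oasis:names:tc:SAML:1.1:nameid-format:" + n for n in
            ("unspecified", "emailAddress", "X509SubjectName", "WindowsDomainQualifiedName")}
STANDARD |= {"urn:oasis:names:tc:SAML:2.0:nameid-format:" + n for n in
             ("kerberos", "entity", "persistent", "transient")}

# Constructed: rendered output of the post's attribute-resolver.xml.vm for imcemailid.
RESOLVER = """<r:AttributeResolver xmlns:r="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <r:AttributeDefinition id="imcemailid" xsi:type="ad:Simple" sourceAttributeID="email">
    <r:Dependency ref="siteLDAP"/>
    <r:AttributeEncoder xsi:type="enc:SAML2StringNameID"
      nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email"/>
  </r:AttributeDefinition></r:AttributeResolver>"""
# Constructed: the generator list from saml-nameid.xml, with the suggested 1.1 format applied.
NAMEID = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'imcemailid'} }"/>
  </util:list></beans>"""
# Constructed: the SP's NameIDPolicy, as in the post's AuthnRequest.
AUTHN = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_x" Version="2.0" IssueInstant="2017-06-08T23:03:18.486Z">
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"/></saml2p:AuthnRequest>"""

def _attr(xml_text, local_tag, attr):
    """Values of `attr` on every element whose local name is `local_tag` (namespace-agnostic)."""
    return {e.get(attr) for e in ET.fromstring(xml_text).iter()
            if e.tag.rsplit("}", 1)[-1] == local_tag and e.get(attr)}

def check_nameid_config(resolver_xml, nameid_xml, authn_xml):
    """Return findings; an empty list means all three sides agree on a standard format."""
    encoders = _attr(resolver_xml, "AttributeEncoder", "nameFormat")   # IdP encoder side
    generators = _attr(nameid_xml, "bean", P_FORMAT)                   # any bean with p:format
    requested = _attr(authn_xml, "NameIDPolicy", "Format")             # what the SP asks for
    findings = [f"non-standard NameID format: {f}" for f in (encoders | generators | requested) - STANDARD]
    if not (encoders & generators):
        findings.append("attribute-resolver encoder and saml-nameid generator formats differ")
    if requested and not (requested & generators):
        findings.append("SP requests a format that no generator in saml-nameid.xml produces")
    return findings
```

With the constructed inputs the check reports three findings; once all three documents carry `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, it reports none.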