By: Pradeep Vara user 15 Oct 2018 at 4:02 a.m. CDT

8 Responses
Our application acts as an SP and we are using Gluu as its IdP. Here "email" is used as the subject during the authn request to validate the user. How should we define the nameID format as email address in 3.1.4 with SAML 1.1, as below?

Gluu nameID format - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Email Address - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Expected configuration in attribute-resolver.xml:

```
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
```

Current configuration in Gluu:

```
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
```

Even if we change the Shibboleth configuration manually to point to SAML 1.1, after an IdP restart the configuration reverts to SAML 2.0.

By Mohib Zico Account Admin 15 Oct 2018 at 4:16 a.m. CDT

Yes, there is a little discrepancy there for nameID in 3.1.4. We have figured it out and a workaround is in QA at this moment. After QA, we will finalize a new doc on NameID this week. Stay tuned!

By Pradeep Vara user 15 Oct 2018 at 4:44 a.m. CDT

Thank you for the response. Please provide us the doc once the QA is done.

By Jakub Synowiec user 16 Oct 2018 at 8:36 p.m. CDT

Hi Mohib, I was trying to configure the NameID with Gluu 3.1.4, but it seems like my SAML 2.0 doesn't pick it up at all (NameID is not in the SAMLResponse). Do the discrepancies related to NameID in this version relate to this issue as well? I looked at the attribute-resolver.xml.vm and saml-nameid.xml as advised here: https://gluu.org/docs/ce/admin-guide/saml/#configure-nameid

And it seems to be configured fine (I configured through the UI, and checked the files so that the changes from the Gluu UI are there). Let me know, thanks! - Jakub

By Mohib Zico Account Admin 17 Oct 2018 at 1:52 a.m. CDT

Hello Jakub, if you configure it properly, it shouldn't have any issue. The primary configuration files for nameID-related things are attribute-resolver.xml and saml-nameid.xml.

By Jakub Synowiec user 17 Oct 2018 at 10:09 a.m. CDT

Mohib, thank you for the quick reply! This is my attribute-resolver.xml:

```
<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- ========================================== -->
    <!--             Attribute Definitions          -->
    <!-- ========================================== -->

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="iname" sourceAttributeID="iname">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.116" friendlyName="iname" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="sn" sourceAttributeID="sn">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="nickname" sourceAttributeID="nickname">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.319" friendlyName="nickname" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="o" sourceAttributeID="o">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="inum" sourceAttributeID="inum">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.117" friendlyName="inum" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="gluuIMAPData" sourceAttributeID="gluuIMAPData">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.355" friendlyName="gluuIMAPData" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="gluuStatus" sourceAttributeID="gluuStatus">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.97" friendlyName="gluuStatus" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="emailVerified" sourceAttributeID="emailVerified">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.324" friendlyName="emailVerified" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="preferredUsername" sourceAttributeID="preferredUsername">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.48710.1.3.320" friendlyName="preferredUsername" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="CompanyID" sourceAttributeID="CompanyID">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:CompanyID" friendlyName="CompanyID" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="persistentId" sourceAttributeID="persistentId">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="transientId" sourceAttributeID="transientId">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>

    <!-- ========================================== -->
    <!--                Data Connectors             -->
    <!-- ========================================== -->

    <resolver:DataConnector id="siteLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">
        <dc:FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </dc:FilterTemplate>
        <!-- <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes> -->
        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
        </dc:StartTLSTrustCredential>
    </resolver:DataConnector>

</resolver:AttributeResolver>
```

I can see there I have attributes of type "SAML2StringNameID", so they should be included! Here's the saml-nameid.xml:

```
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- ========================= SAML NameID Generation ========================= -->

    <!--
    These generator lists handle NameID/Nameidentifier generation going forward.
    By default, transient IDs for both SAML versions are enabled.

    The commented examples are for persistent IDs and generating more one-off
    formats based on resolved attributes.

    The suggested approach is to control their use via release of the underlying
    source attribute in the filter policy rather than here, but you can set a
    property on any generator called "activationCondition" to limit use in the
    most generic way.

    Most of the relevant configuration settings are controlled using properties;
    an exception is the generation of arbitrary/custom formats based on attribute
    information, examples of which are shown below.
    -->

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
            p:attributeSourceIds="#{ {'persistentId'} }"/>

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
            p:attributeSourceIds="#{ {'transientId'} }"/>

        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->

        <!--
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->

    </util:list>

</beans>
```

And again, there are beans with the SAML2AttributeSourcedGenerator for the two NameIDs I want to generate. Both of the files look correct to me, at least along the lines of the Gluu docs link I posted previously.

Still, the SAMLResponse is lacking the NameID part:

```
<saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="209.239.187.74" NotOnOrAfter="2018-10-17T14:54:55.774Z" Recipient="https://[removed]"/>
    </saml2:SubjectConfirmation>
</saml2:Subject>
```

Again, I really do appreciate the help and quick response. Thanks!
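The two posts above both turn on the same detail: the email-address NameID format is defined in the SAML 1.1 namespace (`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`) and SAML 2.0 reuses it unchanged, so the `...:2.0:nameid-format:emailAddress` string Gluu 3.1.4 generated in attribute-resolver.xml, and the `...:2.0:nameid-format:email` string in the saml-nameid.xml posted above, are URNs that no SP will ever request. Spring loads such a value without complaint, so the first visible symptom is a `<saml2:Subject>` with no `<saml2:NameID>`. The following is an added example, not code from this thread or from Gluu or Shibboleth: an offline checker that flags undefined format URNs in either config file and tells you whether a decoded SAMLResponse carries a NameID of the format the SP asked for. All XML in it is constructed for the example; `sp.example.com` and `alice@example.com` are placeholders.

```python
"""Offline check for the NameID-format mistakes seen in the thread.

bad_formats_in_config(): flag p:format (saml-nameid.xml) / nameFormat
(attribute-resolver.xml) values that are not URNs defined by SAML.
subject_nameid(): confirm a decoded SAMLResponse carries a NameID.
All XML samples below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# NameID format URNs from SAML 1.1 core (sec. 7.3) and SAML 2.0 core (sec. 8.3).
# emailAddress, unspecified, X509SubjectName and WindowsDomainQualifiedName keep
# their 1.1 URNs in SAML 2.0; no "...:SAML:2.0:nameid-format:email*" exists.
KNOWN_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "p": "http://www.springframework.org/schema/p"}


def bad_formats_in_config(xml_text):
    """Return the NameID format URNs in a saml-nameid.xml or
    attribute-resolver.xml document that SAML does not define."""
    found = set()
    for el in ET.fromstring(xml_text).iter():
        # Spring p-namespace attribute on generator beans, and the plain
        # nameFormat attribute on SAML2StringNameID encoders.
        for fmt in (el.get("{%s}format" % NS["p"]), el.get("nameFormat")):
            if fmt:
                found.add(fmt)
    return found - KNOWN_NAMEID_FORMATS


def subject_nameid(response_xml, expected_format=None):
    """Inspect a decoded SAMLResponse/Assertion; return (ok, reason, format).
    A missing Format attribute means 'unspecified' (SAML 2.0 core sec. 2.2.2)."""
    subject = ET.fromstring(response_xml).find(".//saml2:Subject", NS)
    if subject is None:
        return False, "response has no Subject", None
    nameid = subject.find("saml2:NameID", NS)
    if nameid is None:
        return False, "Subject has no NameID: the IdP generated none", None
    fmt = nameid.get("Format", UNSPECIFIED)
    if fmt not in KNOWN_NAMEID_FORMATS:
        return False, "undefined NameID Format " + fmt, fmt
    if expected_format and fmt != expected_format:
        return False, "got %s, SP requested %s" % (fmt, expected_format), fmt
    return True, "ok", fmt


# Constructed: one mis-typed and one correct generator, as in saml-nameid.xml.
SAML_NAMEID_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
        p:attributeSourceIds="#{ {'mail'} }"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }"/>
  </util:list>
</beans>"""

# Constructed: the encoder line Gluu 3.1.4 wrote into attribute-resolver.xml.
ATTRIBUTE_RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="mail" sourceAttributeID="mail">
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed: the Subject shape seen in the thread (no NameID), and a fixed one.
SUBJECT_NO_NAMEID = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2018-10-17T14:54:55.774Z"
          Recipient="https://sp.example.com/acs"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
</saml2:Assertion>"""
SUBJECT_WITH_NAMEID = SUBJECT_NO_NAMEID.replace(
    "<saml2:Subject>",
    '<saml2:Subject><saml2:NameID Format="%s">alice@example.com</saml2:NameID>'
    % EMAIL_FORMAT)

if __name__ == "__main__":
    print("undefined formats in config:",
          sorted(bad_formats_in_config(SAML_NAMEID_XML)
                 | bad_formats_in_config(ATTRIBUTE_RESOLVER_XML)))
    print(subject_nameid(SUBJECT_NO_NAMEID, EMAIL_FORMAT))
    print(subject_nameid(SUBJECT_WITH_NAMEID, EMAIL_FORMAT))
```

Run it against a real `saml-nameid.xml` and `attribute-resolver.xml` by reading the files into `bad_formats_in_config`, and against a SAMLResponse after base64-decoding it out of the POST body. The check only proves that a NameID of the expected Format is present; signature validation and the mapping of the NameID value to a local account are still the SP's job, and an `emailAddress` NameID should only be trusted for login if the IdP is the authority for that mail attribute.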

By Mohib Zico Account Admin 18 Oct 2018 at 3:21 a.m. CDT

Doc updated: [https://gluu.org/docs/ce/admin-guide/saml/#manual-configuration](https://gluu.org/docs/ce/admin-guide/saml/#manual-configuration)

By Pradeep Vara user 22 Oct 2018 at 1:46 a.m. CDT

Hi Mohib,

- So can we use NameIDFormat with SAML 1.1?
- Do we need to download the latest version of GLUU?

By Mohib Zico Account Admin 22 Oct 2018 at 3:05 a.m. CDT

Yes, you can use 1.1. If you want to use 3.1.4, it's a little bit different (that's why we upgraded the doc). For versions below 3.1.4, the configuration is the same as what the documentation says. Thanks!