By: Brett Cave Account Admin 13 Sep 2017 at 8:51 a.m. CDT

Hi, I am trying to configure Gluu to use a user's email address as NameID in a SAML outbound configuration (SP-initiated). I have tried to use this as a basis for configuration: https://support.gluu.org/single-sign-on/3853/nameid-attribute-for-google-apps-g-suite-integration/ I have edited /opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm as follows:

```
#foreach( $attribute in $attrParams.attributes )
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId') or $attribute.name.equals('mail') ) )
#if($attribute.name.equals('eppnForNIH'))
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" name="email" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>
#else
<resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" encodeType="false" />
</resolver:AttributeDefinition>
#end
```

After this, I restarted the `identity` service. I then access the SP protected resource, which directs me to the Gluu server, authenticates me and redirects me back to the SP.

In the SAMLResponse, however, the saml2 NameID is not my email address:

```
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.myorg/idp/shibboleth" SPNameQualifier="urn:advisorpro">AAdzZWNyZXQxkC2d1HP/EcKEw+661Fm5ftH8zuNrdkCmYTtHjD3AC3IE8w1WFrsDTZKUnYUnQitOkcn0Cr0PkdWE0/FtVBJmjC/W000QEfqqZv1B0iv9wZHkJ2gg</saml2:NameID>
```

How can I configure Gluu to send my `mail` attribute (or is that the mail attribute being sent through, encrypted?)? My SP metadata that was uploaded to Gluu includes a KeyDescriptor with an x509 certificate and the following lines in the SPSSODescriptor section:

```
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://redacted/api/secure?client_name=redacted" index="0"/>
```

By Aliaksandr Samuseu staff 13 Sep 2017 at 12:22 p.m. CDT

Hi, Brett. Do you need to authenticate at Google using SAML, or do you just need to use `email` in the nameid with some arbitrary SP? In the latter case you should check [this article](https://gluu.org/docs/ce/3.0.2/admin-guide/attribute/#defining-nameid), while keeping in mind that in IdP3, used in CE 3.0.x, the file `/opt/shibboleth-idp/conf/saml-nameid.xml` is now your main focus of concern. I would try to edit the corresponding part of it to look like this:

```
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
      p:attributeSourceIds="#{ {'mail'} }"></bean>
```

Then you need to restart the idp: `# service idp restart`. Please make copies of all files you'll be editing, or create a snapshot for this VM prior to that. Also keep in mind you must release the attribute you are using as the source of values for your nameid in this TR (by adding the `email` attribute to its "Released" list in the web UI).

By Mohib Zico Account Admin 15 Sep 2017 at 12:47 a.m. CDT

Hi Brett, I have a couple of different approaches for creating a nameID. Lemme know whether Alex's comment is helping you or not; I'll add a couple more points.

By Brett Cave Account Admin 15 Sep 2017 at 4:29 a.m. CDT

Thanks - I didn't get notice of the comment, but managed to resolve it. I did enable that bean, but I think I was using a SAML:1.1 format instead of 2.0 and using an emailAddress format name instead of email. In the end, I made a bunch of changes that resolved the issue. Notably, I changed saml-nameid.properties and set the defaults for saml1 and saml2 to emailAddress / email respectively, and also ensured that attribute names correlated between the idp config and the sp-metadata provided. Thanks for the assistance.