By: Mike Assel user 17 Jan 2018 at 12:41 p.m. CST

5 Responses
My SP is not recognizing the NameID in the gluu SAML response. The SP vendor is saying that the NameID attribute should be my actual username (mike.assel), but it is coming across as a long alpha-numeric stream in the response. I'm a total noob with SSO and SAML, so I'm fuzzy on what I need to do on the gluu side. From what I read in your docs "the default NameID for oxTrust generated SAML trust relationships is transientID". I have released that attribute in the SAML trust relationship. Am I missing anything?

See here for config screenshots: https://www.dropbox.com/sh/dckclukgi12b572/AAANnKCXVRroa7QU3LfN3_84a?dl=0

This is the SAML response from Gluu:

```xml
<saml2p:Response Destination="https://hbcomms.rev-na.demo.vbrick.com:443/sso/consume"
                 ID="_66e10f802570854c7f5920153e12341f"
                 InResponseTo="_C6B84E0786F84C3E8EF8CA56F26DF39F"
                 IssueInstant="2018-01-17T17:07:57.343Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://gluu.hbcommunications.com/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_9bbd10ef99a9d7fc39399df267aa3fb9"
                   IssueInstant="2018-01-17T17:07:57.343Z"
                   Version="2.0"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://gluu.hbcommunications.com/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://gluu.hbcommunications.com/idp/shibboleth"
                    SPNameQualifier="https://hbcomms.rev-na.demo.vbrick.com:443">AAdzZWNyZXQxd+t5XFZ5Y1IpX94vx6Rr6Hx1YF8MhS9gYlDVgOkN6I9z5K8nZrwoMIYJGhqysuALRF1u0KcV8AbPSBGhJWQGB1Bqb0h6RH8/KK172K7X2ySDC5J7ma6JOKvYfMMgkghWZeytWdcjuqbukBarsDd9R6o+</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="127.0.0.1"
                                       InResponseTo="_C6B84E0786F84C3E8EF8CA56F26DF39F"
                                       NotOnOrAfter="2018-01-17T17:12:57.355Z"
                                       Recipient="https://hbcomms.rev-na.demo.vbrick.com:443/sso/consume"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-01-17T17:07:57.343Z" NotOnOrAfter="2018-01-17T17:12:57.343Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://hbcomms.rev-na.demo.vbrick.com:443</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-01-17T17:07:57.336Z" SessionIndex="_5437fbeb4a4071df6a6217e5393ee1a9">
      <saml2:SubjectLocality Address="127.0.0.1"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```

Thanks, Mike

By Mohib Zico Account Admin 18 Jan 2018 at 1:58 a.m. CST

Hi Mike,

If they want a nameID that is 'based on UID', then you have to create one like [this](https://gluu.org/docs/ce/3.1.1/admin-guide/attribute/#custom-attributes).

By Mike Assel user 18 Jan 2018 at 8:27 a.m. CST

I read that link and I’m still a bit confused, sorry. If the TransientID is being used for nameID by default, and I have mapped transientID to samaccountname in cache refresh ldap settings, then why is transientID using UID? I’m still confused on what I need to do. Thanks for your support and patience :)

By Mohib Zico Account Admin 18 Jan 2018 at 9:01 a.m. CST

> and I have mapped transientID to samaccountname in cache refresh ldap settings

That's the mistake; don't do it. Also... feel free to read more on NameID generation in Shibboleth v3 (nameID is confusing, so it's worth reading the docs):

- https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers
- https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration

By Mike Assel user 18 Jan 2018 at 3:12 p.m. CST

I removed the TransientID to samaccountname mapping in CR and I still have the issue. Should TransientID be listed as an attribute under manage users?

By Mohib Zico Account Admin 19 Jan 2018 at 7:01 a.m. CST

Hi Mike,

I think NameID is still not clear to you; please read the doc first.

> I removed the TransientID to samaccountname mapping in CR and I still have the issue

The issue will be there until and unless you create a custom nameID based on the username, according to the SP spec.
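A small check that makes the point of this thread concrete: parse the `<Subject>` of the response and report what the SP actually receives. This is an added example, not Gluu or Shibboleth code; the embedded response is a constructed, trimmed copy of the one posted above, and the audience and username passed in are taken from the thread.

```python
"""Inspect the Subject/NameID of a SAML 2.0 Response to see why an SP that
expects a username rejects it. Added example, not Gluu or Shibboleth code."""
import xml.etree.ElementTree as ET

SAML2 = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: the response posted in the thread, trimmed to the elements
# this check reads; the opaque NameID value is shortened.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_66e1" Version="2.0"
    IssueInstant="2018-01-17T17:07:57.343Z">
  <saml2:Assertion ID="_9bbd" Version="2.0" IssueInstant="2018-01-17T17:07:57.343Z">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="https://hbcomms.rev-na.demo.vbrick.com:443">AAdzZWNyZXQxd+t5XFZ5Y1Ip</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-01-17T17:07:57.343Z" NotOnOrAfter="2018-01-17T17:12:57.343Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://hbcomms.rev-na.demo.vbrick.com:443</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

def inspect_nameid(response_xml, expected_audience, expected_user):
    root = ET.fromstring(response_xml)
    nameid = root.find("./saml2:Assertion/saml2:Subject/saml2:NameID", SAML2)
    if nameid is None:
        return None
    fmt = nameid.get("Format", "")
    value = (nameid.text or "").strip()
    audiences = [a.text for a in root.findall(".//saml2:Audience", SAML2)]
    is_transient = fmt == TRANSIENT
    # A transient NameID is an opaque per-session token minted by the IdP; it can
    # never equal a username, so releasing or remapping the transientID attribute
    # cannot fix this. The IdP must source the NameID from a user attribute (uid).
    if is_transient:
        diagnosis = "transient NameID: opaque per-session value, not a username"
    elif value != expected_user:
        diagnosis = "NameID is not the expected username"
    else:
        diagnosis = "NameID matches the expected username"
    return {
        "format": fmt.rsplit(":", 1)[-1],  # e.g. "transient", "unspecified"
        "is_transient": is_transient,
        "matches_user": value == expected_user,
        "audience_ok": expected_audience in audiences,
        "diagnosis": diagnosis,
    }
```

Run against the posted response it reports a transient format and `matches_user: False`; once the IdP emits a uid-sourced NameID in a non-transient format, the same check returns `matches_user: True`.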