By: Sergio Cambra user 08 Apr 2019 at 6:08 a.m. CDT

1 Response
I'm trying to add an SP for the Meraki dashboard: https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard

I have added a Trust Relationship with metadata XML I created, because Meraki doesn't provide metadata. The URL in Location is provided by Meraki; it's masked here:

```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://meraki.cisco.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://n168.meraki.com/saml/login/r4gbub/lfIv9aJ9CxYd" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

I have added email and username to the released attributes. Then I go to my IdP to start an IdP-initiated login: https://idp1.luhina.com/idp/profile/SAML2/Unsolicited/SSO?providerId=https://meraki.cisco.com&target=https://n168.meraki.com

Checking the logs, I can see there are no attributes in the response:

```
2019-04-08 11:04:55,834 - INFO [org.gluu.idp.externalauth.AuthenticatedNameTranslator:59] - Created an IdP subject instance with principals containing attributes for scambra@servpac.com
2019-04-08 11:04:56,075 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:138] - Profile Action ValidateExternalAuthentication: External authentication succeeded for Subject: [IdPAttributePrincipal{attribute=IdPAttribute{id=email, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=scambra@servpac.com}]}}, UsernamePrincipal{username=scambra@servpac.com}, IdPAttributePrincipal{attribute=IdPAttribute{id=username, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=scambra@servpac.com}]}}]
2019-04-08 11:04:56,697 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [mail] did not produce a usable identifier
2019-04-08 11:04:56,827 - INFO [net.shibboleth.idp.saml.session.impl.SAML2SPSessionCreationStrategy:125] - Creating BasicSPSession in the absence of necessary information
2019-04-08 11:04:57,058 - INFO [Shibboleth-Audit.SSO:275] - 20190408T110457Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|_337ec50d-84ee-43a4-acbb-070a9338cfb1|https://meraki.cisco.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp1.luhina.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_e4dd51cbbf7033e27d7255f1cd130f8c|scambra@servpac.com|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|||_9d2050fbf3cbe407734e20aea4351527|
```

And Meraki complains about missing attributes: "Assertion contains no username and no role"

```xml
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://n168.meraki.com/saml/login/r4gbub/lfIv9aJ9CxYd" ID="_e4dd51cbbf7033e27d7255f1cd130f8c" IssueInstant="2019-04-08T11:04:56.607Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp1.luhina.com/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_e4dd51cbbf7033e27d7255f1cd130f8c">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>pU9QrDKXkJquOS7mcS1sey4g9BKevzXm0eARzcTsF4I=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      FKP7wReNFVLPAlXvnZid6pa1hmggdFyyV PwzDSgSnVrGl6YGA eVIobzyuF3t6240GQFyyguCao bWA7yEHbLXrCEO7Hhd/N3CJw5Hx334MVHX7AqZEoCyqbNc8q2YralqU4owJRhVae0xeV8FvzKtIB cHZ9xG/eMlFAtGFhY3MTZUBzzi/SSj9oeFNFCKJJ76G4CBchEe9LNhUFpYglJIp6wEuLMuJZwcpK HKNGv1LMohPfYWZ/WuwwijsxMQJrYoLR/VweflxYpQpuOgFEt9iWOLq2VsexXrOE3l DU13qcRg4 Hkas0d/l5PY3lADaig5zN3hra2FqYldcaMrwgg==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIIDbjCCAlYCCQDZ6/x39Wx8XzANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzELMAkGA1UE CAwCSEkxETAPBgNVBAcMCEhvbm9sdWx1MRAwDgYDVQQKDAdTZXJ2cGFjMRgwFgYDVQQDDA9pZHAx Lmx1aGluYS5jb20xHjAcBgkqhkiG9w0BCQEWD2VuZ0BzZXJ2cGFjLmNvbTAeFw0xOTAxMjUwNzI3 MDRaFw0yMDAxMjUwNzI3MDRaMHkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJISTERMA8GA1UEBwwI SG9ub2x1bHUxEDAOBgNVBAoMB1NlcnZwYWMxGDAWBgNVBAMMD2lkcDEubHVoaW5hLmNvbTEeMBwG CSqGSIb3DQEJARYPZW5nQHNlcnZwYWMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEA4rKnGgOSoj4VT/fs01xuTTozbpxpWtA8KHE gaHkbCtE83VBqNYol1v5qCZtIGwLv/A5sRRU hXWhB0gzBl q7nOo i226MJapQxXqsHQpuJM0Bgp7AYFuTFODnnV3 V/IE0FSwrAfiCj5adSjncm IUFT2/MRG7rhp9UxKPkE/KR6RN6ByNMG c0bTikiOzoAHL38Y9dyHK71M6K3DPeZ5ziFJWuq5k7/ sLtbInn ruHxiPvGh7HniszhFS4wcVmMFBTwVfV3249QaF0lMvRwom69 FpAOuDk3PlDbgjCBS7I HhZqW21s2 OQQx8bRPW9dbK3DUbKTxBGget1APn6/wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBH d/FnQUVCcQFfUv74rFtPTY4KwgE8FVl 18SN6H3M0Es0n0a4gRV282FshZTYHhIAlcqVLsP/LvT/ gQWcVzyaL3uRpzpU8KmSSWJ9I0NwrkjPv8POg9T/q6C /TGBstt8gg/EbX QEABClCcivSzf/oX/ Zfex2/MTfysNruV3hAlLVyo2eUTACycUZ5nLyODUyiRgfiKQJFQNlmJcFvIhwqutcMAQvl6oC5m4 yDs7QLctZfEfx2dIWo5pusPFAguEvzWkmXgVgiSELJC9I8l/RHSUiCPy8kISqxCDas5jqnH7IxEy 9iTrZfE2x OKjp8E42zxhUjvfLxlXuYSGvj3
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9d2050fbf3cbe407734e20aea4351527" IssueInstant="2019-04-08T11:04:56.607Z" Version="2.0">
    <saml2:Issuer>https://idp1.luhina.com/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_9d2050fbf3cbe407734e20aea4351527">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>IIAznvVQLdUqDp/F2xFTRjHcZ1evSHkc5Yl1S27ELPo=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        OZlibkitRDspY5IGfTnFGKTKjMufxUMVkSMs/ZMqpNW1glDeXroeBjHEgFBT69AuyhCidQRqcnQL U4j/E4Rb1HgHN6WStWymImEqcfZIDqJBGAW4cKkyV89DUPmfo3hY/WG8zved0Rf4FqDkKggtRG7J NV2dCpGALIZCukTs8UmvbhyHImG0hFPuS3JM137338 IZE5O/h4fwiorS30WR9SthCty0PrVoBQC DjZw2I/v9V1fkCyZxzE6fxwYlA6Z6vGViTvFYQ/oh5NTKzIHTM3XoJ0uPz2mmTmYRhAbnqItUtsz qFUVeV1s1BknaiES07C2e6CBpZp5socEodYNxw==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDbjCCAlYCCQDZ6/x39Wx8XzANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzELMAkGA1UE CAwCSEkxETAPBgNVBAcMCEhvbm9sdWx1MRAwDgYDVQQKDAdTZXJ2cGFjMRgwFgYDVQQDDA9pZHAx Lmx1aGluYS5jb20xHjAcBgkqhkiG9w0BCQEWD2VuZ0BzZXJ2cGFjLmNvbTAeFw0xOTAxMjUwNzI3 MDRaFw0yMDAxMjUwNzI3MDRaMHkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJISTERMA8GA1UEBwwI SG9ub2x1bHUxEDAOBgNVBAoMB1NlcnZwYWMxGDAWBgNVBAMMD2lkcDEubHVoaW5hLmNvbTEeMBwG CSqGSIb3DQEJARYPZW5nQHNlcnZwYWMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEA4rKnGgOSoj4VT/fs01xuTTozbpxpWtA8KHE gaHkbCtE83VBqNYol1v5qCZtIGwLv/A5sRRU hXWhB0gzBl q7nOo i226MJapQxXqsHQpuJM0Bgp7AYFuTFODnnV3 V/IE0FSwrAfiCj5adSjncm IUFT2/MRG7rhp9UxKPkE/KR6RN6ByNMG c0bTikiOzoAHL38Y9dyHK71M6K3DPeZ5ziFJWuq5k7/ sLtbInn ruHxiPvGh7HniszhFS4wcVmMFBTwVfV3249QaF0lMvRwom69 FpAOuDk3PlDbgjCBS7I HhZqW21s2 OQQx8bRPW9dbK3DUbKTxBGget1APn6/wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBH d/FnQUVCcQFfUv74rFtPTY4KwgE8FVl 18SN6H3M0Es0n0a4gRV282FshZTYHhIAlcqVLsP/LvT/ gQWcVzyaL3uRpzpU8KmSSWJ9I0NwrkjPv8POg9T/q6C /TGBstt8gg/EbX QEABClCcivSzf/oX/ Zfex2/MTfysNruV3hAlLVyo2eUTACycUZ5nLyODUyiRgfiKQJFQNlmJcFvIhwqutcMAQvl6oC5m4 yDs7QLctZfEfx2dIWo5pusPFAguEvzWkmXgVgiSELJC9I8l/RHSUiCPy8kISqxCDas5jqnH7IxEy 9iTrZfE2x OKjp8E42zxhUjvfLxlXuYSGvj3
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="207.2.109.34" NotOnOrAfter="2019-04-08T11:09:56.710Z" Recipient="https://n168.meraki.com/saml/login/r4gbub/lfIv9aJ9CxYd"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-04-08T11:04:56.607Z" NotOnOrAfter="2019-04-08T11:09:56.607Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://meraki.cisco.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-04-08T11:04:56.080Z" SessionIndex="_1131e5b617ebf836697a5ed14c0a9d73">
      <saml2:SubjectLocality Address="207.2.109.34"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```

By Sergio Cambra user 08 Apr 2019 at 6:27 a.m. CDT

I got it fixed by changing NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Then the response included the attributes and the NameID.
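Both posts above turn on the same two things: what the IdP actually put in the Response (an Assertion with no NameID and no AttributeStatement, matching the "Attribute sources [mail] did not produce a usable identifier" log line) and what the SP metadata declared as NameIDFormat. The following is an added example, not code from this thread, from Gluu or from Meraki: a stdlib-only Python checker that reads SP metadata and then checks a SAML Response against it (status, NameID and its Format against the metadata's NameIDFormat, bearer Recipient against the ACS Location, Audience against the entityID, the validity window, and whether an AttributeStatement is present at all). The hosts sp.example.com and idp.example.com, the metadata and the two Responses (one shaped like the first post's failure, one like what the fix produces) are constructed placeholders. It only checks that a ds:Signature element is present; it does not verify the signature.

```python
"""Structural check of a SAML 2.0 Response against the SP metadata it was issued for.
Added example, not code from the Gluu thread or the Meraki docs; stdlib only. It only
checks that ds:Signature is PRESENT: real validation needs an XML-DSig library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _t(s):  # SAML timestamps are UTC xs:dateTime ending in 'Z'; the fraction is optional
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def sp_requirements(metadata_xml):
    """What the SP metadata commits the IdP to: entityID, default ACS URL, NameIDFormat, signing."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    acs = sso.find("md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:  # explicit None test: a childless Element is falsy
        acs = sso.find("md:AssertionConsumerService", NS)
    fmt = sso.find("md:NameIDFormat", NS)
    return {"entity_id": root.get("entityID"), "acs": acs.get("Location"),
            "nameid_format": fmt.text.strip() if fmt is not None else None,
            "want_signed": sso.get("WantAssertionsSigned", "false") == "true"}


def diagnose(response_xml, reqs, now):
    """{'findings': [...], 'nameid': str|None, 'attributes': {name: [values]}}; no findings == OK."""
    f, root = [], ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        f.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:  # absent, or an EncryptedAssertion this checker does not decrypt
        return {"findings": f + ["no plaintext Assertion"], "nameid": None, "attributes": {}}
    if reqs["want_signed"] and a.find("ds:Signature", NS) is None:
        f.append("SP wants signed assertions but Assertion has no ds:Signature")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None:
        f.append("Subject has no NameID")  # the first post's symptom
    else:
        got, want = nid.get("Format", UNSPECIFIED), reqs["nameid_format"]
        if want and want != UNSPECIFIED and got != want:
            f.append(f"NameID Format {got} != metadata NameIDFormat {want}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != reqs["acs"]:
        f.append("bearer Recipient missing or != SP ACS Location")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        f.append("no Conditions")
    else:
        if cond.get("NotBefore") and now < _t(cond.get("NotBefore")):
            f.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _t(cond.get("NotOnOrAfter")):
            f.append("assertion expired")
        aud = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if reqs["entity_id"] not in aud:
            f.append(f"Audience {aud} does not include SP entityID")
    attrs = {at.get("Name"): [(v.text or "").strip() for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs:
        f.append("no AttributeStatement: SP sees no username/role attributes")
    return {"findings": f, "attributes": attrs,
            "nameid": None if nid is None else (nid.text or "").strip()}


# --- Constructed sample input (placeholder hosts, not the thread's real URLs) ---
SP_METADATA_EMAIL = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com">
 <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# The follow-up post's fix: declare the unspecified NameIDFormat instead.
SP_METADATA_UNSPEC = SP_METADATA_EMAIL.replace("nameid-format:emailAddress", "nameid-format:unspecified")


def _response(subject_extra, statement_extra):
    """Response shaped like the posted one; <ds:Signature/> stands in for a real signature."""
    return f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="https://sp.example.com/saml/acs" ID="_r1" IssueInstant="2019-04-08T11:04:56.607Z" Version="2.0">
 <saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
 <saml2:Assertion ID="_a1" IssueInstant="2019-04-08T11:04:56.607Z" Version="2.0">
  <saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer><ds:Signature/>
  <saml2:Subject>{subject_extra}<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml2:SubjectConfirmationData NotOnOrAfter="2019-04-08T11:09:56.710Z" Recipient="https://sp.example.com/saml/acs"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2019-04-08T11:04:56.607Z" NotOnOrAfter="2019-04-08T11:09:56.607Z">
   <saml2:AudienceRestriction><saml2:Audience>https://sp.example.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>{statement_extra}
 </saml2:Assertion>
</saml2p:Response>"""


BROKEN_RESPONSE = _response("", "")  # first post: no NameID, no AttributeStatement
FIXED_RESPONSE = _response(  # after the fix: NameID plus the released attributes
    f'<saml2:NameID Format="{UNSPECIFIED}">scambra@example.com</saml2:NameID>',
    '<saml2:AttributeStatement><saml2:Attribute Name="username"><saml2:AttributeValue>scambra@example.com'
    '</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="email"><saml2:AttributeValue>'
    'scambra@example.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>')
NOW = datetime(2019, 4, 8, 11, 5, 0, tzinfo=timezone.utc)  # inside the assertion's 5-minute window
```

`diagnose(BROKEN_RESPONSE, sp_requirements(SP_METADATA_UNSPEC), NOW)` reports "Subject has no NameID" and "no AttributeStatement", which is the state the first post was in; `FIXED_RESPONSE` passes cleanly against the unspecified metadata, but checked against the emailAddress metadata it is flagged for a NameID Format mismatch, which is the disagreement the follow-up post resolved by changing the SP side. A clean structural result is a debugging aid, not an authentication decision: the SP still has to verify the signature with the IdP's metadata certificate and reject replayed assertion IDs.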