By: John Williams user 19 Jun 2019 at 11:14 a.m. CDT

6 Responses
Hi, when our app tries to process the inbound (Gluu idp-init) SAML assertion it is not reading the NameID. In the Gluu UI "Configure Custom NameId" option, I have Source-Attribute="Email" and NameId-Type="emailAddress". On the SP side it authenticates OK with Spring SAML, but the NameId within the SAML credentials (org.springframework.security.saml.SAMLCredential()) seems to be in a base64-like format. Other creds like local/remote EntityID are in cleartext. I would expect the email address in clear text here, allowing us to do our own local auth for the app. (It's clear text for another test IDP provider.) I think it might be some bad/missing configuration on the Gluu server. Appreciate any suggestions you might have.

By Mohib Zico staff 26 Jun 2019 at 10:02 a.m. CDT

Hello John, if NameID is properly configured, you will not see its value in clear text in the SAML assertion of Gluu Server; basically that's how Shibboleth works. On the other hand, you will see something like "NameID configured ... etc. etc." in the SAML assertion, OR "NameID can't be configured ....". SAML assertion means the DEBUG log from 'idp-process.log' ( /opt/shibboleth/logs/ ).

By John Williams user 05 Jul 2019 at 12:42 p.m. CDT

Hi Mohib, thanks for your reply. In the idp-process.log we are seeing:

    WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format

Under <gluuServer>/identity/saml/nameid we have configured the Custom NameId to be: Source Attribute: Email, NameId Type: emailAddress. Our expectation is that this would have been reflected in the IDP metadata at <gluuServer>/idp/shibboleth, but it isn't. The IDP metadata has:

    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

We would have expected to see something like this included too:

    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>

By Mohib Zico staff 05 Jul 2019 at 12:53 p.m. CDT

>> Ignoring NameIDFormat metadata that includes the 'unspecified' format

There are two meanings of this message:
- Some configuration is still talking about the 'unspecified' type. Either the SP metadata, or the SP itself, or something inside your Gluu Server.
- There is no other properly configured NameID available, i.e. emailAddress isn't configured properly.

By John Williams user 10 Jul 2019 at 12:16 p.m. CDT

Hi Mohib, I've removed the reference to "unspecified" in the sp_metadata. That's fine. Using the Firefox saml-tracer extension, the decoded SAML assertion gives me:

    <saml2:Issuer>https://ubuntuGluuVM/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://ubuntuGluuVM/idp/shibboleth"
                    SPNameQualifier="sp_app_test"
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      >AAdzZWNyZXQxrzma+EkBD77Ys2xvWkzdXrFlSV37QDiV4CkbXQWFLV+euUV0yyKTnJxbmauzbRjtmOwzDHgzFIKRGMB5vcMVqzT3y16wUivuPLxDyZ/OKAZfjPG98g==</saml2:NameID>

This is in contrast to another SAML IdP server which gives the email address in cleartext at this point. The SAML custom NameId would seem to be configured correctly in attribute-resolver.xml:

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
      <resolver:Dependency ref="siteLDAP" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                 nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>

I notice there is no reference to "nameid-format:emailAddress" in the /idp/shibboleth metadata, which I would have expected.

By John Williams user 11 Jul 2019 at 11:49 a.m. CDT

This previous post describes the problem I'm having: https://support.gluu.org/single-sign-on/4489/using-email-address-for-nameid-in-saml/ I'm still falling short of finding a solution though.

By Mohib Zico staff 11 Jul 2019 at 12:15 p.m. CDT

Please share all your configs, I will take a look as soon as I can manage some time:
- `/opt/shibboleth/conf`
- `/opt/gluu/jetty/identity/conf/shibboleth/idp`
- SP metadata
- Trust relationship screenshots