By: Guilherme Capilé Account Admin 20 Aug 2019 at 4 p.m. CDT

3 Responses
I'd expect to receive something like this in the SAML response:

```
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="https://idp.example.org/idp/shibboleth"
              SPNameQualifier="https://sp.example.org/plugins/servlet/samlsso">123456789</saml2:NameID>
```

But after enabling the Custom NameIDs as documented, restarting services and waiting, they still keep displaying as:

```
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="https://idp.example.org/idp/shibboleth"
              SPNameQualifier="https://sp.example.org/plugins/servlet/samlsso"
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQxJPQjfpj8GnzN7YwJEPS3iU9YMM8YwGJjF8bo...F5EgQ53lI0Ct31uks3SRmP61MzaIlIGSLP</saml2:NameID>
```

The same happens for other attributes as well, no matter whether it's persistent, transient or emailaddress.

Also, despite having the attribute UID and setting it as both the NameID and a SAML attribute, it's not showing in either. Browsing through the users, I can see it clearly synchronized (it came from Cache Refresh).

The attribute mapping is too verbose. Can't we simplify it (through configuration) from:

```
<saml2:Attribute FriendlyName="displayName"
                 Name="urn:oid:2.16.840.1.113730.3.1.241"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>Guilherme Capilé</saml2:AttributeValue>
</saml2:Attribute>
```

To:

```
<saml2:Attribute Name="displayName"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>Guilherme Capilé</saml2:AttributeValue>
</saml2:Attribute>
```

The reason is that for some services we have to configure all the attributes as "urn:oid:2.16.840.1.113730.3.1.241"...

Another question: is there a way to import/export only the RDN attribute from the memberof (or similar attribute, imported from LDAP), that is, only "admin" and not "cn=admin,ou=groups,dc=example,dc=com"?

Thanks in advance,
Guilherme Capilé

By Guilherme Capilé Account Admin 20 Aug 2019 at 4:02 p.m. CDT

By the way, I've configured the Trust Relationship relying party to never encrypt/sign any attribute or NameID.

By Michael Schwartz staff 20 Aug 2019 at 8:13 p.m. CDT

Can't help you on your first question, but on the second:

```
Another question: is there a way to import/export only the RDN attribute from the memberof (or similar attribute, imported from LDAP, that is, only "admin" and not "cn=admin,ou=groups,dc=example,dc=com"?
```

If you are syncing from AD, you can use the cache-refresh custom interception script: you can iterate through the `memberOf` attributes, split the dn group on `,` and `cn=`... that should leave you with the admin by itself.
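
Added example, not part of the original replies and not Gluu's own script code: the string handling described above as plain Python helpers that a cache-refresh interception script could call. The function names are hypothetical, the Gluu script interface is not shown, and the sample DNs are constructed; it goes beyond a plain split on `,` by honoring RFC 4514 escaping, so a group named `Ops\, Admin` is not truncated.

```python
import re

# RFC 4514 escapes: a hex pair ("\2C") or an escaped special character ("\,").
_ESCAPE = re.compile(r'\\([0-9a-fA-F]{2}|.)')

def _unescape(value):
    # Each hex pair is decoded as one character; multi-byte UTF-8 escape
    # sequences are not reassembled here.
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return _ESCAPE.sub(repl, value)

def first_ava(dn):
    """Return the first attribute=value pair of dn, stopping at the first
    unescaped ',' (next RDN) or '+' (multi-valued RDN)."""
    i = 0
    while i < len(dn):
        if dn[i] == '\\':
            i += 2          # skip the backslash and the character it escapes
            continue
        if dn[i] in ',+':
            break
        i += 1
    return dn[:i]

def rdn_value(dn, attr_type='cn'):
    """'cn=admin,ou=groups,dc=example,dc=com' -> 'admin'; None if no match."""
    if not dn:
        return None
    name, sep, value = first_ava(dn.lstrip()).partition('=')
    if not sep or name.strip().lower() != attr_type or not value:
        return None
    return _unescape(value)

def group_names(member_of_values, attr_type='cn'):
    """Map memberOf DNs to short names; drop unparsable and duplicate entries."""
    names = []
    for dn in member_of_values:
        name = rdn_value(dn, attr_type)
        if name is not None and name not in names:
            names.append(name)
    return names

# Constructed sample values, not taken from a real directory.
SAMPLE_MEMBER_OF = [
    'cn=admin,ou=groups,dc=example,dc=com',
    'CN=Ops\\, Admin,OU=Groups,DC=example,DC=com',
    'cn=admin,ou=other,dc=example,dc=com',
    'ou=groups,dc=example,dc=com',
]
```

After this reduction, two groups with the same `cn` in different containers (the first and third sample values) become the same string, so a service provider that authorizes on the short name can no longer tell them apart.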

By HARJINDER DHANJAL staff 21 Aug 2019 at 11:08 a.m. CDT

PersistentId and Transient will be big encrypted strings, but you can always get emailAddress, UID, etc. as plain-text strings, as they actually are.

Is it possible for you to share shibboleth-idp/conf/saml-nameid.xml and shibboleth-idp/conf/attribute-resolver.xml so that we can look at them and recommend the changes?

Or the best way would be if you can arrange a screen-sharing session; we can quickly look at it and resolve it.