By default, OneLogin passes Email as the NameID in the SAML assertion.
But I want to pass EmployeeID as the NameID in the SAML assertion, so that I would be able to identify the user on the basis of EmployeeID.
Is there any way to do so, or does OneLogin provide one?
In the application configuration, go to Parameters and edit the value for SAMLNameId.
When initiating a SAML authentication request (from the Service Provider), is there any way to give the Identity Provider the username/email address to set as a default on login screen? I'd like that username to be added in the IdP's username box.
Using SAML 2.0 with OneLogin.
I understand this can be done with the information within the AuthnRequest, but I cannot see any way of being able to modify that data.
is there any way to give the Identity Provider the username/email address to set as a default on login screen?
As far as I know, there is no standard way to indicate required attributes as part of a SAML authentication request sent by the SP. If you know this capability exists in the SAML specification, please share a link.
And even so, if hypothetically there were a way to ask for attributes in the authentication request, that would only suggest to the IdP that it consider sending and releasing those attributes back to the app, not that the attribute should be used in the login process/forms. That feature is entirely implementation-specific and depends on your choice of SAML2 identity provider.
I've set up Shibboleth IdP v3 to test my SP implementation. The SP sends a SAML logon request and the user is presented with the Shibboleth IdP credentials page, in which the user enters their Kerberos credentials (I've configured the login flow with KerberosAuthNConfiguration). The SAML response comes back with a NameID which has what looks like an encoded value. However, what I want is for the NameID element to contain the username that the user used to log in to the IdP credentials page.
I've had a few attempts at configuring the beans in the various XML configuration files without any luck. Has anybody tried something similar? Is this even possible to achieve?
If you look in the file saml-nameid.properties you will see the parameter idp.nameid.saml2.default. I suspect that your configuration is set to the default of urn:oasis:names:tc:SAML:2.0:nameid-format:transient, which is not an encoded value but rather a random string.
It sounds like you want to send a "persistent" identifier rather than a transient identifier. To do this:
Change idp.nameid.saml2.default to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Next, you will need to enable the Persistent NameID Generator in the file saml-nameid.xml.
Finally, you need to set the attribute to use in your NameID via the idp.persistentId.sourceAttribute property, also in saml-nameid.properties.
Details on how to do this can be found at the Shibboleth IdP PersistentNameIDGenerationConfiguration page.
I'm new to SAML and I'm trying to understand how a client's details are stored for SSO.
If I select a link in a browser to a service provider and I haven't been set up on the IdP, after I have my account created at the IdP and have authenticated to the SP, what is stored? Is it my IP address? If I tried to connect to the same SP from a different machine, would I need to be registered on the IdP again?
Or is it done another way?
Thank you
An IdP creates a SAML assertion about an authenticated subject.
Based upon the NameID format being used, an opaque handle ("transient" NameID format), an email address ("email" NameID format) or even some other id can be transmitted from the IdP to the SP. Furthermore, attribute statements can be used to transmit additional information about the subject.
Authentication happens on the IdP; however, how this has to take place is not defined in the SAMLv2 spec.
Once authentication has happened, a "session" is established at the IdP. Most IdP implementations use a cookie to track the "session". So when you return to the IdP again there is no need for re-authentication unless an SP mandates this ("ForceAuthn" in the SAML AuthnRequest).
This is only a quick overview, reading the SAMLv2 tech overview (https://wiki.oasis-open.org/security/Saml2TechOverview) certainly gives you more insights.
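The answer above describes what an SP receives: a NameID in some declared format plus optional attribute statements. The following is an added example, not code from any of the posts or from OneLogin, Shibboleth or Google, written to show how an SP reads the NameID, what the format URIs mean for how the value may be used, and how the SP can insist on the format it expects (or fall back to a named attribute such as an employee id, as the first question on this page wants). The sample response, the attribute names `employeeId` and `mail`, and the `choose_user_key` policy are all constructed for the example. It assumes the response's signature has already been verified and the assertion is not encrypted; parsing with the standard library as done here is not a substitute for either.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID format URIs (SAML 2.0 Core, section 8.3). The Format attribute is
# optional on <NameID>; when it is absent, "unspecified" is in effect.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample (not captured from any real IdP): an e-mail address in the
# NameID but declared as "unspecified", plus an attribute statement carrying a
# made-up employee id and the same e-mail address.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeId">
        <saml:AttributeValue>E12345</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_subject(response_xml):
    """Return (name_id_value, effective_format) from the first assertion."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    # A missing Format attribute means "unspecified" per the spec.
    return name_id.text.strip(), name_id.get("Format", UNSPECIFIED)


def extract_attributes(response_xml):
    """Return {Name: [values]} from the AttributeStatements of the first assertion."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def describe_name_id(fmt):
    """How an SP may use the identifier, following the semantics of each format."""
    return {
        TRANSIENT: "opaque, valid for this session only; do not store as a user key",
        PERSISTENT: "opaque, stable per (IdP, SP) pair; safe as a user key",
        EMAIL: "e-mail address; usable as a key only if the IdP guarantees uniqueness",
        UNSPECIFIED: "format not declared; meaning must be agreed out of band",
    }.get(fmt, "unknown format; reject unless explicitly expected")


def choose_user_key(response_xml, expected_format, attribute_fallback=None):
    """Pick the value that identifies the user (constructed SP policy).

    The SP decides up front which NameID format it accepts. If the NameID is not
    in that format, optionally fall back to a single-valued named attribute
    (e.g. employeeId); otherwise refuse, rather than silently keying on whatever
    the IdP happened to send.
    """
    value, fmt = extract_subject(response_xml)
    if fmt == expected_format:
        return value
    if attribute_fallback:
        values = extract_attributes(response_xml).get(attribute_fallback, [])
        if len(values) == 1 and values[0]:
            return values[0]
    raise ValueError(f"NameID format {fmt} not accepted and no usable "
                     f"{attribute_fallback!r} attribute")
```

Run against the sample, `choose_user_key(SAMPLE_RESPONSE, EMAIL, "employeeId")` refuses the "unspecified" NameID and returns the employee id from the attribute statement instead, while asking for `PERSISTENT` with no fallback raises. The point for the questions on this page: the format URI, not the shape of the value, is what tells the SP whether the identifier is stable enough to key a user record on.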
I'm trying to configure Google Apps as SAML IdP with Zoho as service provider.
After authentication, the SAML response XML from Google always contains the NameID Format as unspecified:
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">email#company.com</saml2:NameID>
Google Apps does have the option to change the NameID Format. Refer to this screenshot: Service Provider details.
But even if Email is selected as the NameID Format, the above response is present in the SAML Response XML.
The expected NameID Format in the response is as follows:
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email#company.com</saml2:NameID>
Is there a way to achieve this?
Check if Zoho-SP sends <AuthnRequest /> with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" to Google-IdP. If yes, send <AuthnRequest /> with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" from the Zoho-SP side and try.
Setting the NameID format in the IdP is only the default configuration. That setting won't be taken if the AuthnRequest specifies which NameID format is to be used to identify the user between IdP and SP upon authentication.
When initiating a SAML authentication request (from the Service Provider), is there any way to give the Identity Provider a hint as to which username to use? In my application I know which user it wants to authenticate (based on a unique link the user clicked in an e-mail), and I'd like that username to be prefilled in the IdP's username box.
Using SAML 2.0 with Active Directory Federation Services (AD FS) 2.1.
Yes, you can use the optional <saml:Subject> field in the AuthnRequest message sent from the SP to the IdP to request a specific subject from the IdP. See section 3.4.1 in the SAML2 spec.
I have no idea if ADFS respects that field though.
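Two answers on this page point at fields of the AuthnRequest: the Google/Zoho answer says the SP's requested NameID format (carried in `<samlp:NameIDPolicy>`) overrides the IdP's default, and the answer just above says `<saml:Subject>` can name the principal the SP expects. The following added example, not code from any post or from AD FS, Google or Zoho, builds such a request with the standard library and adds the SP-side check that belongs with it: both fields are requests, so the SP must confirm on the way back that the IdP actually honoured them. Entity ids, URLs and the subject `alice@example.com` are constructed; signing and the HTTP binding are left out.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NS = {"samlp": SAMLP, "saml": SAML}

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, name_id_format, subject=None):
    """Return an unsigned <samlp:AuthnRequest> as an XML string.

    name_id_format goes into <samlp:NameIDPolicy>, the format the SP wants the
    NameID returned in. subject, if given, becomes the optional <saml:Subject>
    of SAML Core section 3.4.1, naming the principal the SP expects the IdP to
    authenticate (the "hint" the question asks about).
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),  # xs:ID may not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING,
    })
    # Child order is fixed by the schema: Issuer, Subject, NameIDPolicy.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if subject is not None:
        subj = ET.SubElement(req, f"{{{SAML}}}Subject")
        name_id = ET.SubElement(subj, f"{{{SAML}}}NameID", {"Format": name_id_format})
        name_id.text = subject
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": name_id_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_policy(request_xml):
    """Return (subject_or_None, name_id_format) as the IdP would read them."""
    root = ET.fromstring(request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    fmt = policy.get("Format") if policy is not None else None
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return (name_id.text if name_id is not None else None), fmt


def response_matches_request(request_xml, response_name_id, response_format):
    """SP-side check once the response for this request arrives.

    An IdP that cannot satisfy the NameIDPolicy format is supposed to fail with
    the InvalidNameIDPolicy status rather than return another format, and an IdP
    that accepts a <Subject> must return an assertion for that same principal
    (SAML Core 3.4.1.4). Neither is guaranteed in practice, so an SP that uses
    the returned NameID as the user key verifies both before trusting the login.
    """
    wanted_subject, wanted_format = requested_policy(request_xml)
    if wanted_format is not None and response_format != wanted_format:
        return False
    if wanted_subject is not None and response_name_id != wanted_subject:
        return False
    return True
```

`build_authn_request(..., EMAIL_FORMAT, subject="alice@example.com")` yields a request whose `NameIDPolicy` asks for the email format and whose `Subject` names Alice; a response carrying a different format or a different principal makes `response_matches_request` return False, which is the case the unique-link scenario in the question most needs to catch. Whether the IdP prefills its login form from the `Subject` is, as the answers above say, up to the IdP.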