Shibboleth IDPv3 NameId with KerberosAuthNConfiguration - saml

I've set up Shibboleth IDPv3 to test my SP implementation. SP sends a SAML Logon request and the user is presented with the Shibboleth IDP credentials page in which the user enters their Kerberos credentials (I've configured the Loginflow with KerberosAuthNConfiguration). The SAML response comes back with a nameId which has what looks like an encoded value. However, what I want is the NameId element to contain the username that the user used to login to the IDP credentials page.
I had a few attempts at configuring the beans in the various XML configuration files, without any luck. Has anybody tried something similar? Is this even possible to achieve?

If you look in the file saml-nameid.properties you will see the parameter idp.nameid.saml2.default. I suspect that your configuration is set to the default of urn:oasis:names:tc:SAML:2.0:nameid-format:transient, which is not an encoded value but rather a random string.
It sounds like you want to send a "persistent" identifier rather than a transient identifier. To do this:
1) Change idp.nameid.saml2.default to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
2) Next, you will need to enable the Persistent NameID Generator in the file saml-nameid.xml.
3) Finally, you need to set the attribute to use in your NameID via the idp.persistentId.sourceAttribute property, also in saml-nameid.properties.
Details on how to do this can be found at the Shibboleth IdP PersistentNameIDGenerationConfiguration page.

Related

How to get metadata xml for SAML IdP initiated SSO

I need to get metadata XML for my IdP-initiated SSO. How can I get or create it?
I am using LightSaml.
Finally, I used this page:
https://www.samltool.com/idp_metadata.php
Be careful with the data you put here to generate the XML metadata; check twice that they are the same as in the SAMLResponse (and the SAMLRequest if you are using SP-initiated SSO). Otherwise it may cause configuration errors.

Can I get IdP Issuer URI and other info from an ADFS saml federation metadata file?

I've been provided a metadata.xml file from a client who is using ADFS, and had some questions getting this configured as an external SAML-based IdP. This is going to be integrated with a web application (LAMP stack, if that's relevant).
1) Can I extract the IdP Issuer URI from this XML file? I see entityID in the file, which is something like "http://sts.blablaba.com". Is this the same thing, or is this something I need to get separately from the client? Is this the same as the "Relying party trust id"?
2) I see an <X509Certificate> element that looks like a public key. Is this the signing cert I need to verify the SAML messages/assertions? Can I just copy/paste this into a .crt or .pem file? "DigestMethod", "DigestValue" and "SignatureValue" are also present.
3) With an OAuth2 flow, for instance, since it starts at the site, I can store redirects in a session and send users to different pages depending on what they were initially trying to access. It seems like this would be possible with an SP-initiated flow, but the client says this is going to be IdP-initiated. Is this type of post-login dynamic page redirection still possible, considering that the RelayState looks like a static value?
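The following is an added example (not from the question or from any vendor's code) showing how an SP can read the two things asked about in points 1 and 2 out of an IdP's federation metadata: the entityID attribute of the EntityDescriptor, and the signing certificate, which lives under a KeyDescriptor with use="signing" (or with no use attribute, which covers both uses). The DigestValue and SignatureValue elements belong to the ds:Signature over the metadata document itself and are not the signing key; this example simply skips them, and does not verify that metadata signature, which a consuming SP should still do out of band. The hostname, endpoint and certificate bytes in the sample are constructed placeholders.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: a real X509Certificate element holds base64 DER
# (hundreds of characters), often wrapped across several lines.
PLACEHOLDER_CERT = "MIIC" + "Q" * 100 + "=="

# Constructed sample resembling ADFS federation metadata (hypothetical host).
# The ds:Signature at the top signs the metadata document; the IdP's own
# signing certificate is the one under KeyDescriptor use="signing".
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://sts.example.test/adfs/services/trust">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>placeholder-signature-over-metadata</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTIONCERTPLACEHOLDER==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sts.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % PLACEHOLDER_CERT


def parse_idp_metadata(xml_text):
    """Return the IdP entityID, its signing certificate(s) as base64 DER,
    and the SingleSignOnService endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor root element")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both uses.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Metadata often wraps the base64; strip all whitespace.
                signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        raise ValueError("no signing certificate published in metadata")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": signing_certs, "sso": sso}


def to_pem(b64_der):
    """Wrap the base64 DER from metadata as a PEM certificate (64-char lines)."""
    body = "\n".join(textwrap.wrap(b64_der, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP issuer (entityID):", info["entity_id"])
    print("SSO endpoints:", info["sso"])
    print(to_pem(info["signing_certs"][0]))
```

Point the script at a real metadata file by reading it into `parse_idp_metadata`; the PEM it produces is what most SAML libraries expect for the IdP signing certificate, and the entityID is the value the SP should later compare against the Issuer of incoming responses.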

Can I set the email address from SP to Idp request?

When initiating a SAML authentication request (from the Service Provider), is there any way to give the Identity Provider the username/email address to set as a default on login screen? I'd like that username to be added in the IdP's username box.
Using SAML 2.0 with OneLogin
I understand this can be done with the information within the AuthnRequest, but I cannot see any way of being able to modify that data.
"is there any way to give the Identity Provider the username/email address to set as a default on login screen?"
As far as I know, there is no standard way to indicate required attributes as part of a SAML authentication request sent by the SP. If you know this capability exists in the SAML specification, please share a link.
And even so, if hypothetically there were a way to ask for attributes in the authentication request, that would only suggest to the IdP to consider sending and releasing those attributes back to the app, not that the attribute should be used in the login process/forms. That feature is entirely implementation specific and depends on your choice of SAML2 identity provider.

How should I extract a username from a SAML response?

I am writing a SAML SP and cannot figure out a uniform way to extract a user's username/login from the SAML response returned by the IdP. It looks like this information can be in a variety of places (NameID, Attribute) for different IdPs, and the IdP metadata does not seem to offer any hints.
Right now, I am using an extra configuration directive containing XPath for retrieving the username, but would like to eliminate this. Is this something I can specify in SP metadata?
It's unrelated to SAML metadata, but a proprietary configuration of your SP.
As you stated, you could use either the value of the NameID or the value of an Attribute Statement. If your SP allows SSO with different IdPs, this setting could be per IdP entity. E.g. one IdP may only support the transient NameID format; then you cannot use the value, as it's an opaque handle which must change all the time. To get some idea you may look at OpenAM's docs; it uses an 'Account Mapper' for this purpose (https://backstage.forgerock.com/docs/openam/13.5/admin-guide/chap-federation#sp-account-mapper)

InvalidNameIDPolicy working with ADFS

I have many clients that use SSO; for that we use SAML 2. Many of my clients use providers like Okta and PingIdentity, and a bunch of them ADFS. When doing the integration with ADFS, at the beginning it always raises this error when they come back with the SAMLResponse:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
  </samlp:StatusCode>
</samlp:Status>
I'm asking to use this as the name identifier:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
I'm pretty new to SAML and I just want to know what is happening on ADFS, since this is only happening with clients that use it.
Thanks a lot.
By default, ADFS sends the NameId format as "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". You can adjust it. See: https://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx
The other way to do this is to identify what attribute needs to be mapped to NameID, e.g. email address.
Have a normal LDAP rule for email.
Then have a Transform rule that transforms email to NameID and select the NameID format you need from the drop-down.
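The following is an added example, not code from any of the posts above or from OpenAM, ADFS or any other product. It ties together two of the answers on this page: the per-IdP "account mapper" idea (take the login from the NameID for one IdP, from a released attribute for another, and refuse a transient NameID because it is an opaque per-session handle), and the nested ADFS status shown in the InvalidNameIDPolicy question, where the detail code sits inside the top-level Requester code and is easy to miss if only the outer StatusCode is read. The IdP entityIDs, attribute name and sample responses are constructed, the responses are unsigned, and the code assumes the XML signature has already been verified by the SP's SAML library before this mapping step runs.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed per-IdP account-mapper table keyed by IdP entityID (hypothetical
# values). "nameid" entries list the NameID formats accepted as a stable login;
# "attribute" entries name the released attribute to use instead.
IDP_A = "https://idp-a.example.test/idp"
IDP_B = "https://idp-b.example.test/idp"
ACCOUNT_MAPPER = {
    IDP_A: {"source": "nameid", "formats": {FMT_EMAIL, FMT_PERSISTENT}},
    IDP_B: {"source": "attribute", "attribute": "mail"},
}


def status_chain(root):
    """StatusCode values, outermost first. ADFS nests the detail code
    (e.g. InvalidNameIDPolicy) inside the top-level Requester code."""
    chain = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        chain.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return chain


def response_status(xml_text):
    return status_chain(ET.fromstring(xml_text))


def extract_login(xml_text, expected_issuer):
    """Map a Response whose signature has already been verified to a login name."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise ValueError("issuer %r is not the IdP this SP expected" % issuer)
    chain = status_chain(root)
    if not chain or chain[0] != STATUS_SUCCESS:
        raise ValueError("IdP reported failure: " + " -> ".join(chain))
    mapping = ACCOUNT_MAPPER[issuer]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in response (encrypted or missing)")
    if mapping["source"] == "nameid":
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        if nameid is None:
            raise ValueError("subject carries no NameID")
        fmt = nameid.get("Format", FMT_UNSPECIFIED)  # absent Format means unspecified
        if fmt == FMT_TRANSIENT:
            raise ValueError("transient NameID is an opaque per-session handle, not a login")
        if fmt not in mapping["formats"]:
            raise ValueError("NameID format %s not accepted for this IdP" % fmt)
        return (nameid.text or "").strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == mapping["attribute"]:
            value = attr.findtext("saml:AttributeValue", namespaces=NS)
            if value and value.strip():
                return value.strip()
    raise ValueError("attribute %s was not released by the IdP" % mapping["attribute"])


def login_or_error(xml_text, expected_issuer):
    """Convenience wrapper: (login, None) on success, (None, reason) otherwise."""
    try:
        return extract_login(xml_text, expected_issuer), None
    except ValueError as exc:
        return None, str(exc)


# --- constructed, unsigned sample responses used below ---
def build_response(issuer, codes, nameid_format=None, nameid=None, attributes=()):
    """Assemble a minimal samlp:Response with a (possibly nested) status."""
    status = "".join('<samlp:StatusCode Value="%s">' % c for c in codes) + "</samlp:StatusCode>" * len(codes)
    assertion = ""
    if nameid is not None:
        attrs = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
                        '</saml:Attribute>' % (n, v) for n, v in attributes)
        assertion = ('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
                     '<saml:Issuer>%s</saml:Issuer><saml:Subject><saml:NameID Format="%s">%s</saml:NameID>'
                     '</saml:Subject><saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
                     % (issuer, nameid_format, nameid, attrs))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>%s</saml:Issuer>'
            '<samlp:Status>%s</samlp:Status>%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], issuer, status, assertion))


ADFS_ERROR = build_response(IDP_A, ["urn:oasis:names:tc:SAML:2.0:status:Requester",
                                    "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"])
OK_A = build_response(IDP_A, [STATUS_SUCCESS], FMT_EMAIL, "alice@example.test")
OK_B = build_response(IDP_B, [STATUS_SUCCESS], FMT_TRANSIENT, "_7f3a9c", [("mail", "bob@example.test")])
TRANSIENT_A = build_response(IDP_A, [STATUS_SUCCESS], FMT_TRANSIENT, "_0b12ee")
```

Run `login_or_error(ADFS_ERROR, IDP_A)` to see the full "Requester -> InvalidNameIDPolicy" chain surfaced in the error, and `login_or_error(TRANSIENT_A, IDP_A)` to see the transient NameID rejected even though the response itself is a Success; `OK_B` shows that an IdP that only issues transient NameIDs can still be mapped as long as it releases a usable attribute.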