Discussion:
where is transientId in SAML assertion
David Bantz
2014-09-22 22:02:35 UTC
Elementary question:
where, in the IdP's SAML assertion, is the transientId <https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTransientNameIdentifier> ("released to anyone" as recommended)?

Is it the ID in the assertion... the NameID in the Subject portion?

from process log:

11:40:34.099 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
- Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
- Retaining attribute oktanameid which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:690]
- Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717]
- Selecting the first attribute that can be encoded in to a name identifier
11:40:34.100 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501]
- Name identifier for relying party 'https://••••' will be built from attribute 'transientId'
11:40:34.101 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868]
- Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://••••••'

SAML assertion fragments:

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://••••" ID="_5a83f3c5e2d3e9f6eb30a6fbcc98f1cc" IssueInstant="2014-09-22T21:39:45.977Z" Version="2.0">...

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ade790abe4f75d0b979b039ce18912ea" IssueInstant="2014-09-22T21:39:45.977Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">...

<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="urn:mace:incommon:alaska.edu" SPNameQualifier="urn:amazon:webservices">_59ddcabea831dd654d8a75364ac70492</saml2:NameID>...
Christopher Bongaarts
2014-09-22 22:04:30 UTC
Yes (the value is "_59dd...0492".)
Post by David Bantz
where, in the IdP's SAML assertion, is the transientId
<https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTransientNameIdentifier>
("released to anyone" as recommended)?
Is it the ID in the assertion... the NameID in the Subject portion?
--
%% Christopher A. Bongaarts %% cab-***@public.gmane.org %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
Christopher Bongaarts
2014-09-22 22:05:59 UTC
Err, "yes" to the latter part (Subject->NameID).
Post by Christopher Bongaarts
Yes (the value is "_59dd...0492".)
where, in the IdP's SAML assertion, is the transientId
<https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTransientNameIdentifier>
("released to anyone" as recommended)?
Is it the ID in the assertion... the NameID in the Subject portion?
David Bantz
2014-09-24 21:53:35 UTC
So the transientId is in the NameID in Subject of the SAML assertion in the example I previously sent.
Thanks Chris.

A different vendor is unable to properly interpret the SAML assertion from my IdP,
and I haven’t been able to fathom why not, but notice that despite parallel
debug log entries that transientId will be used to construct NameID, a corresponding
NameID is not in the Subject. Instead there’s an EncryptedID.

[We know I’m sending the required attributes to the right end point at the vendor SP, but
alas, the vendor’s support staff have no access to any logs on their side of the transaction,
and they have no example of a SAML assertion that works with their SP,
so I’m floundering on what might be wrong and I might need to change. The vendor
is Blackboard Transact and eAccounts.]
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
- Retaining attribute transientId which may be encoded as a name identifier of format urn:mace:shibboleth:1.0:nameIdentifier
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
- Retaining attribute oktanameid which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:690]
- Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717]
- Selecting the first attribute that can be encoded in to a name identifier
10:13:00.500 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501]
- Name identifier for relying party 'https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt' will be built from attribute 'transientId'
10:13:00.501 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868]
- Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://sp...
10:13:00.501 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:733]
- Attempting to encrypt NameID to relying party 'https://sp...'

10:13:00.518 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:279]
- Assertion to be encrypted is:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8af127d6c08c145ea4d685a6d7b15935" IssueInstant="2014-09-24T18:13:00.497Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:alaska.edu</saml2:Issuer>

<saml2:Subject>
<saml2:EncryptedID>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_534e2d085ea251250b2c002dd8145e0c" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="_b20ce7ab579b8187fbb9317730046e00" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>…………</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>…………</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedID>
…
</saml2:Subject>


the audit log affirms that transientId was sent:

20140924T181300Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_A5769940A111B3384C7CB42D7DD85A86|https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt|urn:mace:shibboleth:2.0:profiles:saml2:sso|urn:mace:incommon:alaska.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_102ff00baad293c853ccee7284f68bf6|djdewolfe|urn:oasis:names:tc:SAML:2.0:ac:classes:Password|BbTLastName,transientId,BbTFirstName,BbTemail,BbTusername,BbTbannerID,oktanameid,|_bb39377c01d1057a84575052456c6a20||
Post by Christopher Bongaarts
Yes (the value is "_59dd...0492".)
Post by David Bantz
where, in the IdP's SAML assertion, is the transientId <https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTransientNameIdentifier> ("released to anyone" as recommended)?
Is it the ID in the assertion... the NameID in the Subject portion?
Kevin Foote
2014-09-24 23:22:56 UTC
Post by David Bantz
A different vendor is unable to properly interpret the SAML assertion from my IdP,
and I haven’t been able to fathom why not, but notice that despite parallel
debug log entries that transientId will be used to construct NameID, a corresponding
NameID is not in the Subject. Instead there’s an EncryptedID.
David,

Check your relying-party.xml for the ProfileConfiguration of the profile you are using, presumably SAML2SSOProfile.
Is this set? encryptNameIds="conditional"
And what is their end asking for?


--------
thanks
kevin.foote
--
To unsubscribe from this list send an email to users-***@shibboleth.net
Brent Putman
2014-09-25 00:20:35 UTC
Post by Kevin Foote
Post by David Bantz
A different vendor is unable to properly interpret the SAML assertion from my IdP,
and I haven’t been able to fathom why not, but notice that despite parallel
debug log entries that transientId will be used to construct NameID, a corresponding
NameID is not in the Subject. Instead there’s an EncryptedID.
David,
Check your relying-party.xml for the ProfileConfiguration of the profile you are using, presumably SAML2SSOProfile.
Is this set? encryptNameIds="conditional"
And what is their end asking for?
Right, David's encryptNameIds param must be set to "conditional" or
"always". If the RP doesn't support encrypted NameIDs (few probably
do), then you want to set that to "never". For the record, the
out-of-the-box default for all profiles is encryptNameIds="never".


And, based on your log info, you are actually sending a transient ID,
it's just encrypted. Those are orthogonal concepts.
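As an added example (not code from the thread or from the Shibboleth project), here is the check that David's two assertion dumps and Brent's answer describe, done in Python with only the standard library: locate the saml2:Subject and report whether the transient identifier arrived as a cleartext NameID or as an EncryptedID, the latter being the symptom of encryptNameIds="conditional" or "always" in relying-party.xml. The two assertion fragments are constructed to mirror the ones quoted above; their ID and CipherValue contents are placeholders.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed fragments modelled on the two assertions quoted in the thread
# (assertion IDs and cipher text are placeholders, not real data).
CLEAR_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_clear" Version="2.0">
<saml2:Subject><saml2:NameID Format="{TRANSIENT}" NameQualifier="urn:mace:incommon:alaska.edu"
 SPNameQualifier="urn:amazon:webservices">_59ddcabea831dd654d8a75364ac70492</saml2:NameID>
</saml2:Subject></saml2:Assertion>"""

ENCRYPTED_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_enc" Version="2.0">
<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></saml2:EncryptedID></saml2:Subject></saml2:Assertion>"""


def inspect_subject(xml_text: str) -> dict:
    """Find the first saml2:Subject (in a bare Assertion or a whole
    saml2p:Response) and describe the name identifier it carries."""
    root = ET.fromstring(xml_text)
    subject = next(root.iter(f"{{{SAML2}}}Subject"), None)
    if subject is None:
        return {"kind": "none"}
    name_id = subject.find(f"{{{SAML2}}}NameID")
    if name_id is not None:  # cleartext: the transientId is the element text
        fmt = name_id.get("Format")
        return {"kind": "NameID", "format": fmt, "transient": fmt == TRANSIENT,
                "value": (name_id.text or "").strip()}
    enc = subject.find(f"{{{SAML2}}}EncryptedID")
    if enc is not None:  # encrypted: only the SP's private key can recover it
        method = enc.find(f"{{{XENC}}}EncryptedData/{{{XENC}}}EncryptionMethod")
        return {"kind": "EncryptedID",
                "algorithm": None if method is None else method.get("Algorithm")}
    return {"kind": "none"}


def explain(xml_text: str) -> str:
    """Relate the finding to the IdP's encryptNameIds profile setting."""
    info = inspect_subject(xml_text)
    if info["kind"] == "NameID":
        return (f"cleartext NameID {info['value']} ({info['format']}); not encrypted, "
                "so encryptNameIds=never or conditional with no SP encryption key")
    if info["kind"] == "EncryptedID":
        return (f"EncryptedID ({info['algorithm']}); encryptNameIds is conditional or "
                "always for this relying party, so the SP must be able to decrypt it")
    return "Subject has neither NameID nor EncryptedID"
```

Run it against the decrypted assertion the IdP logs at "Assertion to be encrypted is:" or against a decoded SAMLResponse to see which case a given relying party gets.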