Michael Dahlberg
2014-08-26 17:29:35 UTC
I'm having a problem getting my IdP to provide the correct attributes to a
SP (maps.arcgis.com)
I've configured my IdP to release the userPrincipalName:
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="userPrincipalName"
                                  sourceAttributeID="userPrincipalName">
        <resolver:Dependency ref="myLDAP" />
        <!-- SAML 2.0 Core defines the "unspecified" format under the SAML 1.1 URN;
             there is no 2.0 "unspecified" format, so the original value
             urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified would never
             match an SP asking for the standard format -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                   nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>
and, by default, the transientId is released as well:
    <resolver:AttributeDefinition id="transientId"
                                  xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
                                   nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    </resolver:AttributeDefinition>
Configured in this manner, authentication occurs without a problem.
However, the site uses the transientId as the username. Obviously, this
is a problem because the work that a given user does is not available to
him/her on subsequent logins.
If I disable the release of the transientId by applying the following
Attribute Rule to this site's Attribute Filter Policy
    <afp:AttributeRule attributeID="transientId">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
authentication does not occur and I'm presented with the error "Unable to
login using Idp 'NAME_ID' not found in SAML response".
Is there any way I can create an attribute like the transientId that will
include 'NAME_ID' (not sure what that is) that I can then pass to the SP
with a consistent, easily recognizable value? Or am I approaching this in
the wrong manner?
Thanks,
Mike
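The check a practitioner would want here, added as an example that is not part of the original post or of the Shibboleth project: the "NAME_ID" the SP complains about is the saml:NameID inside the assertion's saml:Subject, which is a separate thing from the attributes in the AttributeStatement. The script below parses a SAML 2.0 Response (a constructed sample shaped like the one the post describes, with a transient NameID in the Subject and userPrincipalName only as an attribute; the issuer URL, entity names and values are made up, and the signature is omitted) and reports which NameID format the SP actually received, which is what decides whether the SP sees the same identifier on every login.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample (not a real capture): transient NameID in the Subject,
# userPrincipalName carried only as an attribute. Signature omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="https://idp.example.edu/idp/shibboleth"
          SPNameQualifier="maps.arcgis.com">_3f0a9c1b2d</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userPrincipalName">
        <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def summarize_response(xml_text):
    """Return the Subject NameID (format and value) and the released attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion or a malformed response has no plain Assertion.
        raise ValueError("no plaintext Assertion element in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "nameid_format": None if name_id is None else name_id.get("Format"),
        "nameid_value": None if name_id is None else name_id.text,
        "attributes": attrs,
    }


def diagnose(summary):
    """Explain what an SP that keys user accounts on the Subject NameID will see."""
    fmt = summary["nameid_format"]
    if fmt is None:
        return "no NameID in Subject: an SP that requires one rejects the login"
    if fmt == TRANSIENT:
        return "transient NameID: value differs on every login, so SP-side state is lost"
    if fmt == PERSISTENT:
        return "persistent NameID: same opaque value per user and SP on every login"
    return "NameID format %s: stability depends on the source attribute" % fmt


if __name__ == "__main__":
    summary = summarize_response(SAMPLE_RESPONSE)
    print(summary["nameid_format"], summary["nameid_value"])
    print(summary["attributes"])
    print(diagnose(summary))
```

Run it against a decoded SAMLResponse captured from a browser session (after base64-decoding the form parameter) to see whether the Subject carries the transient value or the stable identifier you intended; the attribute statement can contain the right attribute while the Subject still carries the transient NameID, which is exactly the symptom described above.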