Some SP and vendors wants a particular nameID to authorize acces to their services, ei eduPersonTargetedID as a persistentID . My objective is to be able to send this particular nameID only to specific SPs while still take advantage of a default nameid-format:transient for the other majority of SPs , so that I have no need to manage a SGBD to store persistent ID ( ei eduPersonTargeted ) in a DB .
reference :
configure saml-nameid.properties to set the source attribute of a computed persistent ID
[root@idp3 conf]# cat saml-nameid.properties # Properties involving SAML NameIdentifier/NameID generation/consumption # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: idp.persistentId.sourceAttribute = eduPersonPrincipalName idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. idp.persistentId.algorithm = SHA idp.persistentId.salt = secretpasslongenough # To use a database, use shibboleth.StoredPersistentIdGenerator idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
if it fails, setting idp.service.failFast = true in services.properties force IDP to fail start and showed me a fail on IDP startup with :
Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Service 'shibboleth.NameIdentifierGenerationService': could not perform initial load ry.BeanCreationException: Error creating bean with name 'shibboleth.ComputedPersistentIdGenerator' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Salt must be at least 16 bytes in size
the idp.persistentId.salt must be long enough !
then we need to uncommented <ref bean=“shibboleth.SAML2PersistentGenerator” /> in saml-nameid.xml expecting to get a Persitent nameID format for the targeted SP “https://services.renater.fr/shibboleth”
quite the same as in V3 , except here we choose mail attribute and validate advice to use BASE32 encoding
[root@idp4 conf]# vim saml-nameid.properties idp.persistentId.algorithm = SHA idp.persistentId.salt = secretpasslongenough16bytes idp.persistentId.sourceAttribute = mail idp.persistentId.useUnfilteredAttributes = true idp.persistentId.encoding = BASE32 idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
but finally , there's no need to get into CustomNameIDGenerationConfiguration : https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
nor list SPs in activationCondition
https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions (c:candidates="#{{'https://sp.example.com/shibboleth', 'https://another.example.com/shibboleth'}}" />
below bean parent=“shibboleth.SAML2AttributeSourcedGenerator” is commented
<!-- SAML 2 NameID Generation --> <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" > <property name="activationCondition"> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://services.renater.fr/shibboleth" /> </property> </bean> --> </util:list>
if federation metadata ask explicitly for the correct nameIDs as is the case with entityID=“https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp”
cf metadata below
uncomment bean=“shibboleth.SAML2PersistentGenerator”
[root@idp4 conf]# vim saml-nameid.xml <!-- SAML 2 NameID Generation --> <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <ref bean="shibboleth.SAML2PersistentGenerator" />
example
md:EntityDescriptor entityID="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"> <md:Extensions> <mdattr:EntityAttributes> <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
because NameIDFormat in edugain metadata above, lists persitent before transient then , no matter the order beans are defined in saml-nameid.xml (here transient before persistent)
<util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <ref bean="shibboleth.SAML2PersistentGenerator" /> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
that's the order in metadata that will decide which one to use .
Note also that the SP in question supports the eduPersonTargetedID attribute,
<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
oid 1.3.6.1.4.1.5923.1.1.1.10 stands for : eduPersonTargetedID ! (cf https://www.internet2.edu/products-services/trust-identity/mace-registries/internet2-object-identifier-oid-registrations/)
The NameID generation is separate from the attribute resolution. Now that we have the NameID working, we can generate the eduPersonTargetedID by modifying attribute-resolver-ldap.xml (attribute-resolver.xml). Here is my configuration:
<resolver:DataConnector xsi:type="dc:ComputedId" id="computedID" generatedAttributeID="computedID" sourceAttributeID="%{idp.persistentId.sourceAttribute}" salt="%{idp.persistentId.salt}"> <resolver:Dependency ref="myLDAP" /> </resolver:DataConnector> <resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID"> <resolver:Dependency ref="computedID" /> <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </resolver:AttributeDefinition>
xml syntaxe changes sligthly :
[root@idp4 conf]# vim attribute-resolver-ldap.xml <!-- jeh edupersonTargetedID eduroam monitor --> <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" > <InputDataConnector ref="computed" attributeNames="computedId" /> <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </AttributeDefinition> <!-- jeh edupersonTargetedID eduroam monitor --> <DataConnector id="computed" xsi:type="ComputedId" excludeResolutionPhases="c14n/attribute" generatedAttributeID="computedId" salt="%{idp.persistentId.salt}" algorithm="%{idp.persistentId.algorithm:SHA}" encoding="BASE32"> <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" /> </DataConnector>
aacli.sh is a script that allows us to test locally what the IDP with send as nameIDs and attributes for a specific SP and associated principal (login) . we tes here our persistendID requested by SP and eduPersonTargetedID required :
[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=procaccia --saml2 2017-12-19 13:38:33,906 - DEBUG [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:132] - Profile Action EncryptAssertions: Assertion before encryption: <?xml version="1.0" encoding="UTF-8"?> <saml2:Assertion ID="_f4d649d8cada1f44d2efa5ff53ff3324" IssueInstant="2017-12-19T12:38:33.763Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:Issuer>https://idp3.tem-tsp.eu/idp/shibboleth</saml2:Issuer> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp3.tem-tsp.eu/idp/shibboleth" SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">cypRgyH6cq0Iifq1UFZGlgCKLDB=</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData Address="191.160.129.124" InResponseTo="_652d7ff66093e86dc79aa45711b99f7dfdcf7a2501" NotOnOrAfter="2017-12-19T12:43:33.835Z" Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2017-12-19T12:38:33.763Z" NotOnOrAfter="2017-12-19T12:43:33.763Z"> <saml2:AudienceRestriction> <saml2:Audience>https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2017-12-19T12:38:27.135Z" SessionIndex="_26a4eacab6d659a933907f74b73cf807"> <saml2:SubjectLocality Address="191.160.129.124"/> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procaccia</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">jehan.procaccia@tem-tsp.eu</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp3.tem-tsp.eu/idp/shibboleth" SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">cypRgyH6cq0Iifq1UFZGlgCKLDB=</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procaccia@tem-tsp.eu</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> 2017-12-19 13:38:34,036 - INFO [Shibboleth-Audit.SSO:241] - 20171219T123834Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_652d7ff66093e86dc79aa45711b99f7dfdcf7a2501|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.tem-tsp.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_e20f43530af84efaaf7f001d4ecc0f6f|procaccia|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport| uid,mail,eduPersonTargetedID,eduPersonPrincipalName|cypRgyH6cq0Iifq1UFZGlgCKLDA=|_f4d649d8cada1f44d2efa5ff53ff3324|
[root@idp4 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=proc { "requester": "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp", "principal": "proc", "attributes": [ { "name": "eduPersonTargetedID", "values": [ "RJRXNKY474MMFO27SECRE3DKNTPAKY5V" ] }, { "name": "displayName", "values": [ "Jeh PROC" ] }, { "name": "mail", "values": [ "jeh.proc@em-tsp.eu" ] } ] }
2022-05-02 22:50:53,593 - 157.159.10.9 - INFO [Shibboleth-Audit.SSO:283] - 157.159.10.9|2022-05-02T20:50:25.379162Z|2022-05-02T20:50:53.593227Z|procac|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|_5265b1224215d57621ebc3dd7e2263a5|password|2022-05-02T20:50:41.088993Z|mail,eduPersonTargetedID,displayName|AAdzZWNyZXQxfd6FaL2H/oTzHRhzrhRYxB4SV1aFGDPXSKgf8zyheoU7yyMyorGzsRIiss4rp0v/kQTJARgY693ws9C2ZVVfJ1AguusrwvXlzIDKsXNispCRrjWnL7UOuyXxgfPo1I9EopKzRRcf0HI2RXd9cRI7UQIuuI1ufkrTMS/TzuuSEZzd96bfeUA=|transient|false|true|AES128-CBC|Redirect|POST||Success||d2c06d37c962ed62666b31a6791aaf0a1b27467c8719dcbb865de58ed67b78f5|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.3