NameID in the SAML2.0


NameID in the SAML2.0

Fabio Falcone

Hi,

I have OpenAM 10 configured as SAML2.0 IDP. I must configure it so that the IDP passes the user “cn” as NameID in the SAML2.0 response to the SP.


Example:

Now in the SAML Response I have this Name ID

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
             NameQualifier="https://***************"
             >FQ+kCefsz+UxSImHBsQvDqW9Ir4G</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_c6536eb1190f03f62a28443c2b920e414ff15287"
                                  NotOnOrAfter="2016-04-15T07:04:01Z"
                                  Recipient="*************"
                                  />

<saml:Attribute Name="cn">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string"
                         >User01</saml:AttributeValue>


I want to have this NameID in the Response:

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
             NameQualifier="https://***************"
             >User01</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_c6536eb1190f03f62a28443c2b920e414ff15287"
                                  NotOnOrAfter="2016-04-15T07:04:01Z"
                                  Recipient="*************"
                                  />

<saml:Attribute Name="cn">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string"
                         >User01</saml:AttributeValue>



Is it possible to do so and how?

Thanks


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: NameID in the SAML2.0

Peter Major
The SAML spec only allows opaque values for the NameID element when the
NameID-Format is transient. You should change your NameID-Format to
something else (like unspecified), and then you should be able to use
Name ID Value Mapping settings in your IdP.

cheers,
Peter

On 2016. 04. 15. 8:15, Fabio Falcone wrote:

Re: NameID in the SAML2.0

Fabio Falcone

Hi Peter,

I configured the IDP Content in this way:

Inline image 1



But the Response does not change. What did I do wrong?


Thanks



2016-04-15 9:15 GMT+02:00 Fabio Falcone <[hidden email]>:


Re: NameID in the SAML2.0

Peter Major
Your SP either requests transient NameID-Format in the AuthnRequest, or
the SP metadata lists transient as the first preferred NameID-Format.

On 2016. 04. 15. 8:52, Fabio Falcone wrote:

Re: NameID in the SAML2.0

Fabio Falcone
Peter,

In my metadata I have this:

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

and in the SP Assertion Content this:

Inline image 1




Thanks,

--Fabio

2016-04-15 9:52 GMT+02:00 Fabio Falcone <[hidden email]>:

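Peter's two points, that a transient NameID must stay opaque and that a NameIDPolicy in the AuthnRequest takes precedence over the order of NameIDFormat entries in the SP metadata, checked in code against metadata shaped like the one Fabio posted. This is an added example, not code from the thread or from OpenAM; the entity and request IDs and the sample XML are constructed, and the selection rule is the one stated in the thread (a real IdP also filters by the formats it supports itself).

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 assertions, protocol messages and metadata.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def select_nameid_format(authn_request_xml, sp_metadata_xml):
    """Rule as stated in the thread: a NameIDPolicy Format in the AuthnRequest
    wins; otherwise the first <NameIDFormat> in the SP metadata is preferred."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if policy is not None and policy.get("Format"):
        return policy.get("Format"), "AuthnRequest NameIDPolicy"
    first = ET.fromstring(sp_metadata_xml).find(".//md:NameIDFormat", NS)
    return (first.text.strip() if first is not None else None), "SP metadata order"

def transient_nameid_leaks(assertion_xml):
    """A transient NameID must be opaque. Flag an assertion whose transient
    NameID equals one of its own attribute values (e.g. the user's cn)."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:NameID", NS)
    if nameid is None or nameid.get("Format") != TRANSIENT:
        return False
    values = {v.text for v in root.iterfind(".//saml:AttributeValue", NS)}
    return nameid.text in values

# Constructed samples (not captured from the poster's deployment).
SP_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sp.example">
  <SPSSODescriptor><NameIDFormat>{UNSPECIFIED}</NameIDFormat>
  <NameIDFormat>{TRANSIENT}</NameIDFormat></SPSSODescriptor></EntityDescriptor>"""
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_r1">
  <samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="true"/></samlp:AuthnRequest>"""
AUTHN_REQUEST_NO_POLICY = f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_r2"/>'

def assertion(nameid_value):
    """Minimal assertion with a transient NameID and a cn attribute of User01."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1">
  <saml:Subject><saml:NameID Format="{TRANSIENT}">{nameid_value}</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="cn">
    <saml:AttributeValue>User01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(select_nameid_format(AUTHN_REQUEST, SP_METADATA))            # transient, from the request
    print(select_nameid_format(AUTHN_REQUEST_NO_POLICY, SP_METADATA))  # unspecified, from metadata
    print(transient_nameid_leaks(assertion("User01")))                 # True: cn exposed as transient ID
    print(transient_nameid_leaks(assertion("FQ+kCefsz+UxSImHBsQvDqW9Ir4G")))  # False
```

With metadata listing unspecified first, only an AuthnRequest that asks for transient explains a transient NameID in the response, which is the case Peter describes.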