
I'm developing an SSO using simpleSAMLphp.

I configured the service provider and the IdP correctly, but I have to send the XML to the SP with a NameID in a specific format.

How can I do this? In the metadata, or can I do it through the code?

Thanks,

Anthony
JokiRuiz
  • Could you be a bit more vague? Are you saying the Service Provider expects the XML with the name id formatted but you don't know how to format the nameid value? – Anthony Jul 14 '14 at 08:26
  • Does it have anything to do with the `NameIDFormat` mentioned in their docs? https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote – Anthony Jul 14 '14 at 08:31
  • Exactly, Anthony. I have to pass the NameID to the Service Provider in this format: "key1:value1; key2:value2", and I'm not sure where I should change this in the Identity Provider. It's my first time using this authentication method. – JokiRuiz Jul 14 '14 at 08:32
  • There is also this: https://simplesamlphp.org/docs/stable/saml:nameid It would help your question quite a bit if you could give some indication of what you have control over. How do you get the values in the NameID before handing them off? Where do you hand them off? Why can't you format before the hand-off? What do the actual values in the NameID correspond to? Who is the SP / what is the SP's base library? Maybe there is a name for this format and the library automatically knows to use that format when specified. Maybe it's a known quirk with the SP that is special, etc. – Anthony Jul 14 '14 at 08:39

3 Answers

I sorted it already; I post the solution below.

In the IdP authsources config file:

```
'idp-name' => array(
    ...
    'message' => 'key1:'.$value1.';key2:'.$value2,
    ...
),
```

And in the metadata of the Service Provider (saml20-sp-remote.php):

```
...
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:persistent',
'simplesaml.nameidattribute' => 'message',
...
```

Then in your code you only have to specify $value1 and $value2 before doing the authentication.

Thanks to Anthony for the help.

JokiRuiz

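The answer above sets `message` statically in the authsource. As an added example (not code from the answer or from the simpleSAMLphp project), the following hosted-IdP metadata derives the same "key1:value1;key2:value2" string from two released attributes at login time with a `core:PHP` authproc filter and then hands it to `saml:AttributeNameID`. The attribute names `key1` and `key2`, and the `example-userpass` authsource and key/certificate file names, are assumptions for the example. Because the SP splits the NameID on `:` and `;`, the filter refuses to release a value that contains either delimiter, so the IdP never emits a NameID the SP could parse into different pairs than the IdP intended.

```php
<?php
// metadata/saml20-idp-hosted.php (added example, not from the answers above).
// Assumes the authsource already releases attributes named 'key1' and 'key2'
// (hypothetical names); the IdP derives a composite 'message' attribute from
// them and then uses it as the persistent NameID.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',        // assumed file names
    'certificate' => 'server.crt',
    'auth'        => 'example-userpass',  // assumed authsource name

    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    'authproc' => [
        // 1. Build the composite value. The SP parses "key1:value1;key2:value2",
        //    so a value that itself contains ':' or ';' would be ambiguous to the
        //    SP. Fail closed (the login is aborted) instead of emitting it.
        10 => [
            'class' => 'core:PHP',
            'code'  => '
                foreach (["key1", "key2"] as $name) {
                    if (empty($attributes[$name][0])) {
                        throw new \Exception("Missing attribute " . $name);
                    }
                    if (preg_match("/[:;]/", $attributes[$name][0])) {
                        throw new \Exception("Delimiter in attribute " . $name);
                    }
                }
                $attributes["message"] = [
                    "key1:" . $attributes["key1"][0] . ";key2:" . $attributes["key2"][0],
                ];
            ',
        ],
        // 2. Use the derived attribute as the NameID. Filters run in ascending
        //    priority order, so 20 runs after the core:PHP filter at 10.
        20 => [
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'message',
            'Format'    => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        ],
    ],
];
```

One caveat on the format choice: a `persistent` NameID is meant to be a stable, opaque identifier for the same user at the same SP. If `key1` or `key2` can change for a user, the SP will see a different NameID and treat the login as a new identity, so the attributes you compose into it should be ones that never change for that account.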

In the metadata/saml20-idp-hosted, add this configuration:

```
  /* Custom nameID */
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  'authproc' => array(
    3 => array(
      'class' => 'saml:AttributeNameID',
      'attribute' => 'uid',
      'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    ),
  ),
```

You'll receive this in the SAML Response assertion:

```
<saml:Subject>
<saml:NameID SPNameQualifier="http://127.0.0.1:8080/auth/realms/external"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>student</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2020-10-07T12:12:25Z"
Recipient="http://127.0.0.1:8080/auth/realms/external/broker/simplesaml/endpoint"
InResponseTo="ID_8c4e1542-b034-4e42-93db-cec8de2e76e4"
/>
</saml:SubjectConfirmation>
</saml:Subject>
```
Dharman

yoborider

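To confirm on the SP side that the NameID really arrived in the format the SP was configured for (the `Format` and `SPNameQualifier` seen in the assertion above), here is an added check, not code from the answer or from simpleSAMLphp. It only inspects the `Subject` element; signature, `Conditions` and `SubjectConfirmationData` checks stay with the SP library. The sample assertion is constructed from the one shown in the answer.

```php
<?php
declare(strict_types=1);

// Added example (not from the answer above): extract the NameID of a SAML
// assertion and compare its Format and SPNameQualifier against what the SP
// expects. Signature and condition validation are left to the SP library.

const SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';

/**
 * Returns ['format', 'spNameQualifier', 'value'] for the assertion's NameID,
 * or throws if there is not exactly one NameID in the Subject.
 */
function extractNameId(string $xml): array
{
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Response is not well-formed XML');
    }
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('saml', SAML_NS);
    $nodes = $xp->query('//saml:Assertion/saml:Subject/saml:NameID');
    if ($nodes->length !== 1) {
        throw new RuntimeException('Expected exactly one NameID, found ' . $nodes->length);
    }
    $nameId = $nodes->item(0);
    return [
        'format'          => $nameId->getAttribute('Format'),
        'spNameQualifier' => $nameId->getAttribute('SPNameQualifier'),
        'value'           => trim($nameId->textContent),
    ];
}

/** True only if both Format and SPNameQualifier match the SP's configuration. */
function nameIdMatches(array $nameId, string $expectedFormat, string $expectedQualifier): bool
{
    return $nameId['format'] === $expectedFormat
        && $nameId['spNameQualifier'] === $expectedQualifier;
}

// Constructed sample, modelled on the assertion shown in the answer (wrapped in
// an Assertion element so the XPath is the same as for a full Response).
$sample = <<<XML
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID SPNameQualifier="http://127.0.0.1:8080/auth/realms/external"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">student</saml:NameID>
  </saml:Subject>
</saml:Assertion>
XML;

$nameId = extractNameId($sample);
$ok = nameIdMatches(
    $nameId,
    'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'http://127.0.0.1:8080/auth/realms/external'
);
echo $ok ? "NameID format as configured\n" : "NameID format mismatch\n";
```

A mismatch here is the symptom described in the answers: the IdP is still emitting `transient` (or the SAML 1.1 persistent URN) while the SP metadata declares the 2.0 `persistent` format, so the two sides never agree on the identifier.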

This may be an old question, but when I recently ran into this issue, I thought I could simply edit saml20-sp-remote.php and change the nameid-format to whatever I needed. I needed to change mine from transient to persistent since my SP was expecting that. Simply replacing "transient" with "persistent" won't work. The nameidattribute value must be changed as well. What I had there was 'SAML_SUBJECT' instead of NameID. In my saml20-sp-remote.php, the attributes section looks as follows:

```
'attributes' => array(
    0 => 'SAML_SUBJECT',
    1 => 'NameID',
    2 => 'ClientID',
    3 => 'FirstName',
    4 => 'LastName',
    5 => 'Email',
),
```

Once my nameidattribute value was changed to NameID, instead of SAML_SUBJECT which was my default, I was able to use persistent nameid-format. Hope this helps someone.

Blackbam

Pius