We are trying to do a single setup with Shibboleth Identity Provider 3 and 1 service.
We have configured the Shibboleth IDP3 to use the OpenLDAP service that we are running. This is working, as authentication is successful (see the green underlined part of the image). This is with a user we created in the LDAP who is named 'test'.
Now the problem is that the entire transaction fails because we seem to lack a nameid in our SAML response.
We have made multiple attempts to fix this, here are some of the changes we tried.
In attribute-resolver-ldap.xml we added:
<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>
In attribute-resolver.xml we added an AttributeDefinition and a DataConnector as follows:
<!--
    Attribute definition that expects to get the 'email' attribute from the ldap connector
    defined as its dependency and encode it as a SAML 2 name identifier.
-->
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="googleNameID"
                              sourceAttributeID="cn">
    <!--
        The data connector expected to provide the source attribute, email. Note how the
        value of the 'ref' attribute is the identifier given to the LDAP data connector.
    -->
    <resolver:Dependency ref="ldap" />
    <!-- Encoder that transforms the attribute into a SAML2 NameID -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
DataConnector (the <..> values are filled in correctly):
<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="ldap"
                        ldapURL="ldap://localhost:389"
                        baseDN="dc=<FIRSTDC>,dc=<SECONDDC>"
                        principal="cn=admin,dc=<FIRSTDC>,dc=<SECONDDC>"
                        principalCredential="<PASS>">
    <FilterTemplate>
        <![CDATA[
            (cn=test)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>
In the saml-nameid.xml file we added a NameID generator (we did this for both SAML1 and SAML2):
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'mail'} }" />
In our ldap.properties file we assume we have configured everything correctly as the authentication itself works fine.
The error at the service side is that it can't process the SAML message:
Caused by: org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
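As an added example (not part of the question and not Shibboleth's own tooling), here is a small Python checker that cross-references the two files edited above: it inventories the AttributeDefinition and DataConnector ids in attribute-resolver.xml, checks that every Dependency ref points at one of them, and checks that each attribute id listed in a SAML2AttributeSourcedGenerator bean's p:attributeSourceIds in saml-nameid.xml actually has an AttributeDefinition. The sample inputs are constructed from the snippets in the question; the 'myLDAP' connector that the 'mail' definition refers to is not shown in the question and is deliberately left out of the sample so the output shows what a dangling dependency looks like. The DN components and password are placeholders.

```python
import re
import xml.etree.ElementTree as ET

P_NS = "{http://www.springframework.org/schema/p}"

# Constructed sample attribute-resolver.xml: the two AttributeDefinitions and the
# DataConnector quoted in the question, wrapped in a minimal root element with the
# namespace declarations they use. "myLDAP" is intentionally not defined here.
ATTRIBUTE_RESOLVER_XML = """
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
      id="googleNameID" sourceAttributeID="cn">
    <resolver:Dependency ref="ldap" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
  </resolver:AttributeDefinition>

  <resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      id="ldap" ldapURL="ldap://localhost:389"
      baseDN="dc=PLACEHOLDER,dc=example" principal="cn=admin,dc=PLACEHOLDER,dc=example"
      principalCredential="PLACEHOLDER">
    <FilterTemplate><![CDATA[(cn=test)]]></FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""

# Constructed sample saml-nameid.xml: the generator bean from the question placed in
# the shibboleth.SAML2NameIDGenerators list that the IdP v3 default file declares.
SAML_NAMEID_XML = """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }" />
  </util:list>
</beans>
"""


def _local(name):
    """Strip an XML namespace ('{uri}Tag') or a QName prefix ('ad:Simple')."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]


def resolver_inventory(resolver_xml):
    """Return (definition ids, connector ids, [(owner id, dependency ref)])."""
    root = ET.fromstring(resolver_xml)
    definitions, connectors, dependencies = set(), set(), []
    for el in root.iter():
        kind = _local(el.tag)
        if kind == "AttributeDefinition":
            definitions.add(el.get("id"))
        elif kind == "DataConnector":
            connectors.add(el.get("id"))
        if kind in ("AttributeDefinition", "DataConnector"):
            for child in el:
                if _local(child.tag) == "Dependency":
                    dependencies.append((el.get("id"), child.get("ref")))
    return definitions, connectors, dependencies


def generator_sources(nameid_xml):
    """Return [(parent bean, NameID format, [attribute ids])] per AttributeSourcedGenerator bean."""
    root = ET.fromstring(nameid_xml)
    found = []
    for bean in root.iter():
        parent = bean.get("parent", "")
        if _local(bean.tag) == "bean" and parent.endswith("AttributeSourcedGenerator"):
            # p:attributeSourceIds carries a SpEL list literal such as "#{ {'mail'} }"
            ids = re.findall(r"'([^']*)'", bean.get(P_NS + "attributeSourceIds", ""))
            found.append((parent, bean.get(P_NS + "format"), ids))
    return found


def check_nameid_wiring(resolver_xml, nameid_xml):
    """Cross-check the two files; return a list of findings (empty list means consistent)."""
    definitions, connectors, dependencies = resolver_inventory(resolver_xml)
    findings = []
    for owner, ref in dependencies:
        if ref not in definitions and ref not in connectors:
            findings.append(f"'{owner}' depends on '{ref}', which is defined nowhere in attribute-resolver.xml")
    generators = generator_sources(nameid_xml)
    if not generators:
        findings.append("no AttributeSourcedGenerator bean found in saml-nameid.xml")
    for parent, fmt, ids in generators:
        for attr_id in ids:
            if attr_id not in definitions:
                findings.append(f"{parent} ({fmt}) sources '{attr_id}', which has no AttributeDefinition")
    return findings


if __name__ == "__main__":
    for line in check_nameid_wiring(ATTRIBUTE_RESOLVER_XML, SAML_NAMEID_XML) or ["OK"]:
        print(line)
```

Run against real files by replacing the two constants with the contents of conf/attribute-resolver.xml and conf/saml-nameid.xml. The checker only verifies id wiring between the files; it cannot tell whether the LDAP search actually returns a value for the source attribute for the logged-in user, or whether attribute-filter.xml releases that attribute to the relying party, both of which the attribute-sourced generator also needs before a NameID can be produced.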