
I've set up Shibboleth IDPv3 to test my SP implementation. SP sends a SAML Logon request and the user is presented with the Shibboleth IDP credentials page in which the user enters their Kerberos credentials (I've configured the Loginflow with KerberosAuthNConfiguration). The SAML response comes back with a nameId which has what looks like an encoded value. However, what I want is the NameId element to contain the username that the user used to login to the IDP credentials page.

I had a few attempts by trying to configure the beans in the various XML configuration files without any luck. Has anybody tried something similar? Is this even possible to achieve?

1 Answer


If you look in the file saml-nameid.properties you will see the parameter idp.nameid.saml2.default. I suspect that your configuration is set to the default of urn:oasis:names:tc:SAML:2.0:nameid-format:transient which is not an encoded value, but rather a random string.

It sounds like you want to send a "persistent" identifier rather than a transient identifier. To do this,

  1. Change idp.nameid.saml2.default to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  2. Next, you will need to enable the Persistent NameID Generator in the file saml-nameid.xml.
  3. Finally you need to set the attribute to use in your nameid via the idp.persistentId.sourceAttribute property, also in saml-nameid.properties.

Details on how to do this can be found at the Shibboleth IdP PersistentNameIDGenerationConfiguration page.

rlandster
  • That makes sense; however, I am still not sure if it is possible to have the NameID populated dynamically with whatever username the user enters to log in to the IdP credentials page with Kerberos after the SAML request has been sent. So, if a user logs in with credentials testuser, testpass, I want the NameID to come back as testuser in the SAML response. – pmolyv85 May 09 '17 at 18:25
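A concrete configuration for the three steps in the answer, as an added example that is not part of the answer or of the Shibboleth project's documentation: the generator list in conf/saml-nameid.xml with the persistent generator enabled. The matching settings in conf/saml-nameid.properties are `idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, `idp.persistentId.sourceAttribute = uid` and `idp.persistentId.salt = <long random string>`; the attribute id `uid` and the salt are assumptions for this example. One caveat a practitioner should know before following the steps: the default persistent generator (shibboleth.ComputedPersistentIdGenerator) emits a salted hash computed over the source attribute and the SP's entityID, so the NameID will still not be the plain username from the login page. The last bean below, which the IdP ships commented out in the same file, is the one that copies a resolved attribute's value into the NameID unchanged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/saml-nameid.xml, relevant part only. Added example, not the page's or
     the Shibboleth project's own file; the SAML1 generator list is omitted. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- The IdP chooses a Format from the SP's request or metadata, falling back to
         idp.nameid.saml2.default, then uses the first generator registered for it. -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <!-- Step 2 of the answer: enable the persistent generator. It requires
             idp.persistentId.sourceAttribute (and, for the computed generator,
             idp.persistentId.salt) in saml-nameid.properties, and it emits a
             salted hash of that attribute plus the SP entityID, not the raw value. -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />

        <!-- Keep transient available for SPs that do not ask for persistent. -->
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Alternative: put a resolved attribute's value into the NameID unchanged.
             'uid' is an assumed attribute id; it must be defined in
             attribute-resolver.xml and, by default, released to the SP by
             attribute-filter.xml, otherwise this generator produces nothing. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
              p:attributeSourceIds="#{ {'uid'} }" />

    </util:list>

</beans>
```

Restart the IdP (or wait for its configuration reload) after editing, then check the SP side: an SP that requests or is registered with the persistent Format receives the hashed identifier, while one that accepts the unspecified Format receives the `uid` value as-is. Treat the salt like a key: changing it changes every persistent identifier the IdP has ever issued.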