We are trying to do a single setup with Shibboleth Identity Provider 3 and 1 service.
We have configured the Shibboleth IDP3 to use the OpenLDAP service that we are running. This is working as authentication is succesful. (see green underlined part image). This is with a user we created in the LDAP who is named 'test'.
Now the problem is that the entire transaction fails because we seem to lack a nameid in our SAML response.
We have made multiple attempts to fix this, here are some of the changes we tried.
In attribute-resolver-ldap.xml we added:
<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>
In attribute-resolver.xml we added an attributedefinition and a dataconnector as follows:
<!--
Attribute definition that expects to get the 'email' attribute from the ldap connector
defined as its dependency and encode it as a SAML 2 name identifier.
-->
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="googleNameID"
sourceAttributeID="cn">
<!--
The data connector expected to provide the source attribute, email. Note how the
value of the 'ref' attribute is the identifier given to the LDAP data connector.
-->
<resolver:Dependency ref="ldap" />
<!-- Encoder that transforms the attribute into a SAML2 NameID -->
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
dataconnector (the <..> values are filled in correctly):
<!-- An LDAP connector that pulls in, at least, an attribute called email. -->
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="ldap"
ldapURL="ldap://localhost:389"
baseDN="dc=<FIRSTDC>,dc=<SECONDDC>"
principal="cn=admin,dc=<FIRSTDC>,dc=<SECONDDC>"
principalCredential="<PASS>">
<FilterTemplate>
<![CDATA[
(cn=test)
]]>
</FilterTemplate>
</resolver:DataConnector>
In the saml-nameid.xml file we added a nameIDgenerator (we did this for both SAML1 and 2):
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
In our ldap.properties file we assume we have configured everything correctly as the authentication itself works fine.
The error at the service side is that it can't process the SAML message:
Caused by: org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
There could be many reason for this. There are some issues I could see in the configuration you have provided:
In attribute-resolver.xml, you have defined AttributeDefinition ID as id="googleNameID" while AttributeSourceIDs in saml-nameid.xml is set as p:attributeSourceIds="#{ {'mail'} }". These IDs should be exactly same. Change your AttributeDefinition in attribute-resolver.xml to:
<resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="mail" sourceAttributeID="cn">
<resolver:Dependency ref="ldap" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="mail" friendlyName="mail"/>
</resolver:AttributeDefinition>
In conf/saml-nameid.properties, uncomment and set default NameID as EmailAddress like this:
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
You have not defined any Attribute Filter Policy. Add the following to the conf/attribute-filter.xml:
<afp:AttributeFilterPolicy id="ldapAttributes">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<afp:AttributeRule attributeID="mail">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
Related
I have a logic app in Azure. The trigger is to check when an email arrives into a specific folder in a mailbox. An email may contain 1 or more attachments.
Once triggered, I have an HTTP request that gets sent to a SOAP service. The idea is that I want to check if the filename exists at the SOAP Service.
Its all working perfectly, with the exception, when I reference the filename from the trigger, it includes the file extension. I need to somehow ignore the ".PDF" part of the filename
Below is the XML I post to the SOAP service. Lets say the filename is 12345.pdf, then I need /UniversalEvent/Event/ContextCollection/Context/Value to = "12345" and not "12345.pdf":
<UniversalEvent xmlns="http://www.cargowise.com/Schemas/Universal/2011/11" version="1.1">
<Event>
<DataContext>
<DataTargetCollection>
<DataTarget>
<Type>ForwardingShipment</Type>
</DataTarget>
</DataTargetCollection>
</DataContext>
<EventTime>#{utcNow()}</EventTime>
<EventType>Z77</EventType>
<EventReference>Requesting Shipment ID</EventReference>
<IsEstimate>false</IsEstimate>
<ContextCollection>
<Context>
<Type>HAWBNumber</Type>
<Value>#{items('For_each')?['name']}</Value>
</Context>
</ContextCollection>
</Event>
</UniversalEvent>
do you have any suggestions on what function to use to achieve this?
You can change the expression #{items('For_each')?['name']} in your xml to:
#{substring(items('For_each')?['name'], 0, indexOf(items('For_each')?['name'], '.'))}
UPDATE
I found that if I add a trusted cert to SPOptions.ServiceCertificates and set SPOptions.AuthenticateRequestSigningBehavior = Sustainsys.Saml2.Configuration.SigningBehavior.IfIdpWantAuthnRequestsSigned; and set IdentityProvider.WantAuthnRequestsSigned = true, the signature element is included.
Original Question:
Having troubles connecting to an IDP with the following AuthnRequest:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="idf299bf8aa08542d193e022cb047e5ecc" Version="2.0" IssueInstant="2019-07-23T00:10:13Z" Destination="https://example-idp.com" AssertionConsumerServiceURL="https://example-sp.com/Acs">
<saml2:Issuer>https://example-sp.com</saml2:Issuer>
</saml2p:AuthnRequest>
The IDP says: "SignatureStatus: NOT_PRESENT". I'm guessing that means that the authnrequest should have a <ds:Signature section? If so, how do I configure Sustainsys.Saml2.AspNetCore2 to include it?
The metadata xml I received from the idp contains a <ds:Signature section, but looking at the source code for Sustainsys.Saml2.AspNetCore2, it looks like that part of the metadata gets ignored when deserializing?
I'm not very familiar with the internals of SAML, so sorry if this is a silly question.
You'll want to generate a self-signed .pfx file that contains both your public cert and private key. We use azure key vault, but you could also use openssl. Lots of resources that explain how to generate one of those and load it into a c# X509Certificate2 instance.
Once you have an instance of X509Certificate2, set options.SPOptions.AuthenticateRequestSigningBehavior = Sustainsys.Saml2.Configuration.SigningBehavior.IfIdpWantAuthnRequestsSigned;
And set IdentityProvider.WantAuthnRequestsSigned = true.
And then add the X509Certificate2 instance like so: options.SPOptions.ServiceCertificates.Add(myX509Certificate2);
Then run your app and start the SAML SSO process. You can use hookbin or the like to see what it sends in the AuthnRequest for SAMLRequest. You can extract the xml from that by url decoding it and then base64 decoding it like so in javascript, for instance to confirm signature xml is set and correct: atob(decodeURIComponent(samlRequestValue))
Hi earlier we were using below authorizationEntry to access(read/write) queues starting with "queue.".
Corresponding entry from activemq.xml
<authorizationEntry queue="queue.>"
read="test" write="test" admin="test" />
As per the latest requirement from client(External system), is there a possibility to access queues starting with "queue.".without credentials(username/password)
please let us know what changes we have to make in activemq.xml or configuration to achieve the same i.e., access queues without credentials
These queues are used in routes created using apache-camel ,spring DSL language
as said in doc :
To allow anonymous access to the broker, use anonymousAccessAllowed
attribute and set it to true as shown above. Now, when the client
connects without username and password provided, a default username
(anonymous) and group (anonymous) will be assigned to its security
context. You can use this username and password to authorize client's
access to appropriate broker resources (see the next section). You can
also change username and group that will be assigned to anonymous
users by using anonymousUser and anonymousGroup attributes.
src http://activemq.apache.org/security.html#Security-Anonymousaccess
so i think this can do the stuff
<simpleAuthenticationPlugin anonymousAccessAllowed="true">
<users>
<authenticationUser username="system" password="manager" groups="users,admins" />
<authenticationUser username="user" password="password" groups="users" />
<authenticationUser username="guest" password="password" groups="guests" />
<authenticationUser username="test" password="test" groups="test" />
</users>
</simpleAuthenticationPlugin>
<authorizationEntry queue="queue.>" read="test,anonymous" write="test,anonymous" admin="test,anonymous" />
if you use Advisory you have to add authorized groups to create Advisory topics :
<authorizationEntry topic="ActiveMQ.Advisory.>" read="anonymous" write="anonymous" admin="anonymous"/>
I'm trying to configure Windows Server 2012 r2 ADFS 3.0 to send the NameID to Shibboleth 2.6 SAML 2.0 SP, but I keep on getting these errors:
2016-11-15 10:07:07 WARN Shibboleth.AttributeResolver.Query [1]: can't attempt attribute query, either no NameID or no metadata to use
2016-11-15 10:07:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_7e425978e43bc32c86393f518b26eb3e) IdP (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.168.50.131)
I understand that this has something to do about passing the NameID attribute from the ADFS IDP and displaying the nameID in Shibboleth SAML 2.0 SP.
I've also read that you need to set a rule in ADFS IDP to pass the Email Address, and transform the Email address to become a NameID. I have done that, and have these rules:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
However, I have observed that the configuration seems compatible only with SAML 1.0, but not 2.0 (maybe).
So, I went on by adding the name attributes. I tried transient, persistent, and emailAddress, and trying both SAML 1.0 and SAML 2.0 configurations.
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="NameID"/>
Question:
So, what is the proper way of configuring ADFS IDP to send the NameID to the Shibboleth SP and display the Session attribute when going to my application Session page?
Specifically, what is the proper output for Claim Rules that I should expect? and how should the XML configuration for Shibboleth attribute-map.xml look like?
https://c-app01.contoso.com/Shibboleth.sso/Session
Solution:
The solution is to create two rules inside "Issuance Transform Rules" tab in the Relying Party. Here are the Rules to be set:
Add a Rule to Send LDAP Attributes as Claims
Add a Rule to Transform an Incoming Claim
Also, make sure that Permit Access to All Users is inside Issuance Authorization Rules tab.
Instructions:
Add a Rule to Send LDAP Attributes as Claims:
Claim Rule Name: Email
Attribute Store: Active Directory
Mapping of LDAP: E-mail-Address to E-mail Address
This will map the Email address.
Add a rule to Transform An Incoming Claim:
Claim rule name: EmailToNameID
Incoming Claim Type: E-Mail Address
Outgoing Claim Type: Name ID
Outgoing Name ID Format: Email
Make sure "Pass Through Claim Values" is selected.
The setting above for "Transform An Incoming Claim" will give you the following claim rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
After that, you may configure the attribute-map.xml like so:
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="Email"/>
My Mistake:
I found out that every setting in my Claims Rules is correct, except that the rules for Email and EmailToNameID should be under the Issuance Transform Rules Tab of the Relying Party.
I'm getting error message in Novell iManager "The XML is malformed. cvc-complex-type.2.4.a: Invalid content was found starting with element 'md:EncryptionMethod'. One of '{"http://www.w3.org/2000/09/xmldsig#":KeyInfo}' is expected." when add this service provider metadata:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://.../" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="true">
<md:KeyDescriptor use="encryption">
<md:EncryptionMethod xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>...</X509Certificate></X509Data>
</KeyInfo>
</md:KeyDescriptor>
<md:AssertionConsumerService isDefault="true" index="0" Location="https://.." Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</md:SPSSODescriptor>
<md:Organization>...</md:Organization>
...
</md:EntityDescriptor>
What I do in Novell iManager: IdentityServers -> AH DMZ Identity Server -> New Trusted Provider -> Service Provider -> Source: Metadata Text
The strange thing is that it complains on lack of KeyInfo element while it's here with the correct namespace. Any idea why it might be?
If I specify third-party metadata from here: https://federation.njedge.net/metadata/njedge-fed-metadata.xml it says
"The XML is malformed.
cvc-complex-type.2.4.a: Invalid content was found starting with element 'Organization'. One of '{"http://www.w3.org/2000/09/xmldsig#":Signature, "urn:oasis:names:tc:SAML:2.0:metadata":Extensions, "urn:oasis:names:tc:SAML:2.0:metadata":RoleDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":IDPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":SPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AuthnAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AttributeAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":PDPDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AffiliationDescriptor}' is expected.
"
Looks like it expects some service provider specific metadata file format, and unfortunately I was unable to find any information about different formats of SAML 2.0 metadata.
Loos like there were 2 issues:
1) Novell expects strict order of elements
2) It does not recognize default namespace like <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> instead use <somenamespace:KeyInfo xmlns:somenamespace="http://www.w3.org/2000/09/xmldsig#">
weird :)