===== Persistent NameID =====

==== context ====

Some SPs and vendors want a particular nameID to authorize access to their services, e.g. eduPersonTargetedID as a persistent ID.

My objective is to be able to send this particular nameID only to specific SPs while still taking advantage of a default //nameid-format:transient// for the large majority of other SPs, so that I have no need to manage a DBMS to store persistent IDs (e.g. eduPersonTargetedID) in a database.

references:

  * https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration
  * https://services.renater.fr/federation/docs/installation/idp3/chap11#creer_un_attribut_persistentidedupersontargetedid
  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID#NativeSPTargetedID-SAML2.0Attribute
  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID

===== nameID =====

==== saml-nameid.properties ====

Configure saml-nameid.properties to set the source attribute of a computed persistent ID:

<code bash>
[root@idp3 conf]# cat saml-nameid.properties
# Properties involving SAML NameIdentifier/NameID generation/consumption
# Persistent IDs can be computed on the fly with a hash, or managed in a database
# For computed IDs, set a source attribute and a secret salt:
idp.persistentId.sourceAttribute = eduPersonPrincipalName
idp.persistentId.useUnfilteredAttributes = true
# Do *NOT* share the salt with other people, it's like divulging your private key.
idp.persistentId.algorithm = SHA
idp.persistentId.salt = secretpasslongenough
# To use a database, use shibboleth.StoredPersistentIdGenerator
idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
</code>

If it fails, setting //idp.service.failFast = true// in //services.properties// forces the IdP to refuse to start, and showed me the following error on IdP startup:

<code>
Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Service 'shibboleth.NameIdentifierGenerationService': could not perform initial load
ry.BeanCreationException: Error creating bean with name 'shibboleth.ComputedPersistentIdGenerator' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Salt must be at least 16 bytes in size
</code>

The idp.persistentId.salt must be long enough (at least 16 bytes)!

Then we need to uncomment the corresponding bean in saml-nameid.xml, expecting to get a Persistent nameID format for the targeted SP "https://services.renater.fr/shibboleth".

=== idp v4 ===

Quite the same as in v3, except that here we choose the mail attribute and validate the advice to use BASE32 encoding:

<code bash>
[root@idp4 conf]# vim saml-nameid.properties
idp.persistentId.algorithm = SHA
idp.persistentId.salt = secretpasslongenough16bytes
idp.persistentId.sourceAttribute = mail
idp.persistentId.useUnfilteredAttributes = true
idp.persistentId.encoding = BASE32
idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
</code>

==== saml-nameid.xml ====

But finally, there's no need to get into CustomNameIDGenerationConfiguration (https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration), nor to list SPs in an activationCondition (https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions) such as:

<code xml>
c:candidates="#{{'https://sp.example.com/shibboleth', 'https://another.example.com/shibboleth'}}" />
</code>

below the //bean parent="shibboleth.SAML2AttributeSourcedGenerator"//, which stays commented out, if the federation metadata asks explicitly for the correct nameID, as is the case with entityID="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp" (cf. metadata below).

=== idp v4 ===

Uncomment bean="shibboleth.SAML2PersistentGenerator":

<code bash>
[root@idp4 conf]# vim saml-nameid.xml
</code>

==== metadata requesting persistent ID ====

Example:

<code xml>
<md:EntityDescriptor entityID="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">
  ...
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  ...
</md:EntityDescriptor>
</code>

Because the NameIDFormat elements in the eduGAIN metadata above list //persistent// before //transient//, then no matter the order in which the beans are defined in saml-nameid.xml (here transient before persistent), it is the order in the metadata that decides which one to use.

Note also that the SP in question supports the eduPersonTargetedID attribute: OID 1.3.6.1.4.1.5923.1.1.1.10 stands for eduPersonTargetedID! (cf. https://www.internet2.edu/products-services/trust-identity/mace-registries/internet2-object-identifier-oid-registrations/)

===== attribute eduPersonTargetedID =====

The NameID generation is separate from the attribute resolution. Now that we have the NameID working, we can generate the //eduPersonTargetedID// by modifying attribute-resolver-ldap.xml (attribute-resolver.xml). Here is my configuration:

=== resolver idp 4 ===

The XML syntax changes slightly:

<code bash>
[root@idp4 conf]# vim attribute-resolver-ldap.xml
</code>

===== test / validate with aacli =====

aacli.sh is a script that allows us to test locally what the IdP will send as nameIDs and attributes for a specific SP and associated principal (login).
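Before running aacli it is useful to predict which NameID format the IdP will pick for a given SP. The following is an added example (my code, not from this page or from the Shibboleth project) that applies the rule explained in the saml-nameid.xml section above to a constructed metadata fragment modelled on the monitor.eduroam.org SP; the fallback to the first configured generator when an SP lists no NameIDFormat, and the "no common format" outcome, are assumptions.

```python
"""Predict which SAML2 NameID format a Shibboleth IdP will choose for an SP.

Rule (from the page): the SP's NameIDFormat elements are consulted in metadata
document order and the first one the IdP can generate wins, whatever the order
of the generator beans in saml-nameid.xml. Assumption: an SP that lists no
NameIDFormat gets the IdP's first configured generator.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Generator bean order in saml-nameid.xml as on this page: transient first.
IDP_FORMATS = [TRANSIENT, PERSISTENT]

# Constructed sample metadata (persistent listed before transient, like the eduroam SP).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat>
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_formats(metadata_xml: str) -> list:
    """Return the SP's NameIDFormat values in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text]


def choose_nameid_format(metadata_xml: str, idp_formats=IDP_FORMATS):
    """First SP-requested format the IdP can generate, or the default if none is requested."""
    wanted = requested_formats(metadata_xml)
    if not wanted:
        return idp_formats[0]  # assumption: first configured generator is the default
    for fmt in wanted:
        if fmt in idp_formats:
            return fmt
    return None  # nothing in common: the IdP cannot satisfy this SP's request


if __name__ == "__main__":
    # persistent wins even though transient is configured first on the IdP side
    print(choose_nameid_format(SP_METADATA))
```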
We test here our persistent ID requested by the SP and the required eduPersonTargetedID:

<code bash>
[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=procaccia --saml2
2017-12-19 13:38:33,906 - DEBUG [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:132] - Profile Action EncryptAssertions: Assertion before encryption:
https://idp3.tem-tsp.eu/idp/shibboleth
cypRgyH6cq0Iifq1UFZGlgCKLDB=
https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
procaccia
jehan.procaccia@tem-tsp.eu
cypRgyH6cq0Iifq1UFZGlgCKLDB=
procaccia@tem-tsp.eu
2017-12-19 13:38:34,036 - INFO [Shibboleth-Audit.SSO:241] - 20171219T123834Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_652d7ff66093e86dc79aa45711b99f7dfdcf7a2501|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.tem-tsp.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_e20f43530af84efaaf7f001d4ecc0f6f|procaccia|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport| uid,mail,eduPersonTargetedID,eduPersonPrincipalName|cypRgyH6cq0Iifq1UFZGlgCKLDA=|_f4d649d8cada1f44d2efa5ff53ff3324|
</code>

=== aacli idp v4 ===

<code bash>
[root@idp4 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=proc
{
  "requester": "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp",
  "principal": "proc",
  "attributes": [
    {
      "name": "eduPersonTargetedID",
      "values": [ "RJRXNKY474MMFO27SECRE3DKNTPAKY5V" ]
    },
    {
      "name": "displayName",
      "values": [ "Jeh PROC" ]
    },
    {
      "name": "mail",
      "values": [ "jeh.proc@em-tsp.eu" ]
    }
  ]
}
</code>

==== idp v4 logs ====

<code>
2022-05-02 22:50:53,593 - 157.159.10.9 - INFO [Shibboleth-Audit.SSO:283] - 157.159.10.9|2022-05-02T20:50:25.379162Z|2022-05-02T20:50:53.593227Z|procac|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|_5265b1224215d57621ebc3dd7e2263a5|password|2022-05-02T20:50:41.088993Z|mail,eduPersonTargetedID,displayName|AAdzZWNyZXQxfd6FaL2H/oTzHRhzrhRYxB4SV1aFGDPXSKgf8zyheoU7yyMyorGzsRIiss4rp0v/kQTJARgY693ws9C2ZVVfJ1AguusrwvXlzIDKsXNispCRrjWnL7UOuyXxgfPo1I9EopKzRRcf0HI2RXd9cRI7UQIuuI1ufkrTMS/TzuuSEZzd96bfeUA=|transient|false|true|AES128-CBC|Redirect|POST||Success||d2c06d37c962ed62666b31a6791aaf0a1b27467c8719dcbb865de58ed67b78f5|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.3
</code>
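The persistent NameID / eduPersonTargetedID values printed by aacli above are deterministic, so here is an added reimplementation of the computed-ID derivation (my example, not IdP code) that shows what they depend on and why the salt must stay secret and be at least 16 bytes, as in the saml-nameid.properties sections. The hash input layout relyingPartyId!sourceValue!salt is my reading of ComputedPersistentIdGenerator and is an assumption; the salt and user are constructed, so the values will not match those on the page.

```python
"""Reimplementation of the Shibboleth computed persistent ID (added example, not IdP code).

Assumption: the IdP feeds "<relyingPartyId>!<sourceAttributeValue>!<salt>" to the
digest named by idp.persistentId.algorithm (Java "SHA" = SHA-1) and encodes the
digest per idp.persistentId.encoding (BASE64 in v3, BASE32 as chosen for v4 above).
"""
import base64
import hashlib

MIN_SALT_BYTES = 16  # the IdP refuses shorter salts at startup (see the error above)


def computed_persistent_id(relying_party_id: str, source_value: str, salt: str,
                           algorithm: str = "SHA", encoding: str = "BASE64") -> str:
    """Pairwise ID: same user gives a different, but stable, value for each SP."""
    salt_bytes = salt.encode("utf-8")
    if len(salt_bytes) < MIN_SALT_BYTES:
        raise ValueError("Salt must be at least 16 bytes in size")
    h = hashlib.new("sha1" if algorithm.upper() == "SHA" else algorithm.lower())
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt_bytes)
    digest = h.digest()
    if encoding.upper() == "BASE32":
        return base64.b32encode(digest).decode("ascii")  # 20 bytes -> 32 chars, no padding
    return base64.b64encode(digest).decode("ascii")      # 20 bytes -> 28 chars, ends with "="


SP_EDUROAM = "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"
SP_RENATER = "https://services.renater.fr/shibboleth"
SALT = "constructed-salt-of-at-least-16-bytes"  # constructed; a real salt is never published
USER = "someone@example.org"                     # constructed source attribute value (mail/eppn)


def demo() -> dict:
    """Same user seen by two SPs, in v3 (BASE64) and v4 (BASE32) encodings."""
    return {
        "v3_eduroam": computed_persistent_id(SP_EDUROAM, USER, SALT),
        "v3_eduroam_again": computed_persistent_id(SP_EDUROAM, USER, SALT),
        "v3_renater": computed_persistent_id(SP_RENATER, USER, SALT),
        "v4_eduroam": computed_persistent_id(SP_EDUROAM, USER, SALT, encoding="BASE32"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the value is a keyed hash of the SP's entityID, two SPs cannot correlate the same user unless they share the salt, which is exactly why the properties file warns never to divulge it.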