From: Sander A. <sa....@fz...> - 2021-10-01 05:46:19
Good morning Krzysztof,

On Thu, 2021-09-23 at 12:45 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 23.09.2021 at 07:17, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > I have two short questions about SAML NameID and unity. In past
> > weeks I got two user tickets because their login with 3rd party IdP failed.
> > In both cases the log showed that the IdP did not use NameID format.
> > Both IdP admins said they didn't change it or didn't send it in past.
> > Did unity become more strict here between 3.3.4 and 3.5.1?
>
> Well, I don't recall anything clearly related, but it is a bit hard to say
> without knowing a bit wider context.
>
> Do I read this correctly that the SAML answer contained NameID without
> specifying the format attribute? - which in general means that the format
> is unspecified.
>
> Can you write which element had this nameID? Is it about the authenticated
> entity? Or the IdP identifier? Unity log would be here also very
> helpful, especially if it contains some error.

I have to check when this happens the next time.

> > One IdP admin reported the NameIdPolicy in AuthRequest is empty, see
> > screenshot. Is this intended?
>
> AFAIR this is configurable: unity authenticator has "accepted name
> formats" config, and you can have it left empty what would allow any
> format (and the NameIdPolicy you have pasted).

Yes there is config about it and it was empty. But after setting this, the policy is still empty.
Here is my IdP config:

unity.saml.requester.remoteIdp.marine.name=MarineID IdP
unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
unity.saml.requester.remoteIdp.marine.certificate=MARINEID
unity.saml.requester.remoteIdp.marine.translationProfile=tr-input-marineid
unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
unity.saml.requester.remoteIdp.marine.requestedNameFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Do you see some error within?

Cheers,
Sander

>
> HTH,
> Krzysztof
>

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Dr. Astrid Lambrecht,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------