From: Krzysztof B. <kb...@un...> - 2021-10-04 09:55:33
Hi Sander,

On 01.10.2021 at 07:46, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> On Thu, 2021-09-23 at 12:45 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 23.09.2021 at 07:17, Sander Apweiler wrote:
>>> Good morning Krzysztof,
>>> good morning Roman,
>>>
>>> I have two short questions about SAML NameID and unity. In past
>>> weeks I got two user tickets because their login with 3rd party IdP
>>> failed. In both cases the log showed that the IdP did not use NameID
>>> format. Both IdP admins said they didn't change it or didn't send it
>>> in past. Did unity become more strict here between 3.3.4 and 3.5.1?
>> Well, I don't recall anything clearly related, but it is a bit hard to
>> say without knowing a bit wider context.
>>
>> Do I read this correctly that the SAML answer contained NameID without
>> specifying the format attribute? - which in general means that the
>> format is unspecified.
>>
>> Can you write which element had this NameID? Is it about the
>> authenticated entity? Or the IdP identifier? Unity log would be here
>> also very helpful, especially if it contains some error.
> I have to check when this happens the next time.
>>> One IdP admin reported the NameIdPolicy in AuthRequest is empty, see
>>> screenshot. Is this intended?
>> AFAIR this is configurable: unity authenticator has "accepted name
>> formats" config, and you can have it left empty which would allow any
>> format (and the NameIdPolicy you have pasted).
> Yes there is config about it and it was empty. But after setting this,
> the policy is still empty.
>
> Here is my IdP config:
>
> unity.saml.requester.remoteIdp.marine.name=MarineID IdP
> unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
> unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
> unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
> unity.saml.requester.remoteIdp.marine.certificate=MARINEID
> unity.saml.requester.remoteIdp.marine.translationProfile=tr-input-marineid
> unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
> unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
> unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
> unity.saml.requester.remoteIdp.marine.requestedNameFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>
> Do you see some error within?

Nope, looks good to me. I just checked something similar and it works well
on my end.

Are you sure that your authenticator was reloaded? I.e. maybe when you
tried to test it the endpoint on which this authenticator is installed was
not yet refreshed? The safest bet is to undeploy and then redeploy it.

Cheers,
Krzysztof
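A small diagnostic for the situation discussed in this thread, added here as an example and not part of the thread or of Unity itself: it reads a captured SAML AuthnRequest and Response and reports whether the NameIDPolicy and the subject NameID carry the Format the SP was configured to request, treating a missing Format attribute as "unspecified" (the SAML 2.0 Core default). The function names and the two XML messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 Core: NameID / NameIDPolicy without a Format attribute means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def requested_name_format(authn_request_xml):
    """Format the SP asked for in NameIDPolicy; None if there is no NameIDPolicy element."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format", UNSPECIFIED)

def issued_name_format(response_xml):
    """Format of the assertion's subject NameID; None if there is no NameID."""
    name_id = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    return None if name_id is None else name_id.get("Format", UNSPECIFIED)

def diagnose(authn_request_xml, response_xml, expected=PERSISTENT):
    """Findings as text; empty list means both messages match the expected format."""
    findings = []
    req = requested_name_format(authn_request_xml)
    if req != expected:
        findings.append(f"AuthnRequest NameIDPolicy asks for {req!r}, expected {expected!r} "
                        "(check requestedNameFormat and whether the authenticator was reloaded)")
    resp = issued_name_format(response_xml)
    if resp != expected:
        findings.append(f"Response NameID format is {resp!r}, expected {expected!r}")
    return findings

# Constructed sample messages (not real traffic): the SP sent an empty NameIDPolicy
# and the IdP answered with a NameID that carries no Format attribute.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2021-09-23T05:17:00Z">
  <saml:Issuer>https://sp.example.org/unity</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2021-09-23T05:17:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-09-23T05:17:05Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>user-42</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for line in diagnose(AUTHN_REQUEST, RESPONSE):
        print("FINDING:", line)
```

Run it against the decoded AuthnRequest and Response from the SP or IdP logs; if the first finding appears even though requestedNameFormat is set, the authenticator most likely has not been reloaded.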