From: Sander A. <sa....@fz...> - 2021-10-05 07:06:25
Good morning Krzysztof,

I restarted Unity, so it should be loaded. I set it via the UI, but after a restart this morning it was not loaded again.

Cheers,
Sander

On Mon, 2021-10-04 at 11:55 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 01.10.2021 at 07:46, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > On Thu, 2021-09-23 at 12:45 +0200, Krzysztof Benedyczak wrote:
> > > Hi Sander,
> > >
> > > On 23.09.2021 at 07:17, Sander Apweiler wrote:
> > > > Good morning Krzysztof, good morning Roman,
> > > >
> > > > I have two short questions about SAML NameID and Unity. In the past
> > > > weeks I got two user tickets because their login with a 3rd-party IdP
> > > > failed. In both cases the log showed that the IdP did not use the
> > > > NameID format. Both IdP admins said they didn't change it or didn't
> > > > send it in the past. Did Unity become more strict here between 3.3.4
> > > > and 3.5.1?
> > > Well, I don't recall anything clearly related, but it is a bit hard to
> > > say without knowing a bit wider context.
> > >
> > > Do I read this correctly that the SAML answer contained a NameID
> > > without specifying the Format attribute? - which in general means that
> > > the format is unspecified.
> > >
> > > Can you write which element had this NameID? Is it about the
> > > authenticated entity? Or the IdP identifier? The Unity log would also
> > > be very helpful here, especially if it contains some error.
> > I have to check when this happens the next time.
> >
> > > > One IdP admin reported the NameIDPolicy in the AuthnRequest is
> > > > empty, see screenshot. Is this intended?
> > > AFAIR this is configurable: the Unity authenticator has an "accepted
> > > name formats" config, and you can leave it empty, which would allow
> > > any format (and the NameIDPolicy you have pasted).
> > Yes, there is a config about it and it was empty. But after setting
> > this, the policy is still empty.
> >
> > Here is my IdP config:
> >
> > unity.saml.requester.remoteIdp.marine.name=MarineID IdP
> > unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
> > unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
> > unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
> > unity.saml.requester.remoteIdp.marine.certificate=MARINEID
> > unity.saml.requester.remoteIdp.marine.translationProfile=tr-input-marineid
> > unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
> > unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
> > unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
> > unity.saml.requester.remoteIdp.marine.requestedNameFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> >
> > Do you see some error within?
> Nope, looks good to me. I just checked something similar and it works
> well on my end. Are you sure that your authenticator was reloaded? I.e.
> maybe the installed one was not yet refreshed? The safest bet is to
> undeploy and then redeploy it.
>
> Cheers,
> Krzysztof
>

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
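The thread turns on two things that are easy to verify from captured messages: whether the AuthnRequest Unity sends actually carries a NameIDPolicy Format (the IdP admin's screenshot showed it empty despite requestedNameFormat=persistent), and what Format the IdP's NameID came back with (the failing logins showed a NameID without one, which SAML 2.0 core treats as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). The following Python is an added example written for this page; it is not code from the thread, from Unity, or from MarineID. The two IdP URLs come from Sander's pasted config; the SP issuer https://sp.example.org/unity, the message IDs, timestamps and the subject value are constructed, and the Response is stripped down to the elements the check needs (no Status, signature or conditions).

```python
"""Check the NameID format a SAML AuthnRequest asks for and the one the
IdP returned, applying the SAML 2.0 default when Format is absent.
Added example; all XML below is constructed, not captured traffic."""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML 2.0 core: a NameID or NameIDPolicy with no Format attribute is
# treated as this value.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def requested_name_id_format(authn_request_xml: str) -> Optional[str]:
    """Return NameIDPolicy/@Format from an AuthnRequest, or None when the
    request does not constrain the format (no NameIDPolicy element, or one
    without a Format attribute, i.e. the 'empty' policy from the thread)."""
    # The stdlib parser is fine for trusted input; for messages from an
    # untrusted party, parse with defusedxml instead.
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def asserted_name_id_format(response_xml: str) -> str:
    """Return the Format of the Subject NameID in a Response, falling back
    to the spec default when the IdP omitted the attribute."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("Response carries no Subject NameID")
    return name_id.get("Format", UNSPECIFIED)


def name_id_satisfies_policy(requested: Optional[str], asserted: str) -> bool:
    """A strict SP accepts the NameID only if it matches the requested
    format; an unconstrained request (None or 'unspecified') accepts any."""
    if requested is None or requested == UNSPECIFIED:
        return True
    return asserted == requested


# Constructed AuthnRequest with an empty NameIDPolicy, as in the screenshot
# the IdP admin reported. Issuer, ID and IssueInstant are made up.
AUTHN_REQUEST_EMPTY_POLICY = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req1" Version="2.0"
    IssueInstant="2021-10-04T09:55:00Z"
    Destination="https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO">
  <saml:Issuer>https://sp.example.org/unity</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""

# The same request as it should look once requestedNameFormat takes effect.
AUTHN_REQUEST_PERSISTENT = AUTHN_REQUEST_EMPTY_POLICY.replace(
    '<samlp:NameIDPolicy AllowCreate="true"/>',
    f'<samlp:NameIDPolicy AllowCreate="true" Format="{PERSISTENT}"/>')

# Constructed, trimmed Response whose NameID has no Format attribute, the
# situation behind the failed logins. Subject value is made up.
RESPONSE_NO_FORMAT = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0"
    IssueInstant="2021-10-04T09:55:02Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.marine-id.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-10-04T09:55:02Z">
    <saml:Issuer>https://idp.marine-id.org/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.org</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    got = asserted_name_id_format(RESPONSE_NO_FORMAT)
    for label, req in (("empty policy", AUTHN_REQUEST_EMPTY_POLICY),
                       ("persistent requested", AUTHN_REQUEST_PERSISTENT)):
        wanted = requested_name_id_format(req)
        print(f"{label}: requested={wanted} asserted={got} "
              f"accepted={name_id_satisfies_policy(wanted, got)}")
```

Run against a request captured from the browser (HTTP-Redirect binding: URL-decode, base64-decode and raw-inflate the SAMLRequest parameter first) to confirm the redeployed authenticator really emits the persistent Format; the same NameID check on the IdP's Response tells you whether an "unspecified" NameID, rather than a configuration change on the IdP side, is what the strict SP rejected.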