Univention Bugzilla – Bug 39431
Default nameID attribute in assertion changed in UCS 4.1
Last modified: 2015-11-17 12:12:42 CET
While testing the SAML implementation in UCS 4.1 I found that the default NameID attribute in the SAML assertion changes from UCS 4.0 to 4.1.

In 4.0, the uid attribute is transmitted as:

<saml:NameID SPNameQualifier="https://sp.testshib.org/shibboleth-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">univention</saml:NameID>

In 4.1 it is a random identifier:

<saml:NameID SPNameQualifier="https://sp.testshib.org/shibboleth-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_c8c541f12fddbde03020c4e68bb78bab44de1fc8fc</saml:NameID>

Do we need to update the default SP definitions? The values for testshib did not change in 4.1. Is it a change in simplesamlphp?
syslog:

Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] User 'univention' has been successfully authenticated.
Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] saml20-idp-SSO-first https://sp.testshib.org/shibboleth-sp https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] saml20-idp-SSO https://sp.testshib.org/shibboleth-sp https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Sep 29 16:01:20 master simplesamlphp[30524]: 3 [0ba7434f6d] Unable to add NameID: Missing 'uid' in the attributes of the user.
Sep 29 16:01:20 master simplesamlphp[30524]: 4 [0ba7434f6d] Falling back to transient NameID.
The fix is easy. Our joinscript sets a NameIDFormat which does not exist in the SAML specification (urn:oasis:names:tc:SAML:2.0:nameid-format:email). This is also a bug in UCS 4.0. The problem is that simplesamlphp 1.8 had this value in its documentation, so we copied it then. Upgrading simplesamlphp then broke it. The correct value is: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Please update this in the joinscript for the existing service provider we create. Make sure to update only if the value is the old broken value. Make sure that the joinscript doesn't fail if the SP entry was removed by the customer.
I used urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified as the format identifier, as email can trigger syntax checks on the SP side, which fail e.g. for a uid.

r64803 univention-saml 3.0.24-8.81.201510231548
r64804 changelog
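As an added example (not code from this bug, from univention-saml or from simplesamlphp), the following Python puts the three points of the thread into checkable form: it parses the NameID element quoted for UCS 4.0 and tests its Format URI against the identifiers actually defined by SAML 1.1 and 2.0 (the old joinscript value is in neither), it shows why an SP enforcing emailAddress syntax would reject a bare uid as noted above, it applies the requested idempotent joinscript update to an in-memory stand-in for the service-provider entry (tolerating a removed entry), and it picks the "Falling back to transient" sessions out of the quoted syslog lines. The dict-based SP store, the function names, the addr-spec regex and the added xmlns declaration are assumptions for illustration; the format URIs are the ones from the specifications.

```python
"""Added example: check SAML NameID Format URIs and apply the joinscript fix idempotently."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID format identifiers defined by the SAML 1.1 and SAML 2.0 core specifications.
VALID_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
})
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Value written by the old joinscript; it appears in no SAML specification.
BROKEN_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
# Value the fixed joinscript writes (r64803).
FIXED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the NameID element quoted for UCS 4.0, with an xmlns
# declaration added (assumption) so that it parses stand-alone.
NAMEID_40 = (
    '<saml:NameID xmlns:saml="%s" SPNameQualifier="https://sp.testshib.org/shibboleth-sp" '
    'Format="%s">univention</saml:NameID>' % (SAML_NS, BROKEN_FORMAT)
)

# Constructed sample: the two relevant syslog lines from the report.
SYSLOG_LINES = [
    "Sep 29 16:01:20 master simplesamlphp[30524]: 3 [0ba7434f6d] Unable to add NameID: "
    "Missing 'uid' in the attributes of the user.",
    "Sep 29 16:01:20 master simplesamlphp[30524]: 4 [0ba7434f6d] Falling back to transient NameID.",
]


def parse_nameid(xml_text):
    """Return (Format, value) of a <saml:NameID> element."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}NameID" % SAML_NS:
        raise ValueError("not a saml:NameID element: %s" % el.tag)
    return el.get("Format"), (el.text or "")


def is_known_format(fmt):
    """True if fmt is a NameID format identifier defined by SAML 1.1 or 2.0."""
    return fmt in VALID_NAMEID_FORMATS


def value_fits_format(fmt, value):
    """Simplified syntax check of the kind an SP may apply: emailAddress requires an
    RFC 2822 addr-spec, so a bare uid such as 'univention' is rejected.
    The regex is an assumption standing in for a real addr-spec parser."""
    if fmt == EMAIL_FORMAT:
        return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None
    return True  # unspecified, transient, persistent, ... impose no syntax here


def fix_nameid_format(sp_entries, entity_id):
    """Idempotent joinscript step on a dict stand-in (assumption) for the
    service-provider objects: return the updated entry, the unchanged entry if the
    value is not the broken one, or None if the customer removed the SP entry."""
    entry = sp_entries.get(entity_id)
    if entry is None:
        return None  # nothing to do; the joinscript must not fail here
    if entry.get("NameIDFormat") == BROKEN_FORMAT:
        entry = dict(entry, NameIDFormat=FIXED_FORMAT)
    return entry


FALLBACK_RE = re.compile(
    r"\[(?P<session>[0-9a-f]+)\] Unable to add NameID: Missing '(?P<attr>\w+)'"
)


def find_nameid_fallbacks(lines):
    """Return {session_id: missing_attribute} for simplesamlphp sessions that could
    not build the configured NameID and therefore fell back to a transient one."""
    hits = {}
    for line in lines:
        m = FALLBACK_RE.search(line)
        if m:
            hits[m.group("session")] = m.group("attr")
    return hits


if __name__ == "__main__":
    sp = "https://sp.testshib.org/shibboleth-sp"
    fmt, value = parse_nameid(NAMEID_40)
    print(fmt, "known:", is_known_format(fmt))
    print("uid fits emailAddress:", value_fits_format(EMAIL_FORMAT, value))
    print(fix_nameid_format({sp: {"NameIDFormat": BROKEN_FORMAT}}, sp))
    print(fix_nameid_format({}, sp))
    print(find_nameid_fallbacks(SYSLOG_LINES))
```

The update step deliberately compares against the exact broken value rather than overwriting unconditionally, so a customer who already changed the format (or deleted the SP) is left alone on every run of the joinscript.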
OK: new NameIDFormat
OK: Changelog
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".