Bug 39431 - Default nameID attribute in assertion changed in UCS 4.1
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Erik Damrose
QA Contact: Florian Best
interim-2
Reported: 2015-09-29 15:55 CEST by Erik Damrose
Modified: 2015-11-17 12:12 CET (History)
Description Erik Damrose univentionstaff 2015-09-29 15:55:39 CEST
While testing the SAML implementation in UCS 4.1 I found that the default nameID attribute in the SAML assertion changes from UCS 4.0 to 4.1.

In 4.0, the uid attribute is transmitted as
<saml:NameID SPNameQualifier="https://sp.testshib.org/shibboleth-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">univention</saml:NameID>

In 4.1 it is a random identifier:
<saml:NameID SPNameQualifier="https://sp.testshib.org/shibboleth-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_c8c541f12fddbde03020c4e68bb78bab44de1fc8fc</saml:NameID>

Do we need to update the default sp definitions? The values for testshib did not change in 4.1. Is it a change in simplesamlphp?
Comment 1 Erik Damrose univentionstaff 2015-09-29 16:02:32 CEST
syslog:

Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] User 'univention' has been successfully authenticated.
Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] saml20-idp-SSO-first https://sp.testshib.org/shibboleth-sp https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] saml20-idp-SSO https://sp.testshib.org/shibboleth-sp https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Sep 29 16:01:20 master simplesamlphp[30524]: 3 [0ba7434f6d] Unable to add NameID: Missing 'uid' in the attributes of the user.
Sep 29 16:01:20 master simplesamlphp[30524]: 4 [0ba7434f6d] Falling back to transient NameID.
Comment 2 Florian Best univentionstaff 2015-10-20 15:18:03 CEST
The fix is easy.
Our joinscript sets a NameIDFormat which does not exist in the SAML specification (urn:oasis:names:tc:SAML:2.0:nameid-format:email).
This is also a bug in UCS 4.0.
The problem is that simplesamlphp 1.8 had this value in its documentation, so we copied it back then. Upgrading simplesamlphp then broke it.

The correct value is:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Please update this in the joinscript for the existing service provider we create.
Make sure to update only if the value is the old broken value.
Make sure that the joinscript doesn't fail if the SP entry was removed by the customer.
Comment 3 Erik Damrose univentionstaff 2015-10-23 15:55:22 CEST
I used urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified as the format identifier, as email can trigger syntax checks on the SP side, which fail e.g. for a uid.

r64803 univention-saml 3.0.24-8.81.201510231548
r64804 changelog
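The three rules from comment 2 (replace only the old broken value, leave anything else alone, do not fail when the customer has deleted the SP entry), the value chosen in comment 3, and the symptom from comment 1 can be exercised together. The following is an added example written for this page; it is not the UCS joinscript, not univention-saml code and not simplesamlphp code. The service-provider record is a plain dict standing in for the UDM object (a hypothetical shape, not the real UDM API), and the sample assertion and syslog lines are constructed from the snippets quoted in the report.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID format identifiers defined in SAML 2.0 Core, section 8.3. The 1.1 URIs
# are carried over from SAML 1.1 and remain valid in SAML 2.0 metadata. The
# value the joinscript used ("...SAML:2.0:nameid-format:email") is not among them.
KNOWN_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})

BROKEN_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"       # value named in comment 2
FIXED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"   # value chosen in comment 3
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def is_known_nameid_format(uri):
    """True if the URI is a NameID format defined by the SAML specification."""
    return uri in KNOWN_NAMEID_FORMATS


def migrate_nameid_format(sp_entry):
    """Apply the joinscript rule from comment 2 to one service provider record.

    sp_entry is a dict standing in for the UDM object (hypothetical shape).
    Returns (entry, action): "sp-missing" when the customer removed the SP
    (nothing to do, no failure), "unchanged" when the stored value is not the
    old broken one, "updated" when the broken value was replaced. The input
    dict is not mutated.
    """
    if sp_entry is None:
        return None, "sp-missing"
    if sp_entry.get("NameIDFormat") != BROKEN_FORMAT:
        return sp_entry, "unchanged"
    return dict(sp_entry, NameIDFormat=FIXED_FORMAT), "updated"


def assertion_nameid(assertion_xml):
    """Return (Format, value) of the <saml:NameID> in an assertion, or None.

    Useful as a post-fix check: a NameID whose Format is still
    TRANSIENT_FORMAT means the IdP is still falling back.
    """
    node = ET.fromstring(assertion_xml).find(".//{%s}NameID" % SAML_NS)
    if node is None:
        return None
    return node.get("Format"), (node.text or "").strip()


# simplesamlphp syslog line: "<prog>[pid]: <level> [STAT] [<trace id>] <message>"
LOG_RE = re.compile(
    r"simplesamlphp\[\d+\]: \d (?:STAT )?\[(?P<trace>[0-9a-f]+)\] (?P<msg>.*)$")
USER_RE = re.compile(r"User '(?P<user>[^']+)' has been successfully authenticated")


def transient_fallbacks(log_lines):
    """Map trace id -> authenticated user for every login that fell back to a
    transient NameID, i.e. the symptom shown in comment 1."""
    users, fallbacks = {}, []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        trace, msg = m.group("trace"), m.group("msg")
        u = USER_RE.search(msg)
        if u:
            users[trace] = u.group("user")
        if msg.startswith("Falling back to transient NameID"):
            fallbacks.append(trace)
    return {trace: users.get(trace) for trace in fallbacks}


# Constructed sample: the 4.1 NameID from the description wrapped in a minimal
# Assertion so it parses stand-alone (the report quotes only the bare element).
SAMPLE_ASSERTION_41 = (
    '<saml:Assertion xmlns:saml="{ns}"><saml:Subject>'
    '<saml:NameID SPNameQualifier="https://sp.testshib.org/shibboleth-sp" '
    'Format="{fmt}">_c8c541f12fddbde03020c4e68bb78bab44de1fc8fc</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
).format(ns=SAML_NS, fmt=TRANSIENT_FORMAT)

# Constructed sample: the syslog lines quoted in comment 1.
SAMPLE_SYSLOG = [
    "Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] User 'univention' has been successfully authenticated.",
    "Sep 29 16:01:20 master simplesamlphp[30524]: 5 STAT [0ba7434f6d] saml20-idp-SSO https://sp.testshib.org/shibboleth-sp https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA",
    "Sep 29 16:01:20 master simplesamlphp[30524]: 3 [0ba7434f6d] Unable to add NameID: Missing 'uid' in the attributes of the user.",
    "Sep 29 16:01:20 master simplesamlphp[30524]: 4 [0ba7434f6d] Falling back to transient NameID.",
]

if __name__ == "__main__":
    sp = {"Identifier": "https://sp.testshib.org/shibboleth-sp", "NameIDFormat": BROKEN_FORMAT}
    print("broken value is a known format:", is_known_nameid_format(sp["NameIDFormat"]))
    print("migration:", migrate_nameid_format(sp))
    print("SP removed by customer:", migrate_nameid_format(None))
    print("NameID in 4.1 assertion:", assertion_nameid(SAMPLE_ASSERTION_41))
    print("logins that fell back to transient:", transient_fallbacks(SAMPLE_SYSLOG))
```

The migration deliberately compares against the exact broken string rather than against "anything not in KNOWN_NAMEID_FORMATS": a customer who has set their own value should not have it silently rewritten, which is the point of comment 2's "only if the value is the old broken value".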
Comment 4 Florian Best univentionstaff 2015-11-03 13:50:39 CET
OK: new NameIDFormat
OK: Changelog
Comment 5 Stefan Gohmann univentionstaff 2015-11-17 12:12:42 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".