OpenConext-Attic / OpenConext-oidc

OpenConext implementation of an OpenID Connect server based on the MITREid Connect server
Apache License 2.0

Service wants persistent nameID, but metadata asks for transient (and others) #4

Open lhoekenga opened 7 years ago

lhoekenga commented 7 years ago

DefaultSAMLUserDetailsService.java appears to be looking for either "urn:mace:dir:attribute-def:eduPersonTargetedID" or "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", but the generated metadata includes non-preferred formats:

    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>

This can be fixed on the IdP side by removing the signature and adjusting the NameIDFormats by hand, but consider removing the unwanted / unneeded NameIDFormat elements from the generated metadata.
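The audit and the manual fix described in the comment, as an added example that is not part of the issue or of OpenConext-oidc: a Python script that lists the NameIDFormat values an SP metadata document advertises, reports the ones the service cannot consume, and strips them together with any enveloped ds:Signature (which editing the document invalidates anyway). It assumes the stdlib xml.etree parser is adequate for metadata of this shape, that the persistent format is the only one the SP should advertise (the comment's other match, eduPersonTargetedID, is an attribute rather than a NameIDFormat, so it is not in the list), and uses a constructed sample EntityDescriptor; WANTED, SAMPLE_METADATA and the function names are mine.

```python
"""Audit and trim the NameIDFormat list advertised in SP metadata.

Added example, not code from OpenConext-oidc or from the issue author.
Assumptions: stdlib xml.etree is enough for a metadata document of this
shape, and the persistent format is the only one the SP should advertise
(WANTED below).  SAMPLE_METADATA is constructed for the demo.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NAMEID_TAG = "{%s}NameIDFormat" % MD_NS
SIGNATURE_TAG = "{%s}Signature" % DS_NS

# Keep the conventional prefixes when serialising.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# The only NameIDFormat the service consumes (assumption based on the issue;
# eduPersonTargetedID is an attribute, not a NameIDFormat, so it is not here).
WANTED = frozenset({"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"})

# Constructed sample mirroring the generated metadata quoted in the issue,
# plus an enveloped signature so the signature handling is exercised.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/oidc">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def advertised_formats(xml_text):
    """Return every NameIDFormat value in document order."""
    root = ET.fromstring(xml_text)
    return [(e.text or "").strip() for e in root.iter(NAMEID_TAG)]


def unwanted_formats(xml_text, wanted=WANTED):
    """Audit check: advertised formats the SP cannot actually consume.

    A non-empty result means an IdP is free to pick one of them, and the
    login then fails in the SP's user-details lookup.
    """
    return [f for f in advertised_formats(xml_text) if f not in wanted]


def filter_nameid_formats(xml_text, wanted=WANTED):
    """Drop unwanted NameIDFormat elements and any enveloped signature.

    Returns (new_xml, signature_removed).  Editing signed metadata breaks
    the signature, so it is removed rather than left to fail verification;
    the caller must re-sign with the SP key before publishing the result.
    """
    root = ET.fromstring(xml_text)
    signature_removed = False
    # Materialise the element list first: removing children while walking
    # root.iter() directly can skip siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == NAMEID_TAG and (child.text or "").strip() not in wanted:
                parent.remove(child)
            elif child.tag == SIGNATURE_TAG:
                parent.remove(child)
                signature_removed = True
    return ET.tostring(root, encoding="unicode"), signature_removed


if __name__ == "__main__":
    for fmt in unwanted_formats(SAMPLE_METADATA):
        print("unwanted:", fmt)
    cleaned, resign = filter_nameid_formats(SAMPLE_METADATA)
    print(cleaned)
    if resign:
        print("signature removed: re-sign the metadata before publishing it")
```

Run it against the real metadata file instead of SAMPLE_METADATA to get the same report; the cleaned output is only a draft until it has been re-signed, and an IdP should never be fed metadata whose signature no longer verifies.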