I have working SAML 2.0 in my dev account https://espatialzdenek-dev.onelogin.com
I am able to login through onelogin.
Only problem I have is that I can't change / I don't know how to change attribute names in the login request from IDP to SP.
in the assertion saml response I get in section
<saml:AttributeStatement>
for example this element
<saml:AttributeStatement>
<saml:Attribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">z2</saml:AttributeValue>
</saml:Attribute>
but I need there
<saml:AttributeStatement>
<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">z2</saml:AttributeValue>
</saml:Attribute>
I need make this change at least for first name , last name and user assigned security groups.
Is there way to do this in oneLogin SAML IDP setup?
Add App -> SAML Test.....
That will give you a custom application with all options available to you. Create custom claims to your hearts content.
Related
I am using OpenAM as an in-house IDP service. The flow I am using is IDP initiated where-in I am using the below link:
http://127.0.0.1:8080/openam/idpssoinit?metaAlias=%2Fidp&spEntityID=https%3A%2F%2Fmcrmpssso.maxlifeinsurance.com%2Fybl%2Fsps%2Fsamlybl%2Fsaml20
The SP metadata.xml is as below:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-06-06T05:29:49Z" cacheDuration="PT604800S" entityID="https://mcrmpssso.maxlifeinsurance.com/ybl/sps/samlybl/saml20">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<!--md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDGDCCAgCgAwIBAgIIfnbJwHIEE14wDQYJKoZIhvcNAQELBQAwKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA2libTENMAsGA1UEAxMEaXNhbTAeFw0xODA2MDYwNDU1MTJaFw0yODA2MDQwNDU1MTJaMCoxCzAJBgNVBAYTAnVzMQwwCgYDVQQKEwNpYm0xDTALBgNVBAMTBGlzYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD7l4RiOOWVv5OsqZwIuypmiX7Zvpxu9FciKKUtqnvTORz957ht+Rn5irMAO6RFyV3Ukk4xZICTegf1Fqfih3/zYUeGpTWb/JqU3ihBHIqAx57dffD/I3q2FZJ6sWua00s0Sj71EpqnTWdFQ2c19pERsV9an17wipuJyak3Rb9utuoYqoFH46Rlpo1Aiaz3wCcfGhN/bZKuxVggVmdqUIx7pI6DrfXj5wBe2RD75gESksTqfjW8w49rGLCfchrVmuFRFM4fe2FW8idcGB/uHQ+AWX3E0pBspNkd/a0KJu/EnI/ZjVN7RQ1+xIqjoM8MtyJRKW93L64BDm/tCj/et0TAgMBAAGjQjBAMB0GA1UdDgQWBBQpC5fyHKU7z+BbO6P5UdKOVCJYTTAfBgNVHSMEGDAWgBQpC5fyHKU7z+BbO6P5UdKOVCJYTTANBgkqhkiG9w0BAQsFAAOCAQEAfdjAQQ1kJTZBdw0ckGBjsteEID0I9qbt4R5vzyeGGjuqlQ0lJww8pYizH8XbfZftlDO10gwrx60fbCUDE0GPDDOAO6p/gcXiFDvsS8NIn3VeyPXtPmYZ8O2/e0LeQ5kWf3p2ZU7ZCIQ+fo9bh5Ve9Amj+Jel4SSL0U+wQQDAfW1+oCqSaXlui2XVH2Tlv+yJBRvk+KRZz3gk9h53f4cRwafp/GH4PDeST/leed1zMXnj/uJqazK+2Q2Wo+LRKuIM4CtkffSzZ4sqn0Uu3VHtjs0ZWY6bUG6pDVs9u3KhX38hzzqy7wgtzdf1o0ai1KPPNOvD1HxYVe7t3yqyeRJZgw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDGDCCAgCgAwIBAgIIfnbJwHIEE14wDQYJKoZIhvcNAQELBQAwKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA2libTENMAsGA1UEAxMEaXNhbTAeFw0xODA2MDYwNDU1MTJaFw0yODA2MDQwNDU1MTJaMCoxCzAJBgNVBAYTAnVzMQwwCgYDVQQKEwNpYm0xDTALBgNVBAMTBGlzYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD7l4RiOOWVv5OsqZwIuypmiX7Zvpxu9FciKKUtqnvTORz957ht+Rn5irMAO6RFyV3Ukk4xZICTegf1Fqfih3/zYUeGpTWb/JqU3ihBHIqAx57dffD/I3q2FZJ6sWua00s0Sj71EpqnTWdFQ2c19pERsV9an17wipuJyak3Rb9utuoYqoFH46Rlpo1Aiaz3wCcfGhN/bZKuxVggVmdqUIx7pI6DrfXj5wBe2RD75gESksTqfjW8w49rGLCfchrVmuFRFM4fe2FW8idcGB/uHQ+AWX3E0pBspNkd/a0KJu/EnI/ZjVN7RQ1+xIqjoM8MtyJRKW93L64BDm/tCj/et0TAgMBAAGjQjBAMB0GA1UdDgQWBBQpC5fyHKU7z+BbO6P5UdKOVCJYTTAfBgNVHSMEGDAWgBQpC5fyHKU7z+BbO6P5UdKOVCJYTTANBgkqhkiG9w0BAQsFAAOCAQEAfdjAQQ1kJTZBdw0ckGBjsteEID0I9qbt4R5vzyeGGjuqlQ0lJww8pYizH8XbfZftlDO10gwrx60fbCUDE0GPDDOAO6p/gcXiFDvsS8NIn3VeyPXtPmYZ8O2/e0LeQ5kWf3p2ZU7ZCIQ+fo9bh5Ve9Amj+Jel4SSL0U+wQQDAfW1+oCqSaXlui2XVH2Tlv+yJBRvk+KRZz3gk9h53f4cRwafp/GH4PDeST/leed1zMXnj/uJqazK+2Q2Wo+LRKuIM4CtkffSzZ4sqn0Uu3VHtjs0ZWY6bUG6pDVs9u3KhX38hzzqy7wgtzdf1o0ai1KPPNOvD1HxYVe7t3yqyeRJZgw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
</md:KeyDescriptor-->
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mcrmpssso.maxlifeinsurance.com/ybl/sps/samlybl/saml20/login" index="1"/>
<!--md:Organization>
<md:OrganizationName xml:lang="en">MLIC</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">MLIC</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en"/>
</md:Organization-->
</md:SPSSODescriptor>
</md:EntityDescriptor>
IDP configured NameID format and value:
SP configured NameID format:
OpenAM's stack-trace:
libSAML2:04/05/2020 08:05:57:847 PM UTC: Thread[http-nio-8080-exec-5,5,main]: TransactionId[bf5ec287-6206-4f48-bba0-f968efd3146f-32206]
ERROR: Error processing request
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(DefaultIDPAccountMapper.java:114)
at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1618)
at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:1009)
...
I am stuck at this issue since several hours. Kindly help.
You need to check if on the configured user data store has an user subject identity attribute 'uid' configured (see NameID Value Map screenshot) and you need to ensure a value is set for the user performing the IdP-initated SSO flow. For testing purpose, you may explicitly specify the NameID format to be used by adding request parameter NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
I created some custom policy for our SAML applications in Azure b2c.
Now I want to edit the claims sent by azure b2c to application in SAMLResponse.
I added the claims in the trustframwworkbase:
<ClaimType Id="TESTFELDSTRING">
<DisplayName>TESTFELDSTRING</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="TESTFELDSTRING" />
<Protocol Name="SAML2" PartnerClaimType="TESTFELDSTRING" />
</DefaultPartnerClaimTypes>
<UserHelpText>Your TESTFELDSTRING name.</UserHelpText>
<UserInputType>TextBox</UserInputType>
</ClaimType>
And I changed my custom policy and added some new outputclaim there:
<OutputClaim ClaimTypeReferenceId="TESTFELDSTRING" />
But the claim is still missing in my SAML responses.
I have one application which expects some information as SAML Claim and I do not see how to transmit it.
On the "normal Azure AD" I will be able to configure the claims per app. So one app is sending other claims than another app. How to do this in azure b2c?
I tried to add the claim inside the manifest of my app registration with:
"optionalClaims": {
"saml2Token": [
{
"name": "TESTFELDSTRING",
"source": null,
"essential": false,
"additionalProperties": []
}
]
}
But this is not working too.
My transmitted attributes are:
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Display Name"
>
<saml:AttributeValue xsi:type="xs:string">XXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Given Name"
>
<saml:AttributeValue xsi:type="xs:string">XXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Surname"
>
<saml:AttributeValue xsi:type="xs:string">XXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Email Address"
>
<saml:AttributeValue xsi:type="xs:string">XXX#XXX.XXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="objectId"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="User's Object ID"
>
<saml:AttributeValue xsi:type="xs:string">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Anyone a suggestion?
Did you follow this sample?
Did you add the new claims as output claims in the Technical profile?
Did you also add the new claims as output claims in the <RelyingParty> section?
I followed this manual to register SAML to my azure b2c: https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
With this I am able to define SAML claims in my new TechnicalProfile with for example
<OutputClaim ClaimTypeReferenceId="surname"/>
Now, I have application which expects EXACTLY some attributes with a specific name. Setting PartnerClaimType to some custom string will result in a saml attribute with that string as attribut name:
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="LastName" />
This will result in:
<saml:Attribute Name="LastName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="Surname">
<saml:AttributeValue xsi:type="xs:string">Peters</saml:AttributeValue>
</saml:Attribute>
But I can just configure claims on that profile - I need to specify it in the app registration in azure.
So the 1st application needs attribute "surname", next needs "FamilyName" and 3rd needs "LastName".
How can I use the claim defined in the policy and change it in the app? I saw there is some property "optionalClaims" in the manifest and there are "saml2Token". But the documentation of this did not helped me (https://learn.microsoft.com/de-de/azure/active-directory/develop/active-directory-optional-claims).
If you are connecting 3 SAML Relying Parties, you would have 3 Application Registrations, and 3 Relying Party technical profiles as part of your Custom Policy. Each Relying party section would have the required claims mappings.
We have written a custom claims provider for ADFS. It's all working fine: you enter your username and credentials in our login page, and it authenticates you to ADFS. There's just one annoying omission: if you come from Office 365 portal and enter your email address, you get redirected to ADFS, then to our login page... but without the email address. You have to re-enter it before you can login.
I can't see anyway to request that ADFS forwards the email address as part of the SAML request, or to check if there is already an email address associated with the SAML request.
Regards
Robin Withey
I think you need to look into the UID and Mail attributes of the SAML response...
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test#example.com</saml:AttributeValue>
</saml:Attribute>
I'm using custom policies on my Azure AD B2C app. And I am using a custom UI passing a reference to a UI hosted on my server like this on my sign-up/sign-in policy:
<BuildingBlocks>
<ContentDefinitions>
<ContentDefinition Id="api.signuporsignin">
<LoadUri>https://MyURL/index.html</LoadUri>
</ContentDefinition>
</ContentDefinitions>
</BuildingBlocks>
This is working. But now I want to add a HTML link element to my custom UI with the URL of my Privacy Policy and that element is not showing up when I execute my policy. Everything is showing up except that link.
Could it be some cache on Azure that is using the old custom UI? Or is something I'm missing?
Try:
<div id="api">
<!-- Leave this element empty because Azure AD B2C will insert content here. -->
</div>
<!-- URL goes here, outside of the API div above -->
Privacy policy