Using an ADFS SAML 2.0 IdP with a Shibboleth SP

Shibboleth and ADFS have different ideas about how the attributes of a SAML assertion should be expressed. The custom ADFS claim rule below makes ADFS send the userPrincipalName to Shibboleth in the Subject's NameID rather than as a SAML attribute. This is fine if the username is all you need.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

This results in the following style of assertion:

<!-- Sample ADFS response produced by the claim rule above. Values elided with "..." (digest, signature, certificate)
     mean the sample cannot be verified as-is; the real response carries the full values. -->
<!-- Destination, InResponseTo and IssueInstant are the fields the SP checks against the request it sent
     (endpoint, request ID, freshness). The Response element itself carries no ds:Signature here;
     only the enclosed Assertion is signed (see the ds:Reference URI below). -->
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://sp1.example.com/sso/saml2" ID="_b2597314-2221-4c2b-9884-1ec0ad68023f" InResponseTo="_e61c6aa5ec9b5076a46289e354afd9e2" IssueInstant="2012-08-19T16:42:04.436Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.vc.example.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <!-- The Assertion's ID is what the signature reference points at; the assertion Issuer matches the response Issuer. -->
  <Assertion ID="_1855cb64-4f6d-49bd-be80-c4e50e203b95" IssueInstant="2012-08-19T16:42:04.434Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.vc.example.com/adfs/services/trust</Issuer>
    <!-- Enveloped signature over the Assertion (Reference URI "#_1855cb64..." equals the Assertion ID),
         exclusive C14N, RSA with SHA-256 and a SHA-256 digest. The SP must verify this against the
         IdP signing certificate it already trusts (e.g. from IdP metadata), not against the embedded
         X509Certificate alone. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_1855cb64-4f6d-49bd-be80-c4e50e203b95">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <!-- KeyInfo is written with a default-namespace declaration while its children keep the ds: prefix;
           both resolve to the same xmldsig namespace, so this is equivalent to <ds:KeyInfo>. -->
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <!-- The userPrincipalName arrives as the NameID text. Note that the NameID carries no Format attribute,
         so the SP side has to be configured to accept an unspecified-format NameID and map it to a usable
         attribute (Shibboleth does this through its attribute mapping; confirm against your SP config). -->
    <Subject>
      <NameID>chrisl@vc.example.com</NameID>
      <!-- Bearer confirmation: Recipient equals the Response Destination, InResponseTo equals the request ID,
           and NotOnOrAfter is five minutes after IssueInstant. The SP should enforce all three. -->
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_e61c6aa5ec9b5076a46289e354afd9e2" NotOnOrAfter="2012-08-19T16:47:04.436Z" Recipient="https://sp1.example.com/sso/saml2"/>
      </SubjectConfirmation>
    </Subject>
    <!-- One-hour validity window. The Audience value differs from the Destination URL; presumably it is the
         SP's entityID as registered in ADFS, and the SP should reject assertions whose Audience is not its own. -->
    <Conditions NotBefore="2012-08-19T16:42:04.432Z" NotOnOrAfter="2012-08-19T17:42:04.432Z">
      <AudienceRestriction>
        <Audience>https://sp1.example.com/sso</Audience>
      </AudienceRestriction>
    </Conditions>
    <!-- SessionIndex reuses the Assertion ID. The AuthnContextClassRef is an ADFS-specific value rather than
         one of the standard SAML authentication context classes; an SP policy keyed on standard classes
         may need to account for it (inferred, not shown on this page). -->
    <AuthnStatement AuthnInstant="2012-08-19T16:42:04.327Z" SessionIndex="_1855cb64-4f6d-49bd-be80-c4e50e203b95">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
