Need to add extension to NAM IDP Metadata

Hi,

I need to update a customer's NAM IDP to provide an extension in the IDP metadata to follow requirements from the Swedish school authorities

The extension that should be added is

<Extensions><mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"><saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>https://fidus.skolverket.se/authentication/e-leg</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
</Extensions>

If I add and try to verify I get this error "reference to a nameareaprefix that is not declared : SAML"

In the documentation it's stated that it should come directly after the EntityID statement, but in their example that statement looks like

<EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="http://idp.exempel.se/">

If I change the EntityDescriptor to match this, the first error disappears but instead I get "reference to a nameareaprefix that is not declared : md"

Anybody got a suggestion how to handle this?

/Lennart


    What if you keep original EntityDescriptor and add this (I have just added xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" namespace to Extensions element):

    <Extensions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>fidus.skolverket.se/.../saml:AttributeValue>
    </saml:Attribute>
    </mdattr:EntityAttributes>
    </Extensions>

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button
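    The error in the original post is the XML parser rejecting a prefix (saml, and later md) that no enclosing element declares; Sebastijan's fix works because xmlns:saml is declared on Extensions. The script below is an added example (not from this thread or from NAM) that reproduces the check and builds the mdattr:EntityAttributes extension with every prefix declared, placing md:Extensions first in the EntityDescriptor as the metadata schema requires. The sample IdP metadata and its entityID are constructed placeholders.

```python
# Added example (not from the thread): declare every prefix the Skolfederation
# EntityAttributes extension uses, and check a snippet for unbound prefixes.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():  # keep the conventional prefixes on output
    ET.register_namespace(prefix, uri)

ASSURANCE_NAME = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed minimal IdP metadata (placeholder entityID), no Extensions yet.
SAMPLE_IDP = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.se/metadata">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>'
)

def undeclared_prefix(xml_text):
    """Return the parser error text (e.g. 'unbound prefix') for a snippet, or None
    if every prefix is declared; NAM reports the same condition as 'nameareaprefix'."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None

def add_entity_attributes(metadata_xml, values):
    """Insert mdattr:EntityAttributes carrying the assurance-certification values.
    md:Extensions must be the first child (after ds:Signature, if one is present)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    ext = root.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element("{%s}Extensions" % NS["md"])
        pos = 1 if len(root) and root[0].tag.endswith("}Signature") else 0
        root.insert(pos, ext)
    ea = ET.SubElement(ext, "{%s}EntityAttributes" % NS["mdattr"])
    attr = ET.SubElement(ea, "{%s}Attribute" % NS["saml"],
                         Name=ASSURANCE_NAME, NameFormat=URI_FORMAT)
    for value in values:
        ET.SubElement(attr, "{%s}AttributeValue" % NS["saml"]).text = value
    return ET.tostring(root, encoding="unicode")

def assurance_values(metadata_xml):
    """Read back the assurance-certification values, as a federation operator would."""
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return [v.text for a in root.findall(path, NS) if a.get("Name") == ASSURANCE_NAME
            for v in a.findall("saml:AttributeValue", NS)]
```

    Running undeclared_prefix() over the snippet from the question returns an "unbound prefix" error, while the same snippet with xmlns:saml on Extensions returns None.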


    Hi,

    I managed to get the metadata to work by adding this under EntityDescriptor, thanks for the pointer to what to change.

    After that I could upload the metadata file to Skolfederationen. This might be useful for others doing NAM integrations in Sweden.

    <?xml version="1.0" encoding="UTF-8" ?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="idwvKEajlxJubY5-50Fl6X1ov7XzA" entityID="">idp.domain.se/.../metadata">
    <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsd="">www.w3.org/.../XMLSchema" xmlns:xsi="">www.w3.org/.../XMLSchema-instance" xsi:type="xsd:string">fidus.skolverket.se/.../saml2:AttributeValue>
    </saml2:Attribute>
    </mdattr:EntityAttributes>
    </md:Extensions>

    So now it almost works. When I do the login test at https://fidustest.skolverket.se/DNP/ and choose "Inloggning med e-legitimation", the AuthnRequest contains this part requesting a specific AuthnContextClass value

    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">skolverket.eduid.se/.../ns1:Issuer>
    <ns0:RequestedAuthnContext Comparison="exact">
    <ns1:AuthnContextClassRef>id.elegnamnden.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/.../ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/.../ns1:AuthnContextClassRef>
    </ns0:RequestedAuthnContext>

    I have added "http://id.elegnamnden.se/loa/1.0/loa3" as "Allowable Class" in the contract specification

    So when I do a test login I get redirected to the right contract and I can authenticate. That contract points to a remote IDP which responds with the proper AuthnContextClassRef, but still it loops back to the same contract page again.

    I guess it's somehow related to "<ns0:RequestedAuthnContext Comparison="exact">" in the request, but I'm unsure how to resolve that.

    Any suggestions?

    /lennart


    Hi,

    Local login works. The SP is requesting a specific AuthnContextClassRef, and the AuthnContext Comparison match is exact. NAM IDP responds with one of the requested AuthnContextClassRefs in the response to the SP. No mention of matching in the response.

    We have a contract that points to a method that basically is a JSP page with links to external IDPs.

    The user chooses one of the external IDPs and authenticates there.

    The external IDP is responding with <saml2:AuthnContextClassRef>id.elegnamnden.se/.../saml2:AuthnContextClassRef> and the user is getting matched to a local userID, but still NAM ends up displaying the login contract login page again instead of returning the user back to the SP that the request was initiated from.

    /Lennart