
NAM IDP SAML metadata list incomplete


We've noticed that NAM IDP metadata (as compared to, say, a CA
Siteminder IDP metadata file) is incomplete.

I think the OASIS spec says that the IDP metadata has to include a list
of attributes that can be used.

However, even though we have an attribute set defined, AND assigned to
a trusted SP (and even included in the authentication response), the
NAM IDP metadata does not list any attributes at all.

Whereas the metadata from a CA Siteminder IDP lists attributes (as per
the OASIS stuff).

Is there some extra option that you have to enable on the NAM IDP to
get the metadata file to list those?


--
The opinions expressed are my own.
Check out my OES2 Guides:
Installing OES2 SP2:
http://www.novell.com/communities/node/11600/oes2-sp2-installation-guide
Upgrading to OES2 with ID Transfer:
http://www.novell.com/communities/node/11601/oes2-sp2-migration-guide-transfer-id-scenarios
GroupWise Migration with OES2 ID Transfer:
http://www.novell.com/communities/node/11602/groupwise-migration-netware-oes2-sp2-transfer-id
------------------------------------------------------------------------
kjhurni's Profile: http://forums.novell.com/member.php?userid=734
View this thread: http://forums.novell.com/showthread.php?t=450324

Re: NAM IDP SAML metadata list incomplete

kjhurni wrote:

>
> We've noticed that NAM IDP metadata (as compared to, say, a CA
> Siteminder IDP metadata file) is incomplete.
>
> I think the OASIS spec says that the IDP metadata has to include a
> list of attributes that can be used.
>
> However, even though we have an attribute set defined, AND assigned to
> a trusted SP (and even included in the authentication response), the
> NAM IDP metadata does not list any attributes at all.
>
> Whereas the metadata from a CA Siteminder IDP lists attributes (as per
> the OASIS stuff).
>
> Is there some extra option that you have to enable on the NAM IDP to
> get the metadata file to list those?


Metadata can't be modified as far as I'm aware. According to the SAML2
spec found at
http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

<quote>

Note: As a general matter, SAML metadata is not to be taken as an
authoritative statement about the capabilities or options of a given
system entity. That is, while it should be accurate, it need not be
exhaustive. The omission of a particular option does not imply
that it is or is not unsupported, merely that it is not claimed. As an
example, a SAML attribute authority might support any number of
attributes not named in an <AttributeAuthorityDescriptor>. Omissions
might reflect privacy or any number of other considerations.
Conversely, indicating support for a given attribute does not imply
that a given requester can or will receive it.

</quote>


--
Cheers,
Edward

Re: NAM IDP SAML metadata list incomplete


Thanks Ed.

So it's "normal" for the NAM IDP metadata file to not list things
like:

Attribute
  NameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  Name = email

Attribute
  NameFormat = 'Error'
  (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
  Name = cn

Attribute
  NameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  Name = lastname

Attribute
  NameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  Name = givenName

Attribute
  NameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  Name = Organisational unit


(Just asking.) Although I'll admit it makes it MUCH easier if it's in
the metadata file so you can set up the attribute mapping properly
(otherwise you just have to guess, or what, call the other person and
have them read it to you?)


--
kjhurni's Profile: http://forums.novell.com/member.php?userid=734
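As an added illustration (not code from the thread, from NAM or from CA), here is a small Python script that lists the attributes an IdP metadata file actually claims and, for a product that exports none, appends them so the partner SP can build its attribute mapping. The entity ID, URLs and attribute names are constructed for the example; the spec quoted above means an empty list is "not claimed", not "not supported".

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NS = {"md": MD, "saml": SAML}
ET.register_namespace("md", MD)
ET.register_namespace("saml", SAML)

# Constructed sample: IdP metadata that advertises no attributes at all,
# which is the situation described in the thread. Entity ID and URLs are made up.
BARE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://idp.example.test/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def advertised_attributes(metadata_xml):
    """Return (Name, NameFormat) for every saml:Attribute under each
    IDPSSODescriptor. An empty list is legitimate per the metadata spec:
    omission means the attribute is not claimed, not that it is unsupported."""
    root = ET.fromstring(metadata_xml)
    return [(a.get("Name"), a.get("NameFormat", ""))
            for d in root.iterfind("md:IDPSSODescriptor", NS)
            for a in d.iterfind("saml:Attribute", NS)]


def is_signed(metadata_xml):
    """True if the document carries an XML Signature anywhere. Editing signed
    metadata invalidates that signature, so such a file must be changed and
    re-signed at the source (or exchanged unsigned out of band) instead."""
    root = ET.fromstring(metadata_xml)
    return root.find(f".//{{{DSIG}}}Signature") is not None


def add_attributes(metadata_xml, names, name_format=BASIC):
    """Append a saml:Attribute for each name to every IDPSSODescriptor and
    return the new document. Refuses signed input rather than silently
    producing metadata whose signature no longer verifies."""
    if is_signed(metadata_xml):
        raise ValueError("metadata is signed; edit and re-sign at the source")
    root = ET.fromstring(metadata_xml)
    for d in root.iterfind("md:IDPSSODescriptor", NS):
        for name in names:
            ET.SubElement(d, f"{{{SAML}}}Attribute",
                          {"Name": name, "NameFormat": name_format})
    return ET.tostring(root, encoding="unicode")
```

The NameFormat defaults to the basic format seen in the SiteMinder listing above; pass another URI if the partner expects a different one.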


Re: NAM IDP SAML metadata list incomplete


With other implementations (if you're an "SP", anyway) you have a
metadata "generator", so it can be adjusted if needed. But I'm not sure
about when you're acting as an IDP. I know that NAM doesn't let you
adjust the metadata regardless (if NAM is an IDP you can't adjust it;
if NAM is an SP you can't adjust it). So far, almost every other SAML
product I've looked at lets you adjust the metadata file (or generate
it how you "need" it), but not NAM.

With OpenSAML I can create an "SP" metadata file to have what I want in
there.
Same with CA SiteMinder.

Just as some examples.

I guess an enhancement request is in order. For example, we've run
into a problem where CA Siteminder doesn't like the EntityID being the
same as the SPNameIdentifier, but NAM makes them both the same and you
cannot change it, so apparently you can't get RelayState to work with
NAM as an SP and CA Siteminder as an IDP (or so I'm told).


--
kjhurni's Profile: http://forums.novell.com/member.php?userid=734


Re: NAM IDP SAML metadata list incomplete

kjhurni wrote:

>
> With other implementations (if you're an "SP", anyway) you have a
> metadata "generator", so it can be adjusted if needed. But I'm not sure
> about when you're acting as an IDP. I know that NAM doesn't let you
> adjust the metadata regardless (if NAM is an IDP you can't adjust it;
> if NAM is an SP you can't adjust it). So far, almost every other SAML
> product I've looked at lets you adjust the metadata file (or generate
> it how you "need" it), but not NAM.
>
> With OpenSAML I can create an "SP" metadata file to have what I want in
> there.
> Same with CA SiteMinder.
>
> Just as some examples.
>
> I guess an enhancement request is in order. For example, we've run
> into a problem where CA Siteminder doesn't like the EntityID being the
> same as the SPNameIdentifier, but NAM makes them both the same and you
> cannot change it, so apparently you can't get RelayState to work with
> NAM as an SP and CA Siteminder as an IDP (or so I'm told).


My experience, when doing federation projects, is that generally the
SPs don't even know what metadata is. I've only had a handful of
people sharing their metadata. The others just went quiet over the
phone. With SAML 1.1 it isn't so much a problem, as you have that little
'wizard' in NAM, but for SAML 2 it's not there, which is a bit of a pain.
Well... not really, once you've written the metadata once yourself.

--
Cheers,
Edward