Getting Claims from ADFS 3.0 and Displaying To Shibboleth 2.6 Service Provider (SP) in SAML 2.0

0
votes

I'm trying to configure Windows Server 2012 r2 ADFS 3.0 to send the NameID to Shibboleth 2.6 SAML 2.0 SP, but I keep on getting these errors: 

2016-11-15 10:07:07 WARN Shibboleth.AttributeResolver.Query [1]: can't attempt attribute query, either no NameID or no metadata to use
2016-11-15 10:07:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_7e425978e43bc32c86393f518b26eb3e) IdP (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.168.50.131)

I understand that this has something to do about passing the NameID attribute from the ADFS IDP and displaying the nameID in Shibboleth SAML 2.0 SP.

I've also read that you need to set a rule in ADFS IDP to pass the Email Address, and transform the Email address to become a NameID. I have done that, and have these rules: 

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

However, I have observed that the configuration seems compatible only with SAML 1.0, but not 2.0 (maybe).

So, I went on by adding the name attributes. I tried transient, persistent, and emailAddress, and trying both SAML 1.0 and SAML 2.0 configurations.

<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="NameID"/>
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="NameID"/>

Question:

So, what is the proper way of configuring ADFS IDP to send the NameID to the Shibboleth SP and display the Session attribute when going to my application Session page?

Specifically, what is the proper output for Claim Rules that I should expect? and how should the XML configuration for Shibboleth attribute-map.xml look like?

https://c-app01.contoso.com/Shibboleth.sso/Session
1
saml-2.0windows-server-2012-r2shibbolethadfs3.0

1 Answers

0
votes

Solution:

The solution is to create two rules inside "Issuance Transform Rules" tab in the Relying Party. Here are the Rules to be set:

  • Add a Rule to Send LDAP Attributes as Claims
  • Add a Rule to Transform an Incoming Claim

Also, make sure that Permit Access to All Users is inside Issuance Authorization Rules tab.

Instructions:

Add a Rule to Send LDAP Attributes as Claims:

  • Claim Rule Name: Email
  • Attribute Store: Active Directory
  • Mapping of LDAP: E-mail-Address to E-mail Address

This will map the Email address.

Add a rule to Transform An Incoming Claim:

  • Claim rule name: EmailToNameID
  • Incoming Claim Type: E-Mail Address
  • Outgoing Claim Type: Name ID
  • Outgoing Name ID Format: Email
  • Make sure "Pass Through Claim Values" is selected.

The setting above for "Transform An Incoming Claim" will give you the following claim rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

After that, you may configure the attribute-map.xml like so: 

<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="Email"/>

My Mistake:

I found out that every setting in my Claims Rules is correct, except that the rules for Email and EmailToNameID should be under the Issuance Transform Rules Tab of the Relying Party.