
I have a WSO2IS 5.2 acting as a federation hub. The AuthnRequest that it sends to the IdP (in this case PingFederate) includes this NameIDPolicy:

   <saml2p:NameIDPolicy AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         SPNameQualifier="WSO2IS"
                         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                         />

After logging in at PingFederate, it sends back a SAML message including this:

   <samlp:Status>
       <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
           <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
       </samlp:StatusCode>
       <samlp:StatusMessage>Cannot provide requested name identifier qualified with WSO2IS</samlp:StatusMessage>
   </samlp:Status>

I've tried uid and mail NameID values in PingFederate, but I always get this response. I would like to try changing the NameIDPolicy format that WSO2IS sends, but I have not found a way to do it. I think it should be a SAML 2.0 format.

The only thing I found was the "Include NameID Policy" check box in the IdP settings, but it stays checked even if I uncheck it and save.

How to change the NameIDPolicy format?

UPDATE: I solved the problem by enabling pseudonym identifier at PingFederate and sending username as attribute. Still it would be good to know the answer to my question.

This should ideally be possible to be configured in the Identity Provider add view. As of now there's no way from the UI or any other configs. Will create a JIRA to track this improvement.

farasath
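To make the failure in the exchange above easier to diagnose, here is an added example (my own code, not part of the question, of WSO2IS or of PingFederate) that parses the nested SAML status codes and inspects the NameIDPolicy attributes. The XML samples are the question's two fragments with the namespace declarations added so that they parse stand-alone.

```python
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"  # SAML 2.0 protocol namespace
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed samples: the two fragments quoted in the question, with the
# namespace declarations the excerpts omit so that they parse stand-alone.
AUTHN_REQUEST_POLICY = (
    '<saml2p:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'SPNameQualifier="WSO2IS" '
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/>'
)
IDP_STATUS = (
    '<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<samlp:StatusCode Value="' + INVALID_NAMEID_POLICY + '"/>'
    '</samlp:StatusCode>'
    '<samlp:StatusMessage>Cannot provide requested name identifier '
    'qualified with WSO2IS</samlp:StatusMessage></samlp:Status>'
)


def parse_status(status_xml):
    """Return (top_level_code, second_level_code, message) from a <Status>."""
    # SAML 2.0 puts the detailed reason in a nested second-level <StatusCode>;
    # a consumer that logs only the outer 'Requester' code loses the real cause.
    status = ET.fromstring(status_xml)
    top = status.find(P + "StatusCode")
    second = top.find(P + "StatusCode") if top is not None else None
    return (
        top.get("Value") if top is not None else None,
        second.get("Value") if second is not None else None,
        status.findtext(P + "StatusMessage"),
    )


def is_name_id_policy_failure(status_xml):
    """True when the IdP rejected the request because of its NameIDPolicy."""
    return parse_status(status_xml)[1] == INVALID_NAMEID_POLICY


def describe_name_id_policy(policy_xml):
    """Return the NameIDPolicy attributes plus plain-text observations."""
    policy = ET.fromstring(policy_xml)
    fmt, qualifier = policy.get("Format", ""), policy.get("SPNameQualifier")
    notes = []
    if fmt.endswith(":unspecified"):
        notes.append("Format 'unspecified' leaves the identifier kind to the IdP")
    if qualifier:
        notes.append("SPNameQualifier asks for an identifier qualified for " + qualifier)
    return {"format": fmt, "sp_name_qualifier": qualifier,
            "allow_create": policy.get("AllowCreate"), "notes": notes}
```

Running `parse_status(IDP_STATUS)` surfaces the second-level InvalidNameIDPolicy code and the StatusMessage that names the SPNameQualifier, which is the detail worth logging at the federation hub.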

1 Answer


Yes, your understanding is correct. You would need to change the NameIDPolicy. You can find it on the service provider (SP) creation page. Go to the WSO2 IS management console, Home > Service Provider > Add.

After that, enter the name for the SP and click the Register button.

Now you are on the Service Provider configuration page.

Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.

On this page you can configure SAML2 Web SSO, and the page header shows Register New Service Provider. Go to NameID format and change it to urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress instead of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. You can find more details in the WSO2 documentation [1].

[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0