Choosing the right attribute to extract the email ID

Currently my client is switching over to classlink for the IDP.
My previous working integration with SSO was with Azure as their IDP.

For the new, I’m receiving this in my idp.log

Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">129643@xxxx.net</saml:NameID>

My saml.config is configured as such:

<PartnerIdentityProvider Name="https://idp.classlink.com/sso/metadata/x"
    PartnerCertificateFile="Certificates\classlink.cer"
    SingleLogoutServiceUrl="https://idp.classlink.com/sso/SingleLogoutService/x"
    NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    SingleSignOnServiceUrl="https://idp.classlink.com/sso/SingleSignOnService/x" />

In my code-behind I have the following to set the username:

attributes.TryGetValue("mail", out string mail);
attributes.TryGetValue("E-Mail Address", out string email);
attributes.TryGetValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", out string adfsName);
attributes.TryGetValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", out string adfsEmail);


Should I be adding another claim or having them set a friendly name?
Bit fuzzy; I learn this once a year and then I forget.

Any help is appreciated,

Thanks!

Normally you would negotiate with the IdP what user information needs to be included in the SAML assertion and what SAML attributes names etc should be used.

You can ask the IdP to supply the information you require using the SAML attribute names you expect.

If they can’t or won’t, your code will have to handle the different SAML attributes names etc. Trying different attribute names as per the code you included is a good approach.

[quote]
ComponentSpace - 11/1/2021
Normally you would negotiate with the IdP what user information needs to be included in the SAML assertion and what SAML attributes names etc should be used.

You can ask the IdP to supply the information you require using the SAML attribute names you expect.

If they can't or won't, your code will have to handle the different SAML attributes names etc. Trying different attribute names as per the code you included is a good approach.
[/quote]

So if they say they're sending it in the nameID
Name ID: 177455@xxxx.net

Is this what I should be trying to read:
attributes.TryGetValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", out string nameId);

Also, what is the difference between defining this or leaving it blank?
NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

The previous partner section did not have this defined.

The SAML subject Name ID is returned as the userName output parameter to SAMLServiceProvider.ReceiveSSO. The NameID is separate from any SAML attributes.

The NameIDFormat specifies the Name ID format to include in the SAML authn request sent to the IdP. This can be used to tell the IdP what type of Name ID you want returned in the SAML response. However, many IdPs ignore this and my recommendation would be to not include it in your SAML configuration unless it's required by the IdP.
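One way to combine the two points above (try the attribute names from the question in order, then fall back to the Name ID that ReceiveSSO returns separately) in a single helper. This is an added example, not ComponentSpace's code; it assumes userName and attributes are the values your existing SAMLServiceProvider.ReceiveSSO call already produced, and the hypothetical SamlUserResolver class and ResolveEmail method are names chosen for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Mail;

// Added example (not ComponentSpace's code). Assumes userName and attributes
// come from your existing SAMLServiceProvider.ReceiveSSO call.
public static class SamlUserResolver
{
    // Attribute names tried in order: the ones from the question, plus the
    // ADFS/Azure claim names. Adjust to whatever you negotiate with the IdP.
    private static readonly string[] EmailAttributeNames =
    {
        "mail",
        "E-Mail Address",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    };

    // Returns the email address to use as the application username, or null
    // when neither the SAML attributes nor the Name ID hold a usable value.
    public static string ResolveEmail(string userName, IDictionary<string, string> attributes)
    {
        if (attributes != null)
        {
            foreach (string name in EmailAttributeNames)
            {
                if (attributes.TryGetValue(name, out string value) && LooksLikeEmail(value))
                {
                    return value;
                }
            }
        }

        // Fall back to the SAML subject Name ID (e.g. 129643@xxxx.net), which
        // ReceiveSSO returns in userName, separately from the attributes.
        return LooksLikeEmail(userName) ? userName : null;
    }

    // Reject empty or malformed values so an unexpected assertion is not
    // silently mapped to an account; the caller should treat null as a failure.
    private static bool LooksLikeEmail(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return false;
        try
        {
            // MailAddress strips display names; require the raw value to match.
            return new MailAddress(value).Address == value;
        }
        catch (FormatException)
        {
            return false;
        }
    }
}
```

Call SamlUserResolver.ResolveEmail(userName, attributes) right after ReceiveSSO and refuse the login when it returns null rather than defaulting to an empty username.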