
List:       shibboleth-users
Subject:    Re: Forcing Misuse of TransientID in IdP 3.2.
From:       "Sheldon, Nathan I" <Nathan.Sheldon () ucsf ! edu>
Date:       2017-01-31 22:32:58
Message-ID: 9A34DDB2-ECD4-49D1-BA36-04FBDA2D9D38 () ucsf ! edu

Thanks Scott.

On Jan 31, 2017, at 11:50 AM, Cantor, Scott <cantor.2@osu.edu> wrote:

Put yours first, with an appropriate activationCondition on it, and it should be fine.

Indeed.  That did it.

Do you have actual proof that it matters? I'd be very dubious of anything that broken even looking at the Format.

I had the same thought, so I tested sending the same attribute value in the NameID but with different format definitions. None seemed to work unless it was defined as a transient ID. Grrr.

—

Hey David.

On Jan 31, 2017, at 11:51 AM, IAM David Bantz <dabantz@alaska.edu> wrote:

don't you need to add a clause to indicate that nameID is used for specific SP(s)? like

Not in this case. That attribute ID was defined just for this SP, probably because it was easier to do it that way in IdP v2. I also prefer to make relying party exceptions in the relying-party.xml configuration rather than in the saml-nameid.xml config, just because it's easier to keep track of all our exceptions (we have plenty). IdP v3's new NameID configuration method would certainly allow for more efficient management of NameID encoding of attribute values for existing attribute definitions. I may end up optimizing/cleaning those attribute definitions before moving to a production environment, depending on time constraints.

----
Nathan Sheldon (nathan.sheldon@ucsf.edu)
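A worked conf/saml-nameid.xml fragment for the arrangement Scott describes above (an attribute-sourced generator placed ahead of the stock transient generator, gated by an activationCondition so only the one SP receives the attribute value). This is an added example for readers of the thread, not the poster's actual configuration and not part of the Shibboleth project's shipped file; the entityID https://sp.example.org/shibboleth, the attribute ID spAccountId and the bean id example.SpOnlyCondition are placeholders.

```xml
<!-- conf/saml-nameid.xml (IdP v3) fragment. Added example, not the poster's config.
     Placeholders: https://sp.example.org/shibboleth (the single SP that needs this)
     and spAccountId (the resolved, released attribute whose value becomes the NameID). -->

<!-- Activation condition: evaluates true only when the relying party is the named SP.
     shibboleth.Conditions.RelyingPartyId is a stock IdP v3 parent bean. -->
<bean id="example.SpOnlyCondition" parent="shibboleth.Conditions.RelyingPartyId"
      c:candidates="#{{'https://sp.example.org/shibboleth'}}" />

<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Ordering matters: generators are tried in list order for the requested Format.
         This one claims the transient Format but emits a stable attribute value, so it
         must come BEFORE the stock transient generator. The activation condition keeps
         every other SP on the real transient generator below. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          p:attributeSourceIds="#{ {'spAccountId'} }"
          p:activationCondition-ref="example.SpOnlyCondition" />

    <!-- Stock generator: a random, short-lived, per-session identifier, which is what
         the transient Format actually promises. All other SPs still get this. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Normal use of the attribute-sourced generator, for comparison: a Format whose
         semantics match the value it carries (a stable e-mail address). -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }" />

</util:list>
```

The `c:` and `p:` namespace prefixes are already declared in the shipped saml-nameid.xml, and the source attribute must be released to that SP by the attribute filter or the generator will find nothing to encode. The risk this setup carries is the one in the thread's subject line: a stable, linkable identifier is being delivered under a Format that promises an opaque per-session value, so keep the condition scoped to exactly the SP that needs it and confirm with a test login that a different SP still receives a random transient value.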




