Need to add extension to NAM IDP Metadata

Hi,

I need to update a customer's NAM IDP to provide an extension in the IDP metadata to follow requirements from the Swedish school authorities.

The extension that should be added is:

<Extensions>
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>https://fidus.skolverket.se/authentication/e-leg</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>

If I add it and try to verify, I get this error: "reference to a nameareaprefix that is not declared : SAML"

In the documentation it's stated that it should come directly after the EntityID statement, but in their example that statement looks like:

<EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="http://idp.exempel.se/">

If I change the EntityDescriptor to match this, the first error disappears, but instead I get "reference to a nameareaprefix that is not declared : md"

Anybody got a suggestion how to handle this?

/Lennart


    What if you keep the original EntityDescriptor and add this (I have just added the xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" namespace to the Extensions element):

    <Extensions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>fidus.skolverket.se/...</saml:AttributeValue>
    </saml:Attribute>
    </mdattr:EntityAttributes>
    </Extensions>

    Kind regards,

    Sebastijan

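    The two errors in this thread are namespace-prefix problems, and they are easy to reproduce outside NAM before uploading metadata. The following is an added example, not code from the thread or from Access Manager: it parses the original fragment (saml: used but never declared), the same fragment with the declaration the reply suggests, and then reads the assurance-certification values back out. The fidus URL is the one from the question.

```python
"""Added example (not from the original thread): check that a SAML metadata
<Extensions> fragment declares every namespace prefix it uses, then read the
assurance-certification entity attribute values from it."""
import xml.etree.ElementTree as ET

NS = {
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed from the fragment in the question: the saml: prefix is used but
# never declared, which is what NAM reports as an undeclared namespace prefix.
BROKEN = """<Extensions>
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<saml:Attribute Name="%s" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>https://fidus.skolverket.se/authentication/e-leg</saml:AttributeValue>
</saml:Attribute></mdattr:EntityAttributes></Extensions>""" % ASSURANCE_CERT

# The fix proposed in the reply: declare xmlns:saml on the Extensions element.
FIXED = BROKEN.replace(
    "<Extensions>", '<Extensions xmlns:saml="%s">' % NS["saml"], 1)


def undeclared_prefix(xml_text):
    """Return None if the XML parses; otherwise the parser's error message.
    An undeclared prefix is reported by expat as 'unbound prefix'."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def assurance_certifications(xml_text):
    """Collect AttributeValue texts of the assurance-certification entity attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_CERT:
            values += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return values


if __name__ == "__main__":
    print("broken fragment:", undeclared_prefix(BROKEN))
    print("fixed fragment: ", undeclared_prefix(FIXED))
    print("certifications: ", assurance_certifications(FIXED))
```

    Running the same check on the whole metadata file after editing catches the second error in the question as well (md: used on EntityDescriptor without its xmlns:md declaration), since the parser rejects any unbound prefix.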


    Hi,

    I managed to get the metadata to work by adding this under EntityDescriptor, thanks for the pointer to what to change.

    After that I could upload the metadata file to Skolfederationen. This might be useful for others doing NAM integrations in Sweden.

    <?xml version="1.0" encoding="UTF-8" ?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="idwvKEajlxJubY5-50Fl6X1ov7XzA" entityID="idp.domain.se/.../metadata">
    <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsd="www.w3.org/.../XMLSchema" xmlns:xsi="www.w3.org/.../XMLSchema-instance" xsi:type="xsd:string">fidus.skolverket.se/...</saml2:AttributeValue>
    </saml2:Attribute>
    </mdattr:EntityAttributes>
    </md:Extensions>

    So now it almost works. When I do the login test at https://fidustest.skolverket.se/DNP/ and choose "Inloggning med e-legitimation", the AuthnRequest has this part requesting a specific AuthnContextClass value:

    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">skolverket.eduid.se/...</ns1:Issuer>
    <ns0:RequestedAuthnContext Comparison="exact">
    <ns1:AuthnContextClassRef>id.elegnamnden.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.swedenconnect.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/...</ns1:AuthnContextClassRef>
    <ns1:AuthnContextClassRef>id.elegnamnden.se/...</ns1:AuthnContextClassRef>
    </ns0:RequestedAuthnContext>

    I have added "http://id.elegnamnden.se/loa/1.0/loa3" as the "Allowable Class" contract specification.

    So when I do a test login I get redirected to the right contract and I can authenticate. That contract points to a remote IDP which responds with the proper AuthnContextClassRef, but still it loops back to the same contract page again.

    I guess it's somehow related to "<ns0:RequestedAuthnContext Comparison="exact">" in the request, but I'm unsure how to resolve that.

    Any suggestions?

    /lennart
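    The thread leaves the Comparison="exact" question open. With that comparison the SP accepts only an AuthnContextClassRef that is literally one of the requested URIs, so a useful check when a login loops is to compare the class the contract actually returns against the requested list. The code below is an added example, not from the thread or from Access Manager; the request is constructed, its loa3 URI is the one quoted above, and the second class URI is a made-up placeholder for the values elided in the post.

```python
"""Added example (not from the original thread): decide whether the
AuthnContextClassRef an IDP returns satisfies a RequestedAuthnContext with
Comparison="exact", as in the AuthnRequest quoted above."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed request: the loa3 URI is the one quoted in the thread; the other
# class URI is a made-up placeholder standing in for the elided values.
REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.invalid</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:example:loa:placeholder</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_context(request_xml):
    """Return (comparison, [class refs]) from an AuthnRequest, or (None, [])
    when the request carries no RequestedAuthnContext at all."""
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.iterfind("saml:AuthnContextClassRef", NS) if e.text]
    # SAML 2.0 core: Comparison defaults to "exact" when the attribute is absent.
    return rac.get("Comparison", "exact"), refs


def satisfies(request_xml, returned_class_ref):
    """True if the returned AuthnContextClassRef meets the request.
    Only Comparison="exact" is decided here: the class must be one of the
    requested URIs, byte for byte (a trailing slash or scheme change fails).
    The other comparisons need a class ordering that only the IDP knows."""
    comparison, refs = requested_context(request_xml)
    if comparison is None:
        return True  # nothing requested, so any context is acceptable
    if comparison == "exact":
        return returned_class_ref in refs
    raise NotImplementedError(f"Comparison={comparison!r} needs a class ranking")


if __name__ == "__main__":
    for ref in ("http://id.elegnamnden.se/loa/1.0/loa3",
                "http://id.elegnamnden.se/loa/1.0/loa3/",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"):
        print(ref, "->", satisfies(REQUEST, ref))
```

    Capturing the SAML Response that NAM sends back to the SP and running its AuthnContextClassRef through this check tells you whether the class string leaving the contract matches the request exactly; the PasswordProtectedTransport URI in the demo is the standard SAML class for a password-based login and is included only as a non-matching case.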
