Guanxi IdP 2.2.5

Mon, Jan 14, 2013

Guanxi releases are pretty rare these days as I don't really do much with the SP now, and moving to the 'standard' IdP is probably a good long term move. However, I needed to make a Guanxi IdP release to cope with the new SAML2 attribute landscape.

I've recently come up against an SP that doesn't support the 'legacy' SAML1.1 version of eduPersonTargetedID:

In the above attribute release the persistent identifier is contained in urn:mace:dir:attribute-def:eduPersonTargetedID and this is usually used by the SP to provide personalisation services. However, a newer SAML2 version of the attribute is in circulation and widely used, although the legacy version is meant to be supported. In practice it isn't. The new format is a SAML1.1 Attribute with a SAML2 NameID:

As you can see, the saml2:NameID is enclosed in the SAML1.1 Attribute which has a SAML2 AttributeName (urn:oid:1.3.6.1.4.1.5923.1.1.1.10). The persistent identifier is the same as in the legacy format. It's just transported in a different format. It has to be used sparingly though as changing the IdP to only release the SAML2 version will most likely destroy personalisations. Also, the two versions can't be used in the same AttributeStatement. It's either one or t'other.

So I've updated the Guanxi IdP Shibboleth Attribute Authority service to allow service provider entityIDs to be specified; those SPs then get the newer SAML2 version of the attribute. It's a very small update only affecting a couple of files:

src/main/java/org/guanxi/idp/service/shibboleth/AttributeAuthority.java

src/main/webapp/WEB-INF/guanxi_idp/config/spring/services/shibboleth/aa-service.xml
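To make the two attribute shapes and the per-SP selection concrete, here is a small added example in Python. It is not code from the Guanxi IdP and does not reproduce the Java changes in AttributeAuthority.java; it builds a legacy eduPersonTargetedID attribute and a SAML2-NameID one with the standard library, picks the form from a set of SP entityIDs (the same idea as the new aa-service.xml setting), extracts the persistent identifier from either form to show it is identical, and flags an AttributeStatement that carries both. The entityIDs and the identifier value are constructed; the Shibboleth AttributeNamespace URI and the NameID Format, NameQualifier and SPNameQualifier attributes follow the SAML2 persistent NameID convention and are my assumptions about the wire format, not details quoted from this post.

```python
"""Constructed example: eduPersonTargetedID in its legacy SAML 1.1 form and in
the SAML 1.1-Attribute-with-SAML2-NameID form, selected per SP entityID."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Shibboleth 1.x attribute namespace (assumed; common for SAML 1.1 attribute release)
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
LEGACY_NAME = "urn:mace:dir:attribute-def:eduPersonTargetedID"
SAML2_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
# SAML2 persistent NameID format (assumed for the embedded NameID)
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

ET.register_namespace("saml", SAML1_NS)
ET.register_namespace("saml2", SAML2_NS)


def legacy_targeted_id(value):
    """Legacy form: a SAML 1.1 Attribute whose AttributeValue is the bare identifier."""
    attr = ET.Element(f"{{{SAML1_NS}}}Attribute",
                      {"AttributeName": LEGACY_NAME, "AttributeNamespace": SHIB_ATTR_NS})
    ET.SubElement(attr, f"{{{SAML1_NS}}}AttributeValue").text = value
    return attr


def saml2_targeted_id(value, idp_entity_id, sp_entity_id):
    """New form: a SAML 1.1 Attribute (OID name) carrying a saml2:NameID in its value."""
    attr = ET.Element(f"{{{SAML1_NS}}}Attribute",
                      {"AttributeName": SAML2_NAME, "AttributeNamespace": SHIB_ATTR_NS})
    val = ET.SubElement(attr, f"{{{SAML1_NS}}}AttributeValue")
    name_id = ET.SubElement(val, f"{{{SAML2_NS}}}NameID",
                            {"Format": PERSISTENT_FMT,
                             "NameQualifier": idp_entity_id,      # the issuing IdP
                             "SPNameQualifier": sp_entity_id})    # the intended SP
    name_id.text = value
    return attr


def targeted_id_for(sp_entity_id, saml2_sps, value, idp_entity_id):
    """Release the SAML2 form only to SPs whose entityID is in the configured set;
    everyone else keeps the legacy form so existing personalisations survive."""
    if sp_entity_id in saml2_sps:
        return saml2_targeted_id(value, idp_entity_id, sp_entity_id)
    return legacy_targeted_id(value)


def extract_targeted_id(attr):
    """Return the persistent identifier from either form, or None if not a targetedID."""
    value = attr.find(f"{{{SAML1_NS}}}AttributeValue")
    if value is None:
        return None
    if attr.get("AttributeName") == SAML2_NAME:
        name_id = value.find(f"{{{SAML2_NS}}}NameID")
        return (name_id.text or "").strip() if name_id is not None else None
    if attr.get("AttributeName") == LEGACY_NAME:
        return (value.text or "").strip()
    return None


def attribute_statement(*attributes):
    stmt = ET.Element(f"{{{SAML1_NS}}}AttributeStatement")
    for attr in attributes:
        stmt.append(attr)
    return stmt


def targeted_id_forms(statement):
    """Which forms of eduPersonTargetedID appear in an AttributeStatement."""
    forms = set()
    for attr in statement.iter(f"{{{SAML1_NS}}}Attribute"):
        if attr.get("AttributeName") == LEGACY_NAME:
            forms.add("legacy")
        elif attr.get("AttributeName") == SAML2_NAME:
            forms.add("saml2")
    return forms


def statement_is_consistent(statement):
    """True unless both forms are mixed in the same AttributeStatement."""
    return len(targeted_id_forms(statement)) <= 1


def serialize(elem):
    return ET.tostring(elem, encoding="unicode")


def parse_attribute(xml_text):
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    # Constructed entityIDs and identifier value.
    idp = "https://idp.example.org/shibboleth"
    saml2_sps = {"https://newsp.example.org/shibboleth"}
    for sp in ("https://oldsp.example.org/shibboleth", "https://newsp.example.org/shibboleth"):
        print(serialize(targeted_id_for(sp, saml2_sps, "a1b2c3d4", idp)))
```

Running the module prints one attribute per SP: the old SP gets the bare-string legacy attribute, the one listed in saml2_sps gets the OID-named attribute with the saml2:NameID inside, and extract_targeted_id returns the same identifier from both, which is the point the post makes about the two formats.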

The details of the two versions are in Section 2.3.2.1 of the MACE-Dir SAML Attribute Profiles April 2008 document which is available as a PDF from the Mace-Dir site.

The Guanxi IdP 2.2.5 release is available from GitHub.
