ComponentSpace Forums

Choosing the right attribute to extract the email id

boyd98 (New Member)
Currently my client is switching over to classlink for the IDP.
My previous working integration with SSO was with Azure as their IDP.

For the new one, I'm receiving this in my idp.log:

Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[email protected]</saml:NameID>

My saml.config is configured as such:

<!-- Classlink -->
<PartnerIdentityProvider Name="https://idp.classlink.com/sso/metadata/x"
        PartnerCertificateFile="Certificates\classlink.cer"
        SingleLogoutServiceUrl="https://idp.classlink.com/sso/SingleLogoutService/x"
        NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        SingleSignOnServiceUrl="https://idp.classlink.com/sso/SingleSignOnService/x" />

In my code-behind I have the following to set the username:

attributes.TryGetValue("mail", out string mail);
attributes.TryGetValue("E-Mail Address", out string email);
attributes.TryGetValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", out string adfsName);
attributes.TryGetValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", out string adfsEmail);


Should I be adding another claim or having them set a friendly name?
Bit fuzzy; I learn this once a year and then I forget.

Any help is appreciated,

Thanks!


ComponentSpace Development (Administrators)
Normally you would negotiate with the IdP what user information needs to be included in the SAML assertion and what SAML attribute names etc. should be used.

You can ask the IdP to supply the information you require using the SAML attribute names you expect.

If they can't or won't, your code will have to handle the different SAML attribute names etc. Trying different attribute names as per the code you included is a good approach.

Regards
ComponentSpace Development
boyd98 (New Member)
ComponentSpace - 11/1/2021
Normally you would negotiate with the IdP what user information needs to be included in the SAML assertion and what SAML attribute names etc. should be used.

You can ask the IdP to supply the information you require using the SAML attribute names you expect.

If they can't or won't, your code will have to handle the different SAML attribute names etc. Trying different attribute names as per the code you included is a good approach.

So if they say they're sending it in the NameID:
Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[email protected]</saml:NameID>

Is this what I should be trying to read?

attributes.TryGetValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", out string nameId);

Also, what is the difference between defining this or leaving it blank?
NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

The previous partner section did not have this defined.
ComponentSpace Development (Administrators)
The SAML subject Name ID is returned as the userName output parameter to SAMLServiceProvider.ReceiveSSO. The NameID is separate from any SAML attributes.

The NameIDFormat specifies the Name ID format to include in the SAML authn request sent to the IdP. This can be used to tell the IdP what type of Name ID you want returned in the SAML response. However, many IdPs ignore this and my recommendation would be to not include it in your SAML configuration unless it's required by the IdP.

Regards
ComponentSpace Development
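The two answers above make one practical point: the subject NameID arrives through the userName output parameter of SAMLServiceProvider.ReceiveSSO and is never in the attributes dictionary, while the email may instead come in any of several attribute names depending on the IdP. The helper below is an added example written for this thread, not ComponentSpace's code or the original poster's. It assumes its two inputs are that userName value and the attributes dictionary from ReceiveSSO; the attribute names are the ones from the thread, and the order in which they are tried, the class and method names, and the sample inputs are all constructed for illustration.

```csharp
// Added example, not ComponentSpace's code. Assumes the two inputs are the
// userName and attributes output parameters of SAMLServiceProvider.ReceiveSSO
// (the NameID and the attribute dictionary, as the answer above describes);
// the helper itself does not reference the library.
using System;
using System.Collections.Generic;
using System.Net.Mail;

public static class SamlEmailResolver
{
    // Attribute names to try, in order, when the NameID is not an email address.
    // These are the names from the thread; the ordering is an assumption.
    private static readonly string[] EmailAttributeNames =
    {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "mail",
        "E-Mail Address",
    };

    // Returns the email address to use as the application username, or null when
    // neither the NameID nor any agreed attribute carries one.
    public static string ResolveEmail(string nameId, IDictionary<string, string> attributes)
    {
        // 1. Subject NameID first: with Format emailAddress (the Classlink case)
        //    this is the value, and it is never part of the attributes dictionary.
        if (TryParseEmail(nameId, out string fromNameId))
            return fromNameId;

        // 2. Otherwise fall back to the attribute names this SP accepts.
        if (attributes != null)
        {
            foreach (string name in EmailAttributeNames)
            {
                if (attributes.TryGetValue(name, out string value) &&
                    TryParseEmail(value, out string fromAttribute))
                    return fromAttribute;
            }
        }

        // 3. Fail closed: the caller should reject the sign-in rather than
        //    continue with an empty or guessed identity.
        return null;
    }

    // Syntactic check only. MailAddress rejects malformed input, and comparing
    // its Address back to the input rejects display-name forms such as
    // "Jane <jane@example.org>", so no extra text can ride along with the address.
    private static bool TryParseEmail(string value, out string email)
    {
        email = null;
        if (string.IsNullOrWhiteSpace(value))
            return false;

        string trimmed = value.Trim();
        try
        {
            var parsed = new MailAddress(trimmed);
            if (!string.Equals(parsed.Address, trimmed, StringComparison.OrdinalIgnoreCase))
                return false;
            email = parsed.Address;
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }

    // Demonstration with constructed inputs (not real users or real IdP output).
    public static void Main()
    {
        // Classlink-style: email in the NameID, no email attributes at all.
        var classlink = new Dictionary<string, string>();
        Console.WriteLine(ResolveEmail("jane.doe@example.org", classlink));

        // Azure/ADFS-style: opaque persistent NameID, email in a claim attribute.
        var azure = new Dictionary<string, string>
        {
            ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] = "jane.doe@example.org",
            ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] = "Jane Doe",
        };
        Console.WriteLine(ResolveEmail("AAAAAAAAAAAAAAAAAAAAAAAA", azure));

        // Nothing usable: opaque NameID and no email attribute, so null comes back.
        Console.WriteLine(ResolveEmail("AAAAAAAAAAAAAAAAAAAAAAAA", new Dictionary<string, string>()) ?? "<no email>");
    }
}
```

Keeping the lookup order fixed per partner, and returning null instead of an empty string when nothing matches, means a misconfigured IdP produces a visible failed sign-in rather than a user silently mapped to the wrong or a blank account.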