Forum Discussion
SAML SLO NameQualifier and SPNameQualifier attributes missing
We have an external SAML 2 IdP which requires the NameQualifier and SPNameQualifier attributes to be set on the NameID element of the SAML LogoutRequest (SLO), like:
<saml:NameID NameQualifier="https://xxx.yyy.com/idp"
             SPNameQualifier="https://aaa.bbb.com/saml_sp">AAdzZWNy...CtBxVYUk=</saml:NameID>
Now APM (v11.5.x) seems to send the SAML SLO request without those attributes, which causes SLO to fail at the IdP end:
<saml:NameID>AAdzZWNy...CtBxVYUk=</saml:NameID>
Haven't seen any way to add those attributes, or am I missing something? Any ideas?
- Michael_KoyfmanCirrocumulus
Can you please share which IDPs require the use of these attributes? They are optional attributes that are currently not supported by the SLO configuration of APM. Please open a case with F5 support and request an RFE to support them, and provide as much information as possible, including the IDPs that use them (and any information as to why they are used). Thanks!
- THiNimbostratus
The IdP is a large public authority (state population registry). The IdP is based on Shibboleth.
The request identifies the principal to be logged out using a NameID element, as well as providing a SessionIndex element to uniquely identify the session being closed.
https://issues.liferay.com/browse/LPS-45684
"LogoutRequest NameID should include NameQualifier and/or SPNameQualifier provided by the IdP in its Response NameID. Some IdPs such as Shibboleth might not otherwise be able to find the correct session to logout."
Also for Azure https://azure.microsoft.com/en-us/documentation/articles/active-directory-single-sign-out-protocol-reference/
"The value of the NameID element must exactly match the NameID of the user that is being signed out."
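To make the "must exactly match" rule concrete, here is an added example (not code from the thread, from F5 or from the IdP in question) that copies the qualified NameID from a stored IdP Response into a LogoutRequest and then checks that the two match on the value and on every qualifying attribute. It uses only the Python standard library; the entity IDs, NameID value and SessionIndex are constructed placeholders.

```python
"""Build a SAML LogoutRequest whose NameID mirrors the IdP's Response NameID,
and verify the match the way a strict IdP (Shibboleth, Azure AD) does.
Added example; all sample values below are constructed."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Every attribute that takes part in NameID equality (SAML 2.0 Core NameIDType).
NAMEID_ATTRS = ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")

# Constructed sample: the Subject as a Shibboleth-style IdP returned it.
RESPONSE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 NameQualifier="https://idp.example.test/idp"
                 SPNameQualifier="https://sp.example.test/saml_sp">AAdzZWNy...CtBxVYUk=</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: the bare NameID the question reports APM 11.5.x sending.
UNQUALIFIED_LOGOUT = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml_sp</saml:Issuer>
  <saml:NameID>AAdzZWNy...CtBxVYUk=</saml:NameID>
  <samlp:SessionIndex>_session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def nameid_key(nameid):
    """Comparison key: the text value plus every qualifying attribute.
    A missing attribute (None) is different from an attribute that is set."""
    return (nameid.text or "").strip(), tuple(nameid.get(a) for a in NAMEID_ATTRS)


def extract_nameid(assertion_xml):
    """Return the NameID element from a Response/Assertion document."""
    nid = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}NameID")
    if nid is None:
        raise ValueError("assertion carries no NameID")
    return nid


def build_logout_request(nameid, issuer, session_index, request_id="_constructed-2"):
    """Serialise a LogoutRequest whose NameID is a verbatim copy of `nameid`,
    qualifiers included, plus the SessionIndex that identifies the session."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": request_id, "Version": "2.0",
                      "IssueInstant": "2024-01-01T00:00:00Z"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    copied = ET.SubElement(req, f"{{{SAML}}}NameID",
                           {a: nameid.get(a) for a in NAMEID_ATTRS if nameid.get(a) is not None})
    copied.text = nameid.text
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_nameid_matches(logout_request_xml, assertion_xml):
    """True only if the LogoutRequest NameID equals the Response NameID exactly,
    i.e. same value and same NameQualifier/SPNameQualifier/Format/SPProvidedID."""
    lr_nid = ET.fromstring(logout_request_xml).find(f"{{{SAML}}}NameID")
    if lr_nid is None:
        return False
    return nameid_key(lr_nid) == nameid_key(extract_nameid(assertion_xml))


if __name__ == "__main__":
    issued = extract_nameid(RESPONSE_ASSERTION)
    print("unqualified request accepted:",
          logout_nameid_matches(UNQUALIFIED_LOGOUT, RESPONSE_ASSERTION))   # False
    fixed = build_logout_request(issued, "https://sp.example.test/saml_sp", "_session-1")
    print(fixed)
    print("qualified request accepted:",
          logout_nameid_matches(fixed, RESPONSE_ASSERTION))                # True
```

The design point is that `nameid_key` treats an absent qualifier as a distinct value rather than a wildcard: that is exactly why the unqualified request in the question fails the IdP's session lookup while the copied one passes. On the SP side, the safest implementation is to store the IdP's NameID element as received at login and replay it untouched at logout, rather than reconstructing it from configuration.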
- MarvinCirrocumulus
Is the Name-Identifier Policy Format available in version 13.1.0.8? I don't see this option, but I need this setting to be on version 2.0. I do see the Service Provider Name Qualifier option.
- Lucas_Thompson_Historic F5 Account
Support for NameQualifier and SPNameQualifier is added in BIG-IP APM v13.1. This version will be released very shortly.
- THiNimbostratus
Hi Lucas
Attribute naming seems to be somewhat different (see pic from the 13.1 beta shown below). Are they these: SP Name-Identifier Qualifier & Provider Name?
- Lucas_Thompson_Historic F5 Account
The Name Qualifier settings are in 4 areas:
- SAML SP Connector: SP Name Qualifier
- SAML SP Service: SP Name-Identifier Qualifier
- IdP Service: Name Qualifier
- IdP Connector: Name Qualifier
These correspond to the following BIG-IP MCP settings:
apm aaa saml-idp-connector
- name-qualifier: Specifies the security or administrative domain of the external IdP. This value usually matches the IdP Entity ID.
apm aaa saml
- name-id-policy-sp-name-qualifier: Optionally specifies that the assertion subject's identifier be returned in the namespace of an SP other than the requester, or in the namespace of a SAML affiliation group of SPs. This attribute can be a session variable.
apm sso saml-sp-connector
- sp-name-qualifier: Optionally qualifies an identifier with the name of a service provider or affiliation of providers.
apm sso saml
- name-qualifier: Specifies the security or administrative domain of the IdP (this BIG-IP system). This value usually matches the IdP Entity ID.
- THiNimbostratus
Thanks Lucas, this clarifies. Found those in 13.1.0 beta.