SAML apigee-sso with external IDP issue

Hello,

I've installed Apigee on prem (base components) and now I'm busy with the integration of the apigee-sso component with our external IDP.
Unfortunately our IDP doesn't support "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" as nameid-format.
I've overridden the value of the SSO property "conf_login_saml_provider_nameid" with "urn:oasis:names:tc:SAML:2.0:nameid-format:transient".
Now I'm able to receive the IDP SAML response.
However, the email information is not located under <saml:NameID>. It's located under the SAML attribute "mail" 😞
<saml:AttributeStatement>
<saml:Attribute Name="mail">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxxx@yyy.be</saml:AttributeValue>
</saml:Attribute>
...
</saml:AttributeStatement>
Is there a way to tell the apigee-sso component to search somewhere other than <saml:NameID>, for example in something like <saml:Attribute Name="mail">?

Thanks in advance.

I think the way you can do it is

in 4.19:

edit the SSO Configuration file to add a new setup variable of:

SSO_SAML_IDP_NAMEID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

or whatever is appropriate for your purposes.

And in 4.51, this may be a little different. See here: https://docs.apigee.com/private-cloud/v4.51.00/configure-your-saml-idp

helpful?

Hello,
I've followed your advice and now I'm able to see the User ID within <saml:NameID> of the SAML Response. This SAML is treated by the apigee-sso component and generates the following JWT:
{
"jti": "173a7a85-1f0a-42db-8820-87ce502091a1",
...
"client_id": "newueclient",
"cid": "newueclient",
"azp": "newueclient",
"grant_type": "authorization_code",
"user_id": "73671de0-874d-4117-8c9c-855aead8e151",
"origin": "gestia",
"user_name": "AL6951",
"email": "AL6951@unknown.org",
...
}
The user 'AL6951@unknown.org' was previously created using the management-api.

Despite all the above actions, I don't have access to the new Edge UI 😞

I also saw a reference to client id [newueclient] within the edge-management-ui.log file:

Requesting Access token from http://157.164.172.177:9099/oauth/token with client id [newueclient] and code [9LBpUT93RZNP9PbQ6j3K9jcB] and state [eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJyZnAiOiJ3Ui9Ud2JLTzRNK1h4OEwzY0FDVDBhN0pCVGVzTzlRNnB3bXdtVmVzTS9BPSIsInRhcmdldF9saW5rX3VyaSI6Imh0dHA6Ly8xNTcuMTY0LjE3Mi4xNzc6MzAwMSJ9.]

Any suggestion please?

Many Thanks.

That looks like a JWT, but my understanding is that the SAML relationship is going to be based on XML markup. SAML (Security Assertion Markup Language) is a specific schema applied to XML.

So I don't know why you are seeing a JWT, and I don't know how that would affect the SSO configuration.

You should be seeing a SAML assertion. It will be XML, not JSON. It might look something like this (from samltool):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    ...

Often that SAML Assertion is encoded by the IDP, so you will get a long base64 string that needs to be first base64-decoded, then inflated.

You may want to contact Apigee support to help walk you through the SSO configuration options for SAML partnerships in OPDK. 
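As an added example (not from the thread's participants or from Apigee), here is a small Python inspector for the two problems above: it base64-decodes a SAMLResponse, inflating it only when the payload is raw DEFLATE (Redirect binding; POST-binding bodies are base64 only), then reports whether the e-mail sits in <saml:NameID> with the emailAddress format that apigee-sso expects or only in the "mail" attribute. The sample response is constructed to mirror the original question; it is parsed for inspection only and no signature is verified.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def decode_saml(blob: str) -> bytes:
    """Base64-decode; inflate only raw-DEFLATE payloads (Redirect binding), POST bodies are base64 only."""
    raw = base64.b64decode(blob)
    if raw.lstrip().startswith(b"<"):  # already XML: HTTP-POST binding
        return raw
    return zlib.decompress(raw, -15)   # -15 = raw DEFLATE, no zlib header/trailer

def extract_identity(xml_bytes: bytes) -> dict:
    """NameID (+Format) and 'mail' attribute of the first Assertion. No signature check: inspection only."""
    assertion = ET.fromstring(xml_bytes).find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in message")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    mail = assertion.find(
        "saml:AttributeStatement/saml:Attribute[@Name='mail']/saml:AttributeValue", NS)
    return {"name_id": getattr(nameid, "text", None),
            "name_id_format": nameid.get("Format") if nameid is not None else None,
            "mail_attribute": getattr(mail, "text", None)}

def locate_email(info: dict):
    """apigee-sso wants the e-mail as NameID in emailAddress format; report that, or where it really is."""
    if info["name_id_format"] == EMAIL_FORMAT and info["name_id"]:
        return info["name_id"], "NameID"
    if info["mail_attribute"]:
        return info["mail_attribute"], "Attribute[Name=mail]"
    return None, "missing"

# Constructed sample modelled on the thread: transient NameID, e-mail only in the "mail" attribute.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>http://idp.example.com</saml:Issuer>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d29</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>xxxx@yyy.be</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_POST = base64.b64encode(SAMPLE_XML).decode()  # what an HTTP-POST binding carries
_c = zlib.compressobj(wbits=-15)                      # raw DEFLATE, as the Redirect binding uses
SAMPLE_REDIRECT = base64.b64encode(_c.compress(SAMPLE_XML) + _c.flush()).decode()
```

Run `locate_email(extract_identity(decode_saml(SAMPLE_REDIRECT)))` on a captured response to see which element apigee-sso would have to read; with the constructed sample it reports the "mail" attribute, not NameID.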

Sorry. I agree that I was not so clear.
I wanted to say too many things 🙂
It would be great to contact support because I must have missed something. :-(
I can provide all silent files, all steps I did, all references to Apigee documentation I used, etc.
Also, our IdP now supports emailAddress as the NameID format.

Could you tell me how I contact the support, please?

Thanks.

Hi,

Regarding the JWT I sent before: this JWT is sent between the apigee-sso component and the new Edge UI.

Now all 'SAML steps' (Request & Response) are passed successfully and we follow the Apigee requirements (with emailAddress as the NameID format).

The JWT seems fine. It contains the email address under both JWT fields: user_name and email.

However, I'm still without access to the new Edge UI.

Perhaps I should accept and close this ticket and open another one?

Thanks.

No need to "close this ticket". Just connect with Apigee support. This community forum isn't support. To connect with support you can use your support portal; it's a different website. Open a ticket and they'll assist you in debugging the SSO handshake.

You can reference this community thread when you open the ticket. But they'll take it from here.

OK. I will do it. Thanks