November 8, 2017 at 7:11 pm #19490prayachoParticipant
I am having problem with attribute mapping.
I am using OpenAM 13 as my IdP and Tableau Server as my SP. SP is expecting the IdP to return an assertion that includes the ‘username’ value in the saml:AttributeStatement element.
So, I did attribute mapping in my IdP as username=uid, since my local attribute name is uid (uid attribute exists for the user).
Now, when I access my SP’s URL, it is redirecting it to my configured OpenAM IdP and after successful login, I am getting a HTTP 500 error saying ‘Unable to do sso or federation’. I have enabled ‘message’ level logs for debugging federation log and I see ‘Unable to generate NameID value’ error in federation log.
Could you please help me with this issue?November 15, 2017 at 9:34 am #19600ShivharshParticipant
Can you please confirm the NameID-format that you are using at IDP? If you are using persistent or transient the NameID value coming from IDP in assertion will contain just a random string. If you wish to get username as NameID value in assertion, you would have to use a NameID-format other than Transient or Persistent and add a corresponding value in NameID-Value map. NameID value mapping can be set on hosted IDP’s assertion content tab.
Path :- >> Federation >> Assertion Content >> NameID format
Sample NameID-Value entry:-
Once modified, the value returned in assertion response can be verified in SAML2.access log in ~/OpenAM/log/ .
<samlp:ArtifactResponse> <samlp:Response> <saml:Assertion xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" Version=""2.0"" ID=""s20395dae652e2ee8bc16daa297bceb39cf4275b32"" IssueInstant=""2017-11-14T12:05:08Z"">\\n <saml:NameID NameQualifier=""http://idp.ec.in:8080/OpenAM-12.0.0"" SPNameQualifier=""http://sp.ec.com:8080/OpenAM-12.0.0"" Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"">demo</saml:NameID> </saml:Assertion> </samlp:Response> </samlp:ArtifactResponse>
Hope this is helpful !November 17, 2017 at 2:07 am #19642Scott HegerParticipant
Another cause for this is when you specify an attribute to be used in your NameID that is not included in the list of user attributes in your Data Store. So for example if you are using the unspecified NameID format and have something like:
Then you need to ensure that “myAttribute” exists in the “LDAP User Attributes” list in your Data Store and also that the user you are authenticating with has a value for that attribute it its profile.May 21, 2018 at 3:33 pm #21893ThiruJayParticipant
I have situation wherein i need to useurn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=mail in IDP for mapping but while returning to SP , i need to return as FirstName$LastName. The custom IDP mapper example shown in the docs appends the nameID value but it does not shows how to pull firstname and LastName and return as SAML assertion.
The SP only has FirstName$LastName to map and we dont have that combination in our AD.
Any suggestion would be helpful.
You must be logged in to reply to this topic.