Changing NameFormat in SAML 2.0 - visual-studio-2005

We are using SAML 2.0. We are supposed to integrate with an external client.
The customer is requesting use to change the following
NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" instead of NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Can we do that. If yes, how?

NameFormat is an attribute of Attribute element under AttributeStatement element of SAML assertion. SAML Core Specification mentions three attribute name format identifiers:
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
urn:oasis:names:tc:SAML:2.0:attrname-format:uri
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Now, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress is a name ID format identifier. It is used as the value of the attribute Format of either NameID, NameIDPolicy, or Issuer element.
When you mentioned that you want to replace urn:oasis:names:tc:SAML:2.0:attrname-format:basic with urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, it puzzles me because they are used for different purposes.
Perhaps you can clarify your question?

In your AuthnRequest, you should have something like:
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SPNameQualifier="xxx"
AllowCreate="true"
/>
Change the format in there e.g. the format above is "transient".

Related

How to add custom validation in plugin configuration?

I have a text field in the configuration section of my plugin. The expected values are numbers separated by ',' eg 1,5,10. User should not be able to set this value to 0. How I can validate the field?
You could hook into the save-event with a subscriber docs
And there you could access the request data and validate it on your own.
My question would by why do you want to do that?
What do the numbers stand for?

Can Jmeter LDAP Request or LDAP Extended Request populate a multi-valued attribute?

I am working on a Jmeter LDAP test plan and the test plan has to populate an attribute on the LDAP that is multi-valued.
When I do an LDAP search sampler, I noted that the value I get back is a string, with the values separated by ", ".
But, if I take the same comma-separated string and try to do an LDAP modify or add, using either an LDAP Request or LDAP Extended Request, I get an error.
So I am wondering if there is a way that the Jmeter LDAP Request or LDAP Extended Request can do that?
Thanks,
Jim
EDIT: When I try to use an Extended LDAP Request modification test/add with the attribute of "", I get this error in the Jmeter GUI response:
When attempting to modify entry cn=xxx... to replace the set of values for attribute lastlogindate, value "20181023085627-04, 20181024063205-04" was found to be invalid according to the associated syntax: The provided value "20181023085627-04, 20181024063205-04" is not a valid generalized time value because it contains an invalid character '-' at position 14
The strange part is that even though I have Jmeter to log at debug level, I don't see any detail on the error in the Jmeter.log, but/so I am guessing that that error message is coming from the Jmeter client itself. I noticed that the message says:
to replace the set of values
so it seems like it recognizes that I am trying to modify/replace a multi-value, but it doesn't seem to like the syntax of the replacement values string(s).
Does anyone know what the correct format SHOULD be?
I found the answer to my own question, or at least "A" answer: It appears that I can use an Extended LDAP request, and add the same attribute in that request, multiple times. So for example, if I am populating an attribute named "foo" the Extended LDAP request would have the following:
attribute value opcode
foo 12345 add
foo 12346 add
etc.
I think I also need to do a replace with no value, to empty the attribute, before all the adds.

Customizing input validation in swagger ui

We are exposing swagger-ui from our webserver using the Swashbuckle package working on top of Asp.Net Core. We are hitting an input validation issue for our Guid input fields.
The GUIDs we are pasting in, which are read from other parts of the system, are formatted as deb83f8a3edc4b78a2ece3321f81b58b, note the missing dashes. The input validation rejects this as it expects dashes in the format (so it accepts deb83f8a-3edc-4b78-a2ec-e3321f81b58b).
The swagger document that we serve has the parameter as type: string and format: uuid. It calls to some internal validationGuid call that have a reg-ex that forces the dashes. From the browser Console it seems like it is looking for a component called JsonSchema_string_uuid but is not finding it.
So my question is how can I extend swagger-ui to override the validation of specific parameter type/formats?
UPDATE:
I was made aware of the RFC that specifies a UUID as containing dashes and a workaround. However, I'm still interested in learning about ways to customize the validation of both custom formats and specifically uuid?
While the OpenAPI Specification and JSON Schema do not currently define format: uuid, RFC 4122 defines UUID as containing dashes, and some comments in the OpenAPI repository suggest that format: uuid is supposed to follow RFC 4122. This means your example without dashes is most likely not format: uuid.
Consider replacing format: uuid with pattern: '^[A-Fa-f0-9]{32}$'.

Can I get saml-token as string?

I am using spring-security-saml2 1.0.0.RELEASE.
It works well and pretty good for me.
But New requirement is rised. I need saml-token as string.
can I get the saml-token as string. I find saml-token in log.
But how to get the saml-token as string format?
Good question, I've just added a new chapter to the Spring SAML manual which addresses this issue:
Authentication assertion
Assertion used to authenticate user is stored in the
SAMLCredential object under property authenticationAssertion. By
default the original content (DOM) of the assertion is discarded and
system only keeps an unmarshalled version which might slightly differ
from the original, e.g. in white-spaces. In order to instruct Spring
SAML to keep the assertion in the original form (keep its DOM) set
property releaseDOM to false on bean WebSSOProfileConsumerImpl.
Assertion can be serialized to String using the following call:
XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()))

How to verify whether the header has the property or not using Spring Integration Expression?

I need to verify whether the header has a specific property or not using Spring Integration Expression. Please see below code:
<int:router input-channel="PQAdditionalContactHistory-Format-Response-Router" expression="headers.get(pqAdditionalContactHistoryJob)" ignore-send-failures="true">
<int:mapping value="PQAdditionalContactHistory" channel="PQContactHistory-PQAdditionalContactHistory-Format-Response"/>
</int:router>
In the above code, I need to verify whether the property pqAdditionalContactHistoryJob exists in the header or not.If so it needs to be routed based on the value.
Can anyone please provide an expression to evaluate my scenario.
The Elvis operator is your friend.
expression="headers['pqAdditionalContactHistoryJob'] ?: 'nullChannel'"

Resources