user1232555

Reputation: 1249

Can WSO2 Identity Server send back the email address in the NameID of a SAML response?

I am trying to configure WSO2 Identity Server with a cloud app.

So far I have managed to:

  1. The cloud app being redirected to WSO2 IS and its login page appearing.
  2. The WSO2 IS login being successfully authenticated against an LDAP-backed secondary user store.

However the cloud app login still fails. I think this is because the SAML response has the username and the cloud app wants the user email address instead of the username. I say this because you configure users in the cloud app with their email addresses and not usernames.

So is there any way you can get WSO2 IS to return the email address instead of the username? I enclose the SAML to illustrate what I mean: I'd like my email address to be returned in the <saml:NameID> field and not my user name smith.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://cloudapp.com/auth/saml/callback"
             ID="ijnccdceglphfggpnhhdkckhdkendndabahdjlef" InResponseTo="_4b740f60-a420-0132-eb44-002590a743aa"
             IssueInstant="2015-03-03T22:12:25.000Z" Version="2.0"
             xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost
</saml2:Issuer>
<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="kjggobfabnbnfnpbngjeeolfjjjoimapmkpadbfl" IssueInstant="2015-03-03T22:12:25.000Z" Version="2.0"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">smith</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_4b740f60-a420-0132-eb44-002590a743aa"
                                           NotOnOrAfter="2015-03-03T22:17:25.000Z"
                                           Recipient="https://cloudapp.com/auth/saml/callback"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-03-03T22:12:25.000Z" NotOnOrAfter="2015-03-03T22:17:25.000Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>https://cloudapp.com/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-03-03T22:12:25.001Z">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>

Upvotes: 1

Views: 788
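As an added example (not part of the question or the answer), the following Python check reads a SAML response like the one posted above and reports what a service provider would reject in its Subject and Conditions: a NameID whose value is not an email address although its Format declares emailAddress, an Audience that is not the SP, and a Recipient that is not the SP's assertion consumer URL. The sample response is constructed and trimmed from the one in the question; the expected audience and ACS URL are assumptions taken from its Audience and Destination values.

```python
import re
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample, trimmed from the response in the question: the NameID
# declares the emailAddress format but carries the bare username "smith".
SAMPLE_RESPONSE = """<saml2p:Response ID="r1" Version="2.0"
    Destination="https://cloudapp.com/auth/saml/callback"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion ID="a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">smith</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="https://cloudapp.com/auth/saml/callback"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://cloudapp.com/</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def check_subject(xml_text, expected_audience, expected_acs):
    """Return the Subject/Conditions problems an SP would report (signature and
    timestamp checks are deliberately left out; they are not the issue here)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    fmt, value = name_id.get("Format", "unspecified"), (name_id.text or "").strip()
    # The SAML 1.1 emailAddress format requires an addr-spec (local@domain),
    # so a username in this slot is rejected or matches no user at the SP.
    if fmt == EMAIL_FORMAT and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        problems.append(f"NameID {value!r} is not an email address but Format is emailAddress")
    # The assertion must be addressed to this SP and delivered to its ACS URL.
    audience = root.findtext("a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience", "", NS)
    if audience != expected_audience:
        problems.append(f"Audience {audience!r} != {expected_audience!r}")
    scd = root.find("a:Assertion/a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append(f"Recipient does not match ACS URL {expected_acs!r}")
    return problems
```

Running `check_subject(SAMPLE_RESPONSE, "https://cloudapp.com/", "https://cloudapp.com/auth/saml/callback")` returns a single finding about the NameID; once the IdP puts the email claim in the NameID, the same call returns an empty list.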

Answers (1)

Asela

Reputation: 5821

Yes, you can do this using configuration in WSO2 IS. By default WSO2 IS returns the authenticated username, but you can select which attribute of the authenticated user must be added as the NameID in the SAML2 Assertion. If you are using IS 5.0.0, under the claim configurations you can find a configuration called Subject Claim URI. Here you can select the desired claim URI that must be used as the NameID. You can find more configuration detail from here under the topic "User Name for SAML2 Assertion".

However, when you are using email, if you find any issues, you may need to configure the following element in the carbon.xml file. The above link contains more about it.

<EnableEmailUserName>true</EnableEmailUserName>

Upvotes: 4
