ADFS 2.0 Interop with Shibboleth

  • Question

  • We have an existing federation using Ping Federate to send SAML assertions to Shibboleth. We would like to replace Ping with ADFS 2.0. However, we are encountering a problem with the format of the attributes. Here are snippets from both assertions.

    SAML 2.0 Assertion From Existing Federation
        <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
          <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EmailAddress">
            <saml:AttributeValue xsi:type="xs:string">user@sample.net</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>

    SAML 2.0 Assertion From ADFS 2.0
        <AttributeStatement>
          <Attribute Name="http://schemas.xmlsoap.org/claims/EmailAddress">
            <AttributeValue>user@sample.net</AttributeValue>
          </Attribute>
        </AttributeStatement>

    Two questions:

    1. Does ADFS 2.0 allow a different Name format? When we tried to use a non-URL Name format, like 'EmailAddress', we get this error.
    The Federation Service encountered an error while processing the WS-Trust request.

    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

    Additional Data

    Exception details:

    System.ArgumentException: ID4216: The claimType 'EmailAddress' must be of format 'namespace'/'name'.

    Parameter name: claimType

    at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)

    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)

    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

    If we change the attribute name to something like 'saml/EmailAddress' the assertion works. But that would require all of our federation partners to change their implementations, which is something we don't want to do.

    2. Can you specify the NameFormat of the assertion? The OASIS spec lists multiple name formats but I don't see a way to specify one. This was listed as a bug in beta 1 but I don't see a fix in rc0. https://connect.microsoft.com/site642/feedback/details/434299/saml-2-0-nameformat-attribute-missing?wa=wsignin1.0#

    Any help would be appreciated.

    Thursday, March 11, 2010 4:43 PM
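The mismatch in the two snippets above can be checked mechanically before an SP-side attribute mapping is trusted. The following is an added example, not code from the original post or from ADFS or Shibboleth: it parses each AttributeStatement, applies the SAML 2.0 core rule that an absent NameFormat means `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`, and reports which expected (NameFormat, Name) pairs are missing. The namespace declarations wrapped around the snippets are assumed, since the originals omit them.

```python
"""Compare SAML 2.0 AttributeStatements the way an SP attribute mapping would."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# SAML 2.0 core 2.7.3.1: if NameFormat is omitted, 'unspecified' is in effect.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample wrapping the snippet from the existing (Ping) federation;
# the namespace declarations are assumed so the fragment parses stand-alone.
PING_STMT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:xsi="{XSI_NS}" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute NameFormat="{BASIC}" Name="EmailAddress">
    <saml:AttributeValue xsi:type="xs:string">user@sample.net</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample wrapping the ADFS 2.0 snippet; the default namespace is
# an assumption, as the original snippet omits its declarations.
ADFS_STMT = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="http://schemas.xmlsoap.org/claims/EmailAddress">
    <AttributeValue>user@sample.net</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {(NameFormat, Name): [values]} with the spec default applied."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        key = (attr.get("NameFormat", UNSPECIFIED), attr.get("Name"))
        out[key] = [v.text for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    return out


def missing_attributes(xml_text, expected):
    """Expected (NameFormat, Name) pairs the statement does not carry.

    An SP configured for the existing federation expects (BASIC, "EmailAddress")."""
    present = parse_attributes(xml_text)
    return sorted(e for e in expected if e not in present)


if __name__ == "__main__":
    expected = {(BASIC, "EmailAddress")}
    for label, stmt in (("Ping", PING_STMT), ("ADFS", ADFS_STMT)):
        print(label, parse_attributes(stmt), missing_attributes(stmt, expected))
```

Run against the two statements, the ADFS one is reported as missing the basic-format `EmailAddress` attribute the SP expects, while the existing federation's statement passes.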
