SAML 2.0 assertion - assertion Issuer configuration

ravin
Where should we configure this? It is always taking the default value "SAML user". Can anybody please let me know? This would really help.

Re: SAML 2.0 assertion - assertion Issuer configuration

Minh
Administrator
Hi Ravin,

Have you found the solution yet?

Thanks
Minh-Hai Nguyen
CONNECT Product Team Member

Re: SAML 2.0 assertion - assertion Issuer configuration

Tabassum
Administrator
Hi Ravin,
This is picked from the entity message, and the element is assertion-->samlIssuer-->issuer. If you provide a valid value for this element, it is not going to be overridden by CONNECT code. If you don't provide a value, then CONNECT will default to "SAML user".
<urn1:samlIssuer>
   <urn1:issuer>CN=<valid identity provider>,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</urn1:issuer>
   <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat>
</urn1:samlIssuer>
Thanks
Tabassum
(CONNECT Product Team Member)

Re: SAML 2.0 assertion - assertion Issuer configuration

ravin
Hi Tabassum, thank you for the reply. I don't know how I can change the message which the entity component generates. Does this mean I need to change CONNECT code, or is there a configuration form where this is picked up?

Re: SAML 2.0 assertion - assertion Issuer configuration

ravin
In reply to this post by Minh
No, I am still looking for an answer.

Re: SAML 2.0 assertion - assertion Issuer configuration

Minh
Administrator
In reply to this post by ravin
Hi Ravin,

You need to modify the object parameters in your adapter code before calling the CONNECT entity layer. Hope this makes sense. If not, you can post a sample client here and I can see what I can do.
Minh-Hai Nguyen
CONNECT Product Team Member

Re: SAML 2.0 assertion - assertion Issuer configuration

ravin
In reply to this post by Tabassum
Hi Tabassum: I am still getting the following after adding the assertion as you mentioned.

MA-1061 SAML Assertion: Assertion/saml2:Subject/saml2:NameID is an X.509 Subject Name Format and the value of, 'C=US, O=XXXXXXXX, CN=XXXXXXXX' does NOT appear to be in a conforming X.509 Subject Name format. See specifications: NwHIN Spec Reference: Authorization Framework 3.0: 3.3(2011) Authorization Framework 2.0: 3.3(2010); OASIS Reference : SAML 2.0: 8.3.3.

Re: SAML 2.0 assertion - assertion Issuer configuration

ravin
In reply to this post by Minh
Hi Minh: I am not sure what object parameter you are talking about. Which "object"? What do you mean by "post sample client"? Do you mean a sample client request and response?

We are adding assertions based on the template, which looks like the below:

<urn1:samlIssuer>
   <urn1:issuer>CN=<our CONNECT gateway machine name>,O=AEGISnetInc,C=US</urn1:issuer>
   <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat>
</urn1:samlIssuer> 

We have also created a certificate with the same name (our CONNECT gateway machine name). It looks like DIL is reading the subject name from the SSL public cert. Even if we change the value of issuer in the template, it does not change it in the error message.


Re: SAML 2.0 assertion - assertion Issuer configuration

Minh
Administrator
Hi Ravin,

What I mean is your client Java code (or .NET or PHP) to call CONNECT, and how you pass your object into CONNECT.

Hope this makes sense.

Thanks
Minh-Hai Nguyen
CONNECT Product Team Member

Re: SAML 2.0 assertion - assertion Issuer configuration

ravin
We are using a Java-based (Apache Axis) web service to call CONNECT. I think the issue is that DIL is looking at the X.509 cert, getting the subject name from the "CN" value of the public cert and validating it, and for some reason it does not like it.

The error I am getting is:

MA-1061 SAML Assertion: Assertion/saml2:Subject/saml2:NameID is an X.509 Subject Name Format and the value of, 'C=US, O=AEGISnetInc, CN=XXX.XXXX.XXXX' does NOT appear to be in a conforming X.509 Subject Name format. See specifications: NwHIN Spec Reference: Authorization Framework 3.0: 3.3(2011) Authorization Framework 2.0: 3.3(2010); OASIS Reference : SAML 2.0: 8.3.3.

Re: SAML 2.0 assertion - assertion Issuer configuration

Tabassum
Administrator
Can you confirm you are using this order:
CN=<our CONNECT gateway machine name>,O=AEGISnetInc,C=US

The error message you have posted says:
'C=US, O=AEGISnetInc, CN=XXX.XXXX.XXXX'
Thanks
Tabassum
(CONNECT Product Team Member)

Re: SAML 2.0 assertion - assertion Issuer configuration

ravin
I tried both ways but am still getting the same error.

Re: SAML 2.0 assertion - assertion Issuer configuration

Minh
Administrator
In reply to this post by ravin
Hi Ravin,

You probably did not provide a valid X.509 Subject Name value format. You are probably missing values for:
. organizational unit (organizationalUnitName, OU),
. state or province name (stateOrProvinceName, ST)

Please see this forum post and the RFC for the valid X.509 value format: https://stackoverflow.com/questions/6464129/certificate-subject-x-509 and https://www.ietf.org/rfc/rfc5280.txt

In addition to that, what I mean by object parameter is "your Java client (Apache Axis) method to call our CONNECT gateway and how you construct the parameters".

Hope this will help you.
Minh-Hai Nguyen
CONNECT Product Team Member
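The two pieces of advice in this thread, the samlIssuer element Tabassum describes (an issuer value in X509SubjectName format) and Minh's point that the value must be a well-formed X.509 subject name with no attributes missing, can be checked on the client side before the message ever reaches the gateway. The Python below is an added example written for this page; it is not CONNECT, DIL or Apache Axis code. It parses an RFC 4514 distinguished-name string (handling backslash-escaped commas and multi-valued RDNs), reports unknown attribute types, attributes missing from a required set, and a CN that is not the leftmost RDN, then emits the samlIssuer fragment in the shape posted above. The required set (CN, OU, O, L, ST, C) is taken from Tabassum's template and Minh's hint, not from the NwHIN specification text, so treat it as an assumption and adjust it to your spec; the "CN first" check reflects the ordering Tabassum asked about, and the namespace URI is a placeholder for whatever the urn1 prefix is bound to in your WSDL. The sample DNs in the block are constructed.

```python
# Added example (not CONNECT or DIL code): parse an X.509 subject name given as an
# RFC 4514 string, report attributes that are missing or out of the expected order,
# and emit the <urn1:samlIssuer> fragment from the thread with a validated value.
import re
import xml.etree.ElementTree as ET

# RFC 4514 section 3 short names plus a few common aliases (assumed sufficient here).
KNOWN_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID",
               "SN", "GIVENNAME", "SERIALNUMBER", "E", "EMAILADDRESS"}

X509_SUBJECT_NAME_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Attribute set taken from the template posted in the thread (CN, OU, O, L, ST, C).
# Whether the DIL requires exactly these is an assumption; adjust to your spec text.
REQUIRED_TYPES = ("CN", "OU", "O", "L", "ST", "C")

# Placeholder: bind this to whatever namespace the urn1 prefix maps to in your WSDL.
URN1_NS = "urn:example:urn1-namespace"


def _split_unescaped(text, sep):
    """Split on `sep`, ignoring separators escaped with a backslash (RFC 4514 rule)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return [(TYPE, value), ...] leftmost RDN first; raise ValueError on syntax errors."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        if not rdn.strip():
            raise ValueError("empty RDN in %r" % dn)
        for atv in _split_unescaped(rdn, "+"):   # '+' separates multi-valued RDNs
            if "=" not in atv:
                raise ValueError("missing '=' in %r" % atv)
            attr_type, value = atv.split("=", 1)
            attr_type = attr_type.strip().upper()
            value = re.sub(r"\\(.)", r"\1", value.strip())   # drop backslash escapes
            if not re.fullmatch(r"[A-Z][A-Z0-9-]*|[0-9]+(\.[0-9]+)*", attr_type):
                raise ValueError("bad attribute type %r" % attr_type)
            if not value:
                raise ValueError("empty value for %s" % attr_type)
            pairs.append((attr_type, value))
    return pairs


def check_subject_name(dn, required=REQUIRED_TYPES, cn_first=True):
    """Return (ok, problems). `cn_first` reflects the order asked about in the thread."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return False, ["syntax: %s" % exc]
    types = [t for t, _ in pairs]
    problems = ["unknown attribute type %s" % t for t in types
                if t not in KNOWN_TYPES and not t[0].isdigit()]
    problems += ["missing %s" % r for r in required if r not in types]
    if cn_first and types and types[0] != "CN":
        problems.append("CN is not the leftmost RDN (expected CN=...,...,C=US)")
    return not problems, problems


def saml_issuer_fragment(dn, ns=URN1_NS):
    """Build the <urn1:samlIssuer> element with an X509SubjectName-format issuer.

    Refuses a DN that fails check_subject_name, so a bad value is caught in the
    client before the message is sent rather than in a DIL error afterwards.
    """
    ok, problems = check_subject_name(dn)
    if not ok:
        raise ValueError("issuer %r rejected: %s" % (dn, "; ".join(problems)))
    ET.register_namespace("urn1", ns)
    root = ET.Element("{%s}samlIssuer" % ns)
    ET.SubElement(root, "{%s}issuer" % ns).text = dn
    ET.SubElement(root, "{%s}issuerFormat" % ns).text = X509_SUBJECT_NAME_FORMAT
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed inputs: the shape seen in the error message, the shorter template
    # from the thread, and the full template with all six attributes.
    for candidate in ("C=US, O=AEGISnetInc, CN=gw.example.org",
                      "CN=gw.example.org,O=AEGISnetInc,C=US",
                      "CN=gw.example.org,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US"):
        print(candidate, "->", check_subject_name(candidate))
    print(saml_issuer_fragment("CN=gw.example.org,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US"))
```

Run it as a script to see the three candidates scored: the first two fail (missing OU, L and ST, and in the first case CN is not leftmost), the full template passes and is serialised. Because the samlIssuer value and the certificate subject both end up in the assertion, it is worth running `check_subject_name` over the subject DN of the gateway's own certificate as well, since the thread's error text quotes that subject rather than the template value.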