If you need to create multiple domains on your localhost for testing purposes, here is what I do:
Create the 1st domain as normal.
For the 2nd (and each additional) domain:
1. use the config wizard to set up the domain, until towards the end
2. on the "Select Optional Configuration" screen, check "Administration Server"; then you can select a different admin port (I believe you can also simply change the port after configuration, in config.xml with <listen-address>)
3. after the domain is created, edit domain/bin/setDomainEnv.cmd and find
if "%DEBUG_PORT%"=="" (
set DEBUG_PORT=8453
)
change the port number to something new, e.g. for the 2nd domain set it to 8454, for the 3rd domain set it to 8455, etc.
While I'm at it, here is how to delete a domain:
1. delete "user-projects/domains/your-domain-folder" (or rename it)
2. go to the middleware home (c:\oracle\middleware) and, in domain-registry.xml, delete the your-domain entry
3. oh, and remember to delete the "user-projects/applications/your-domain-name" folder as well.
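As an added example (not from the post), here is a small Python helper that performs step 3 for every domain and checks that no two domains end up sharing a DEBUG_PORT; the setDomainEnv.cmd contents and domain names are constructed samples, and the DOMAIN_HOME path inside them is a placeholder.

```python
import re

# Matches the DEBUG_PORT default block that setDomainEnv.cmd ships with (see the snippet above).
DEBUG_PORT_BLOCK = re.compile(r'(if "%DEBUG_PORT%"=="" \(\s*set DEBUG_PORT=)(\d+)(\s*\))')

def get_debug_port(script_text):
    """Return the default DEBUG_PORT a setDomainEnv.cmd would use, or None if the block is absent."""
    m = DEBUG_PORT_BLOCK.search(script_text)
    return int(m.group(2)) if m else None

def set_debug_port(script_text, new_port):
    """Rewrite only the number inside the DEBUG_PORT block; everything else in the script is untouched."""
    if not 1024 <= new_port <= 65535:
        raise ValueError("pick an unprivileged port number")
    text, n = DEBUG_PORT_BLOCK.subn(lambda m: m.group(1) + str(new_port) + m.group(3), script_text)
    if n != 1:
        raise ValueError("expected exactly one DEBUG_PORT block, found %d" % n)
    return text

def port_collisions(domain_scripts):
    """Map each DEBUG_PORT used by more than one domain to the list of domains sharing it."""
    by_port = {}
    for domain, text in domain_scripts.items():
        by_port.setdefault(get_debug_port(text), []).append(domain)
    return {p: ds for p, ds in by_port.items() if len(ds) > 1}

def assign_unique_ports(domain_scripts, first_port=8453):
    """Give the n-th domain (sorted by name) first_port + n, as the post suggests: 8453, 8454, 8455, ..."""
    return {d: set_debug_port(t, first_port + i) for i, (d, t) in enumerate(sorted(domain_scripts.items()))}

# Constructed sample: two freshly created domains, both still carrying the default 8453 (CRLF line endings).
TEMPLATE = 'set DOMAIN_HOME=C:\\PLACEHOLDER\\user_projects\\domains\\%s\r\n' \
           'if "%%DEBUG_PORT%%"=="" (\r\n\tset DEBUG_PORT=8453\r\n)\r\n'
DOMAINS = {"domain1": TEMPLATE % "domain1", "domain2": TEMPLATE % "domain2"}

if __name__ == "__main__":
    print(port_collisions(DOMAINS))                       # {8453: ['domain1', 'domain2']}
    print(port_collisions(assign_unique_ports(DOMAINS)))  # {}
```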
Monday, June 17, 2013
Tuesday, June 11, 2013
salesforce.com and Shibboleth SSO
It's an odd subject for me to blog about. My knowledge level of salesforce.com is practically 0; my knowledge level of Shibboleth: 0. I learned this word and the product a few days ago, when I had to help diagnose an SSO issue between force.com and a client site.
There are tons of posts sharing experiences of how to make SSO work between force.com and Shibboleth. Everyone shared their success and failure stories. I mostly chewed on these posts and, with trial and error, made it work in our case. I thought I'd share what I learned.
Shibboleth version: 2.3.5.
On the force.com side:
Part I
1. check SAML Enabled (leave "User Provisioning Enabled" unchecked), choose SAML version 2.0
2. set the issuer as provided by the IDP: https://sso.example.edu/idp/shibboleth
3. import the certificate the client's Shibboleth IDP provided
4. select Federation ID
5. select the option that the user ID is in an attribute, and fill in the attribute name and format (I collected these from a sample IDP response assertion; see the sample assertion below, towards the bottom of the payload)
6. Entity ID: https://saml.salesforce.com
7. HTTP Redirect
save changes
Edit screen dump:
View screen dump:
8. On the SSO settings page, click "Download Metadata", save the file and send it to the IDP, and ask them to update relying-party.xml to point to this file (MetadataProvider/@metadataFile)
Part II
Select the Setup menu, search for "my domain", then select "Use the following Authentication Service My SAML IDP"
Part III
IDP side:
- update relying-party.xml (as in step 8 above)
- set encryption to OFF
- set signing to ON
That did the trick.
Here is the sample metadata dump:
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://saml.salesforce.com" validUntil="2023-06-11T21:25:53.105Z">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFBzCCA++gAwIBAgIQDJ4ihF+4VYzLxb+qASp7IzANBgkqhkiG9w0BAQUFADCBvDELMAk
GA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbi
...
xcHB+08lZiJzKwN/yg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.salesforce.com/?saml=MgoTx78aEPqYOjf4wsNP4y2cWzUwlVn8UjYAqjjrKUbZUNj9Y1hnr9fJpa" index="0" isDefault="true"/>
<md:AttributeConsumingService index="0" isDefault="true">
<md:ServiceName xml:lang="en">Salesforce.com</md:ServiceName>
<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Here is a sample response assertion:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.salesforce.com" ID="_70d94b9224a1f64d1bc1d08a7e0f82a8" InResponseTo="_2QbMVwlP6T4mfIKpaguiKDq1rvofuyOI2ueT5fZIQgZ9m6lSZGRWjkDAEd5sEc12NjwotQcMb_XPhwTjcxWcMxobH3fduZo8KoINe.8L0XGshPftH8XN1x907ZyfA4VWJ_3.LlbBtovzGixXRAOzLv8i6srSME.ujlR2g6KpU3x6auSu9Dv7kx5f3r_u32dPF0PEZKODHMtxlVXaycGYuMgC2w0s8.g" IssueInstant="2013-06-11T16:03:15.201Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.examle.edu/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_70d94b9224a1f64d1bc1d08a7e0f82a8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>papIEukge3hRwbglEkofGy/ybdI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>q7Sdhz8UC46qUE+yycOoQQ2bLorgZ6HJvONokm9aa1bv+bF4MAljS8p7M7aYeyDZnGk+rDyrQzO+ctL0IfjNZimE8dhW1dt1HDS/6cjyK7zKWZMueEHRWbZPs6GYOYHSYWr2DFplngJYbwZQ4CfNp4yCHjOuGoo0I9Tr0P24/V8b3RMNnN5XAK5GPR/nW+nYsCS8UWeMOcRLg+NvjMfVGczL2Z4XfUHT6Odj6ckiEPCQkzRwg26bl//Lz0zMgDN7QtX0BflMLuS09trDHKfblLCtXAakSjBfaythCxpKCvSIUgMk1FlwCRS+15/YYBF+dTGf8mWCCgFJ6ZF+Euz/Kw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDHzCCAgegAwIBAgIUHPSdb4ae0QA3fyeEIe7wKXi2oT0wDQYJKoZIhvcNAQEFBQAwGDEWMBQG
...
ztgLcVw=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_09daf40a77318b7f391fa99c5d2829de" IssueInstant="2013-06-11T16:03:15.201Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.examle.edu/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_09daf40a77318b7f391fa99c5d2829de">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>cJ6IIEUMHXI6f4qAhgnLl5RPqTA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>a1HCaukY6f6WfB65rSt5zDug+GoAiBohujqt5DSnjYBIg5X9VSCoLIop+sqG790h/v1fTuQyeOXCQpuC745sWn8lFNFPqR8SjZqMR2G6JDHjDtOWpgB4zjWcES3i6SAwSlnEL63WUj0vzCuqt6JYyUmg+xKr8kBVUz4MZEch08pKj4qbeao58WD1YXWBUeT6yHPe44YG9FoPHiP+SicQ/Ea4qwOtnogh6oF8aM4tpAcpyNw924uOPcDe5d20suBZ1DgTLM+B6nLWhxH5FDvmsU9TmGOWAQ63fGY+ZYKN+GFsieiYIPbT6XKOYcOwaxtYdZ7hoebhdv5f4sLvHxRjGQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDHzCCAgegAwIBAgIUHPSdb4ae0QA3fyeEIe7wKXi2oT0wDQYJKoZIhvcNAQEFBQAwGDEWMBQG
...
ztgLcVw=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://sso.examle.edu/idp/shibboleth">4nKARGsfororZJ89y5wDMkZJuE4=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.25.181.45" InResponseTo="_2QbMVwlP6T4mfIKpaguiKDq1rvofuyOI2ueT5fZIQgZ9m6lSZGRWjkDAEd5sEc12NjwotQcMb_XPhwTjcxWcMxobH3fduZo8KoINe.8L0XGshPftH8XN1x907ZyfA4VWJ_3.LlbBtovzGixXRAOzLv8i6srSME.ujlR2g6KpU3x6auSu9Dv7kx5f3r_u32dPF0PEZKODHMtxlVXaycGYuMgC2w0s8.g" NotOnOrAfter="2013-06-11T16:08:15.201Z" Recipient="https://test.salesforce.com"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2013-06-11T16:03:15.201Z" NotOnOrAfter="2013-06-11T16:08:15.201Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://saml.salesforce.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2013-06-11T16:03:14.850Z" SessionIndex="7143fd8ba813f44fa9fb11512f50175b00ab09b21b7ca7d442164ebbda6b8281">
<saml2:SubjectLocality Address="10.25.181.45"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>john.doe@examle.edu</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
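As an added example (not code from the post, Salesforce or Shibboleth), the following Python checks a SAML Response against what the SP metadata above promises: the Audience must equal the metadata entityID, the bearer Recipient must be the AssertionConsumerService, InResponseTo must match the AuthnRequest the SP issued, the validity window must hold, and every isRequired RequestedAttribute must be present. The metadata and response embedded in it are constructed, trimmed versions of the dumps above with the signatures removed; XML signature verification against the IdP certificate (the reason signing is ON on the IDP side) is assumed to happen before these checks and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP metadata, cut down to the shape of the Salesforce download above (token is a placeholder).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
<md:SPSSODescriptor WantAssertionsSigned="true">
<md:AssertionConsumerService Location="https://test.salesforce.com/?saml=PLACEHOLDER_TOKEN" index="0"/>
<md:AttributeConsumingService index="0"><md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""
# Constructed IdP response, cut down to the shape of the sample assertion above (signatures omitted).
RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" InResponseTo="_req1"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion ID="_a1">
<saml2:Issuer>https://sso.example.edu/idp/shibboleth</saml2:Issuer>
<saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2013-06-11T16:08:15.201Z" Recipient="https://test.salesforce.com"/>
</saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2013-06-11T16:03:15.201Z" NotOnOrAfter="2013-06-11T16:08:15.201Z">
<saml2:AudienceRestriction><saml2:Audience>https://saml.salesforce.com</saml2:Audience></saml2:AudienceRestriction>
</saml2:Conditions><saml2:AttributeStatement><saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
<saml2:AttributeValue>john.doe@example.edu</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
</saml2:Assertion></saml2p:Response>"""

def parse_ts(s):  # SAML timestamps are UTC ISO-8601 with a 'Z' suffix
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def url_key(u):  # scheme, host and path only: the dump above shows Recipient without the ACS query string
    p = urlsplit(u)
    return (p.scheme, p.netloc, p.path.rstrip("/"))

def check_response(response_xml, metadata_xml, expected_issuer, request_id, now):
    """Return the failed checks; an empty list means the assertion matches what the SP metadata promised."""
    sp, r = ET.fromstring(metadata_xml), ET.fromstring(response_xml)
    a = r.find("saml2:Assertion", NS)
    cond = a.find("saml2:Conditions", NS)
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    acs = sp.find("md:SPSSODescriptor/md:AssertionConsumerService", NS).get("Location")
    present = {x.get("Name") for x in a.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    problems = []
    if a.find("saml2:Issuer", NS).text.strip() != expected_issuer:
        problems.append("assertion Issuer is not the configured IdP")
    if cond.find("saml2:AudienceRestriction/saml2:Audience", NS).text.strip() != sp.get("entityID"):
        problems.append("Audience is not our entityID")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    if r.get("InResponseTo") != request_id or scd.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    if url_key(scd.get("Recipient")) != url_key(acs) or now >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation Recipient/NotOnOrAfter rejected")
    for req in sp.findall(".//md:RequestedAttribute[@isRequired='true']", NS):
        if req.get("Name") not in present:
            problems.append("required attribute missing: " + req.get("Name"))
    return problems
```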