Apache Knox for SAML2 authentication keeps using NameIDFormat entity instead of what is configured

Question

Apache Knox for SAML2 authentication keeps using NameIDFormat entity instead of what is configured

464 Views Asked by Douglas Stead At 20 October 2024 at 22:25

I am trying to enable SSO capabilities for Apache Zeppelin, using Apache Knox, which is configured to redirect auth requests to a Siteminder IdP.

The issue I am having is related to the NameID format configuration, and the signing configuration.

No matter what I configure in the sp/idp metadata, the NameID format used is

urn:oasis:names:tc:SAML:2.0:nameid-format:entity

And the requests are always being sent with Signed requests set to true.

My SP configuration is as follows:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>
  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
   <AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" isDefault="true"  Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
</SPSSODescriptor>

I activated a SAML tracer and attempted the logon user journey. The AuthNRequest being sent to the Siteminder IdP based on this configuration looks like this:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 AssertionConsumerServiceURL="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
                 Destination="https://test-siteminder.com/test/saml2sso"
                 ForceAuthn="false"
                 ID="_yp52mio0oj4ho2niijmnnaikgbkid9tnc5h5ear"
                 IsPassive="false"
                 IssueInstant="2020-02-17T10:19:24.279Z"
                 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                 ProviderName="pac4j-saml"
                 Version="2.0"
                 >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              NameQualifier="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
              >https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client</saml2:Issuer>

I can see a signature value in the Parameters section of the request, which is why I'm assuming that the AuthNRequest is signed (though my understanding of this is minimal, so that could be a wrong assumption!).

Can anyone help explain why the NameIDFormat is coming through as entity, as opposed to unspecified? Does Apache knox support SAML1 protocols?

Thanks in advance!

Original Q&A

There are 1 best solutions below

**Sandeep More** · Answer 1

You mentioned NameID format to be urn:oasis:names:tc:SAML:2.0:nameid-format:entity in your post but in the code you pasted it is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, just a copy paste error ? Looks like protocolSupportEnumeration is also referencing SAML 1 protocol. Knox uses Pac4J under the hood which does not support SAML 1, this might be the reason.

Apache Knox for SAML2 authentication keeps using NameIDFormat entity instead of what is configured

There are 1 best solutions below

Related Questions in SAML

Related Questions in SAML-2.0

Related Questions in KNOX-GATEWAY

Related Questions in APACHE-KNOX

Trending Questions

Popular # Hahtags

Popular Questions