Cannot map the persistent NameIdentifier to a non LDAP store attribute eg. with virtual attributes

  • 7018540
  • 27-Jan-2017
  • 31-Jan-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2

Situation

Access Manager 4.2.2 acting as a federation identity provider for Office 365 using SAML protocol.

The AD objectGUID attribute that is sent in assertion by default is not guaranteed to be unique in a customers environment, so we created a virtual attribute to make it unique.
When we go into the 'Authentication Response' configuration TAB for the Office 365 SAML2 SP, there's no option to specify what attribute to send with the persistent nameidentifier. Using the Property Name “SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME” (given in https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/b12ir4yc.html#b12irbqe), we can map any of the LDAP attributes of a User Store, but not anything outside this.

In our setup, we generated a virtual attribute with some javascript to make the immutableID unique, but we did not save it on the user store - we simply wanted to retrieve it as a virtual attribute. However we cannot send a virtual attribute when using “SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME” property. We mapped it to the virtual attribute name but never sent it.

Resolution

Apply 4.2.3 and do the following to make sure a virtual attribute is sent as NAMEID value to OFFICE365:

1. Create a virtual attribute.

This virtual attribute configuration should ensure that the final value of the virtual attribute is a base64 encoded value. It could be achieved either by

a) virtual attribute retrieving a value stored in base64 encoded format from an attribute source(ldap or database)  or
b) after retrieving the plaintext value from attribute source (ldap or database) virtual attribute attribute transformation advanced javascript can convert it to base64 encoded value

2. In the SAML options of the NAM SP configuration for Office 365, add a property name/value pair as follows:
Property Name: SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME
Property Value: <virtual attribute name>

This step will ensure that NAMEID value is fetched based on this name. At this point, the name is considered as a user attribute.

3. Add the virtual attribute created in the step 1 to the attribute set created for the SAML SP configuration for Office 365. This step ensures that the name specified in SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME is mapped to the virtual attribute with that name. If the virtual attribute is not added to the attribute set, NAM will consider the name as a normal ldap attribute name and it may fail if the ldap attribute name is not found in the userstore.

Additional Information

When we try and use the virtual attribute name with the SAML property, we get the following:

Local Response:
  <ldap:QueryResponse(urn:novell:ldap:2006-02)>:ns=urn:novell:ldap:2006-02 nspfx=ldap itemIdRef=ivkyw3nc3z21wv ti
meStamp=2016-11-16T13:32:14Z
   <ldap:Status(urn:novell:ldap:2006-02)>:code=ldap:OK
   <ldap:Data(urn:novell:ldap:2006-02)>:
      Markup (Count: 1):
       UniqueId: ivkyw3ndhni1wx
        Markup: Name: IDSISISMetaDataPolicy
           access:
Never
           requestor name: local
           requestor id: local
           xpath: /UserAttribute[@ldap:targetAttribute="eMailAddrWithSwitchedDomain"]
           display name: LDAP User Attribute Named eMailAddrWithSwitchedDomain
    itemIdRef: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUs
erAttribute~5B~40ldap~3AtargetAttribute~3D~22eMailAddrWithSwitchedDomain~22~5D </amLogEntry>

<amLogEntry> 2016-11-16T13:32:14Z DEBUG NIDS WSC:
Method: WSCQRequestThread.lookupAtLocalService
Thread: ajp-bio-127.0.0.1-9019-exec-23
Response removed because null or zero objects! </amLogEntry>

<amLogEntry> 2016-11-16T13:32:14Z DEBUG NIDS WSC:
Method: WSC.A
Thread: ajp-bio-127.0.0.1-9019-exec-23
Completed Request. Response:     WSCResponse:
      Status: All Failure
        WSCQResponseEntry:
          WSCQLDAPToken:
           Model Entry: UserAttribute
           Unique Id: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~
40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22eMailAddrWithSwitchedDomain~22~5D
           Select String: /UserAttribute[@ldap:targetAttribute="eMailAddrWithSwitchedDomain"]

          Status: DataNotAvailable
    WSCQResponse: </amLogEntry>

<amLogEntry> 2016-11-16T13:32:14Z WARNING NIDS Application: AM#300105036: AMDEVICEID#28142828381AE11D: AMAUTHID#2
F4B9499A7B89F9BE101514463146429:  Assertion NameID value is null, check user cn=ncashell,ou=sa,o=system attribute
 eMailAddrWithSwitchedDomain value. </amLogEntry>

We try and retrieve the attribute from the LDAP store - but it is not an LDAP attribute. If we change the config so that we add the virtual attribute to the attributestatement, we clearly see that try and pull the info from another virtual attrib source

Method: WSC.A
Thread: ajp-bio-127.0.0.1-9019-exec-22
Completed Request. Response:     WSCResponse:
      Status: All Success
        WSCQResponseEntry:
          WSCQLDAPToken:
           Model Entry: UserAttribute
           Unique Id: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~
40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22mail~22~5D
           Select String: /UserAttribute[@ldap:targetAttribute="mail"]

          Status: OK
          Location Cookie: com.novell.nidp.liberty.wsf.idsis.ldapservice.IDSISLDAPService
          Value:
            <ldap:UserAttribute(urn:novell:ldap:2006-02)>:             Id: ivkyqtov2du1vp
             Target Attribute: mail

             <ldap:Value(urn:novell:ldap:2006-02)>:              Encoding: none
              Value: *****

        WSCQResponseEntry:
          WSCQLDAPToken:
           Model Entry: VirtualAttribute
           Unique Id: NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AVirtualAttribute~40~40~40~40WSCQLDAPToken~40~40~
40~40~2FVirtualAttribute~5B~40ldap~3AtargetAttribute~3D~22eMailAddrWithSwitchedDomain~22~5D
           Select String: /VirtualAttribute[@ldap:targetAttribute="eMailAddrWithSwitchedDomain"]

          Status: OK
          Location Cookie: com.novell.nidp.liberty.wsf.idsis.ldapservice.IDSISLDAPService
          Value:
            <ldap:VirtualAttribute(urn:novell:ldap:2006-02)>:             Id: ivkyqtp03rb1vr
             Target Attribute: eMailAddrWithSwitchedDomain

             <ldap:Value(urn:novell:ldap:2006-02)>:              Encoding: none
              Value: *****

    WSCQResponse: </amLogEntry>


The difference is we use:

Select String: /VirtualAttribute[@ldap:targetAttribute="eMailAddrWithSwitchedDomain"]

versus
Select String: /UserAttribute[@ldap:targetAttribute="eMailAddrWithSwitchedDomain"]