1

I'm failing to set up MellonUser in my Apache configuration. The NAME_ID my IdP provides is really a session ID that changes every time, and it's the only data available in the Subject of the response.

The data I need (the real username) is contained in one of the Attributes, but I don't know how to make this the value of MellonUser.

This is the Subject portion of my SAML response:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">zxdRaLL4wCpt5ad1wecb2VEyDyPVI+nZWnQDex1qeBE=</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_3CA900360D4B24CC52F2D126E0A998CA"
          NotOnOrAfter="2019-04-24T15:55:49.758Z"
          Recipient="- REDACTED :) -"/>
  </SubjectConfirmation>
</Subject>

And the attributes I need:

<AttributeStatement>
...
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>THE_USERNAME_I_WANT</AttributeValue>
    </Attribute>
...
</AttributeStatement>

Can you help with how to put this attribute as the value of MellonUser?

lithiium

1 Answer

0

I could not find how to manipulate the fields like I wanted, but discovered that as an SP I can control what is returned as NAME_ID.

Adding <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> to my SP metadata gave me what I wanted.

lithiium
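The distinction this thread turns on, a transient NameID versus a stable identifier, shown as an added example that is not part of the original posts. The function `pick_username` and the wrapping `Assertion` element are assumptions made here; the sample values are the ones from the question, and the code assumes the assertion's signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample: the Subject and Attribute from the question, wrapped in
# an Assertion element with the SAML 2.0 namespace so it parses stand-alone.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">zxdRaLL4wCpt5ad1wecb2VEyDyPVI+nZWnQDex1qeBE=</NameID>
  </Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>THE_USERNAME_I_WANT</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def pick_username(assertion_xml, attr_name=NAME_CLAIM):
    """Return (username, source) for an already signature-verified assertion.

    A transient NameID is a per-session handle, so it is never used as the
    account name; the named attribute is used instead. Raises ValueError when
    no stable identifier is present rather than falling back silently.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format") != TRANSIENT:
        if (name_id.text or "").strip():
            return name_id.text.strip(), "NameID"
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if len(values) == 1:  # refuse ambiguous multi-valued identifiers
            return values[0], "attribute"
        raise ValueError("expected exactly one value for " + attr_name)
    raise ValueError("no stable user identifier in assertion")


if __name__ == "__main__":
    print(pick_username(SAMPLE))
```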