Skip to main content

Change NameID format in SAML Response in WSO2 Identity Server

By default the SAML response of the WSO2 Identity Server will contain the tenant domain in the response. See the below response block which containts the tenant domain appended to the NAMEID element.

<saml2:NameIDFormat
="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@carbon.super
</saml2:NameID>

If you want to get rid of the tenant domain being appended you can follow one of the below methods to accomplish this


Method 1 - Disabling this option from the management console.

Log into the management console of the Identity Server

Expand your service provider configuration and select the 'Local & Outbound Authentication Configuration' option

Untick the option 'Use tenant domain in local subject identifier'

             

Now the tenant domain would not be displayed in your SAML response.
Method 2 - Setting this value for the file based Service Provider configurations

 Given that you have configured the service provider through a configuration file following the documentation [1], below are the steps which you would need to follow to get rid of the domain being appended to the Nameid in the SAML response.


1. Open up you service provider configuration file and then navigate to the configuration marked as <LocalAndOutBoundAuthenticationConfig> . Just above the closing tag of it add the below xml configuration. This will set the subject claim to be the given name instead of the domain qualified name.

<subjectClaimUri>http://wso2.org/claims/givenname</subjectClaimUri>

2. Next we need to add the below configuration which is highlighted under the claim configuration section of the same file.

<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs> <InboundProvisioningConfig></InboundProvisioningConfig> <OutboundProvisioningConfig></OutboundProvisioningConfig> 

 <!-- ADD NEW CONFIG MENTIONED BELOW --> 

<ClaimConfig> 
       <LocalClaimDialect>true</LocalClaimDialect> 
</ClaimConfig> 
<PermissionAndRoleConfig></PermissionAndRoleConfig> 
</ServiceProvider>

After adding this restart the identity server. You would be able to see the NameID without the @carbon.super post-fix.

References :

[1] https://docs.wso2.com/display/IS500/Adding+a+Service+Provider+and+Identity+Provider+Using+Configuration+Files
Labels:

Comments

Post a Comment

Popular posts from this blog

Invoking external endpoints using the call mediator in wso2 api manager

Introduction In API Manager if you need to do any service chaining use cases the call mediator comes in handy. If you need to use the response received by invoking one endpoint and then use it to invoke another endpoint you can use the call mediator in API Manager. The call mediator behaves in a synchronous manner. Hence, mediation pauses after the service invocation and resumes from the next mediator in the sequence when the response is received. You can read more about the call mediator in the wso2 esb documentation [1] . In api manager 1.10.0 the call mediator works in the blocking mode. Prerequisite Before we can use the call mediator in API Manager 1.10.0 we need to make the following changes to some configs. We need to comment the jms transport sender in axis2_blocking_client.xml found in the location APIM_HOME/repository/conf/axis2. This will resolve the jms sender initialization issues.   <!--transportSender name="jms"        ...
1 comment
Read more

Processing large payloads with the esb script mediator iteratively

Overview WSO2 ESB uses Rhino engine to execute JavaScripts. Rhino engine converts the script to a method inside a Java class. Therefore, when processing large JSON data volumes, the code length must be less than 65536 characters, since the Script mediator converts the payload into a Java object. However, you can use the following alternative options to process large JSON data volumes. The script mediator which is used in ESB is powered by the Rhino engine. Therefore, when processing large JSON data volumes, the code length must be less than 65536 characters which is a limitation in the script mediator being used in the esb versions less than 5.0.0. In ESB 5.0.0 there is a higher capability to process larger payloads using script mediator. In order to process such large payloads we can follow the below two approaches. 1. Replace the javascript tranformation logic using java code by writing a custom mediator. [1] 2. Break down the large payload and execute them as sections using ...
Post a Comment
Read more

Adding error sequence to a custom sequence

In my previous posi i explained how to call an endpoint using the call mediator. Usually when errors are thrown from the call mediator we can handle them using a custom sequence. When call mediators fails the execution stops hence handling errors is very essential. For this post I will be modifying the same sequence which i created in the blog post [1] The change which we need to do is we need to modify the sequence definition to map with the error sequence as shown below. You can find the modified sequence here . <sequence xmlns="http://ws.apache.org/ns/synapse" name="countrySequenceWithError" onError="countryErrorSequence"> <property name="uri.var.countryCode" expression="$url:countryCode"/> <property name="REST_URL_POSTFIX" scope="axis2" action="remove"/>     <call blocking="true">         <endpoint>             <http method="get" uri-temp...
2 comments
Read more