About the "Could not find the NameID node in a Subject node" error

[Athanasios Douitsis]

Hi all,

After seeing a very interesting presentation for simplasamlphp a
couple of weeks ago at Athens, I decided to take a look at
simplesamlphp. At this point I am trying to get it to work as a SAML2
SP and communicate with an Internet2 Shibboleth IdP (version 2.1 -
latest).
As you can probably guess from the subject, I am getting the despised
"Could not find the NameID node in a Subject node" error when
returning to the SP after authenticating. From previous messages on
the list, I can see that php>=5.2 is required, but I already have
php5-5.2.6_2 (on FreeBSD). So it shouldn't be that.

I tried taking a look at lib/SimpleSAML/XML/SAML20/AuthnRequest.php
and telling it to print $subject->nodeValue at the processSubject
method, but I can see that $subject->nodeValue is not human readable
(encrypted or base64?).

At this point any suggestion would be most welcome. I tried setting
everything to debug levels, but I am not getting anything useful. Is
there a way to tell the samlphp to dump the response it is receiving
from the IdP in a form that I can read? Should snoop at the headers
and see the posted response back to the samlphp with my browser? Any
other ideas?

Thanks very much for your time,
Athanasios Douitsis

[Andreas Åkre Solberg]

On 4. des.2008, at 14:10, Athanasios Douitsis wrote:

> After seeing a very interesting presentation for simplasamlphp a
> couple of weeks ago at Athens, I decided to take a look at
> simplesamlphp. At this point I am trying to get it to work as a SAML2
> SP and communicate with an Internet2 Shibboleth IdP (version 2.1 -
> latest).
> As you can probably guess from the subject, I am getting the despised
> "Could not find the NameID node in a Subject node" error when
> returning to the SP after authenticating. From previous messages on
> the list, I can see that php>=5.2 is required, but I already have
> php5-5.2.6_2 (on FreeBSD). So it shouldn't be that.

Hi Athanasios,

I would suggest that we try to take a look at the Authentication
Response sent from Shibboleth to simplesAMLphp, to see if there is
something strange in there. (in example if the NameID is missing)

If you use Firefox, try to install the LiveHttpHeaders plugin, and
watch the HTTP headers. Then you will see the POST data sent to the
SP. Copy the message into a base64 decoder...

http://ostermiller.org/calc/encode.html

Then show us the message :)

Alternatively, give us an URL and a test login account, and we may do
the liveheaders things.

Kind regards,
Andreas

[Athanasios Douitsis]

Thanks for the quick response Andreas,

I bese64decoded the response, and I can see a saml:EncryptedAssertion
with not too much human readable data inside. Do I need to deactivate
something on the IdP maybe? Or maybe one of the algorithms is not
supported?

Here is the start of the EncryptedAssertion Element:

<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:
2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="_1082fef318d4e64e051f4dfc4266f35a" Type="http://www.w3.org/2001/04/
xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/
xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="_9d76968c9bac91ea1b454a001deb1cdc"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/
xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
....

Many thanks for your attention,
Athanasios

[Athanasios Douitsis]

Btw, has anyone had any success with the Internet2 IdP 2.1 (or even
the 2.0) and the simpleSAMLphp SP? I would love to hear that someone
has actually managed to do it.

Athanasios

[Janusz Ulanowski]

I guess I have similar problem.
I modified relying-party.xml in shib-idp-2.1
I changed:
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
to:
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="never" />


But I think it's not the right solution.
for more info my metadata files in the simplest form from simplesaml.
saml20-sp-hosted.php:
$metadata = array(

'sp-site3' => array(
'host' => 'site3.domain',
'certificate' => 'site3.domain.crt',
'privatekey' => 'site3.domain.key',
'attributemap' => 'site3',
),
);

saml20-idp-remote.php:
$metadata['idp-site5'] = array (
'name' => 'Shib IDP site5',
'description' => 'shibboleth idp on site5',
'SingleSignOnService' =>
'https://site5.domain/idp/profile/SAML2/Redirect/SSO',
'certFingerprint' => 'XXXX',
);


Andreas, what do u think about it?

--
Janusz

[Peter Schober]

* Athanasios Douitsis <adui...@gmail.com> [2008-12-08 13:48]:

> Btw, has anyone had any success with the Internet2 IdP 2.1 (or even
> the 2.0) and the simpleSAMLphp SP? I would love to hear that someone
> has actually managed to do it.

Sure, this works just fine. Like Janusz said (and can be found in this
lists' archives), you'd need to disable encryption of NameIDs at the
Shib IdP, since simpleSAMLphp doesn't yet support encrypted NameIDs
(which is the default with Shib2).

If you don't want to disable this for all relying parties just add
another RelyingParty element to your conf/relying-party.xml, overrding
the SAML2SSOProfile configuration for this given SP:

<RelyingParty id="https://entityId.of.yoursp.example.org/saml2"
provider="<entityId of your IdP>"
defaultSigningCredentialRef="IdPCredential" >

<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"

encryptNameIds="never" />
</RelyingParty>

Note that unless you enabled automagic reloading of relying party
config in the Shib IdP this change will require you to restart the IdP
application (or the container).

cheers,
-peter

[Athanasios Douitsis]

Hi all,

Janusz and Peter, many thanks!. Apologies for not having gone through
the list archives more carefully.

Best Regards,
Athanasios



On Dec 8, 8:32 pm, Peter Schober <sp+lists.simples...@univie.ac.at>
wrote:
> * Athanasios Douitsis <aduit...@gmail.com> [2008-12-08 13:48]:

[Stéphane Gully]

Hello,

I also had problems configuring shib 2.1 with simplesaml and this
thread helped my a lot.
Thank you all.

My little contribution is this article which try to sum up these tricks:
http://www.zeitoun.net/articles/configure-simplesaml-1.3-sp-and-shibboleth-2.1-idp/start
I hope it will help someone.

regards,
Stéphane Gully

[Peter Schober]

* Stéphane Gully <stephan...@gmail.com> [2009-01-06 11:28]:

> I also had problems configuring shib 2.1 with simplesaml and this
> thread helped my a lot.
> Thank you all.

It was recently suggested on the shibboleth-users list to change
Shib's default to not encrypt NameIDs inside encrypted assertions, so
even this small config change at the IdP might not be necessary in
future releases.

Also note that simplesamlphp can generate metadata for
saml20-idp-remote.php from the IdP's SAML2 metadata (XML), this way
you'll also get the certFingerprint calculated automagically (and
don't need to fiddle with idp.crt and openssl.

cheers,
-peter

[Andreas Åkre Solberg]

On 6. jan.2009, at 11:28, Stéphane Gully wrote:

My little contribution is this article which try to sum up these tricks:
http://www.zeitoun.net/articles/configure-simplesaml-1.3-sp-and-shibboleth-2.1-idp/start
I hope it will help someone.

Thanks a lot. I hope you don't mind that I put a link up on 

http://rnd.feide.no/view/simplesamlphpdocs

Kind regards

Andreas

-- 

Andreas Åkre Solberg 

=andreas

http://rnd.feide.no

[Stéphane Gully]

On Wed, Jan 7, 2009 at 1:25 AM, Peter Schober
<sp+lists....@univie.ac.at> wrote:
> Also note that simplesamlphp can generate metadata for
> saml20-idp-remote.php from the IdP's SAML2 metadata (XML), this way
> you'll also get the certFingerprint calculated automagically (and
> don't need to fiddle with idp.crt and openssl.

Very interesting to keep it simple ! But how ? I don't see any
configuration variable on the official doc.
http://rnd.feide.no/content/using-simplesamlphp-service-provider

On Wed, Jan 7, 2009 at 7:37 AM, Andreas Åkre Solberg
<andreas...@uninett.no> wrote:
> Thanks a lot. I hope you don't mind that I put a link up on
> http://rnd.feide.no/view/simplesamlphpdocs

No problem.

regards,
Stéphane Gully

[Peter Schober]

* Stéphane Gully <stephan...@gmail.com> [2009-01-07 22:05]:

> > Also note that simplesamlphp can generate metadata for
> > saml20-idp-remote.php from the IdP's SAML2 metadata (XML), this way
> > you'll also get the certFingerprint calculated automagically (and
> > don't need to fiddle with idp.crt and openssl.
>
> Very interesting to keep it simple ! But how ? I don't see any
> configuration variable on the official doc.

Assess your simpleSAMLphp install via the web (possibly providing the
auth.adminpassword set in config/config.php), there's you'll find a
link entitled "XML to simpleSAMLphp metadata converter" (depending on
the language setting), leading to simething like
https://yourhost.example.org/<simpleSAMLphp-webpath>/admin/metadata-converter.php

cheers,
-peter

--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140