NameIDFormat Config Option Not being Applied


Topher Fangio

Jul 22, 2013, 12:32:32 PM
to simple...@googlegroups.com
Hi all,

I am having an issue with the IdP not accepting my authentication request due to the following error:

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>

Now, I have read that this is caused by it requesting a transient Name ID, but I cannot for the life of me figure how to fix it. I have tried various combinations of the following in both the saml20-idp-remote.php file and saml20-sp-remote.php files under the appropriate metadata sections, but when viewing the debug information, it always sends the transient NameIDPolicy.

    'NameIdFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'
    'NameIdFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    'NameIdPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'
    'NameIdPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    'simplesaml.nameidattribute' => 'mail'

I feel like this should be really easy and that I'm probably making a stupid mistake somewhere, but I cannot figure it out. Can anyone point me in the right direction?

Below is the request that keeps getting sent even after changing the configuration.

    Session: 'uu' not valid because we are not authenticated.
    Saved state: '_a00eac6799c6eae47399bb764b634d19d21d3066eb'
    Sending SAML 2 AuthnRequest to 'http://sts.uu.edu/adfs/services/trust'
    Sending message:
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a00eac6799c6eae47399bb764b634d19d21d3066eb" Version="2.0" IssueInstant="2013-07-22T16:19:35Z" Destination="https://sts.uu.edu/adfs/ls/" AssertionConsumerServiceURL="https://uu.pharos360.com/ssp/module.php/saml/sp/saml2-acs.php/uu" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
    </samlp:AuthnRequest>
    Redirect to 600 byte URL: https://sts.uu.edu/adfs/ls/?SA

Thanks so much for any help you can provide!

--
Topher Fangio

System Architect
Pharos Resources

office: 325.216.2908
mobile: 325.660.7141

Peter Schober

Jul 22, 2013, 12:51:10 PM
to simple...@googlegroups.com
* Topher Fangio <topher...@pharosresources.com> [2013-07-22 18:33]:
> I am having an issue with the IdP not accepting my authentication
> request due to the following error:
>
> <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>
> Now, I have read that this is caused by it requesting a transient Name ID,

That depends on the IDP, generally there's nothing wrong with
requesting a transient NameID.

> but I cannot for the life of me figure how to fix it.

Adding

'NameIDPolicy' => null,

should stop SSP from requesting any NameID format. If added to the
default-sp in authsources.php it will apply for all IdPs.

> I have tried various
> combinations of the following in both the saml20-idp-remote.php file and
> saml20-sp-remote.php files under the appropriate metadata sections, but
> when viewing the debug information, it always sends the transient
> NameIDPolicy.
>
> 'NameIdFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'
> 'NameIdFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 'NameIdPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'
> 'NameIdPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
> 'simplesaml.nameidattribute' => 'mail'

'NameIDPolicy' != NameIdPolicy, at least.
-peter

Topher Fangio

Jul 22, 2013, 2:36:56 PM
to simple...@googlegroups.com
Hi Peter,

Thank you for the response! I mistyped the NameIdFormat in the e-mail I sent, but it was correct in my configuration files. However, after adding it in authsources.php, it is now changing the request properly.

Unfortunately, this did not change the error. I'm still getting the InvalidNameIdPolicy error.

Do you have any other thoughts on what could be causing this issue or how I can debug it further?

Thank you so much!


--
Topher Fangio

System Architect
Pharos Resources

office: 325.216.2908
mobile: 325.660.7141





Peter Schober

Jul 23, 2013, 3:58:06 AM
to simple...@googlegroups.com
* Topher Fangio <topher...@pharosresources.com> [2013-07-22 20:37]:
> Unfortunately, this did not change the error. I'm still getting the
> InvalidNameIdPolicy error.

I didn't say it was the error (that was your presumption). Given that
the IDP returned this error with transient /and/ with no nameid format
requested, and given that the IDP is using the MS-ADFS software I'd
either ask the owner of the IdP or the vendor of the IdP software what
nameid formats the software requires in order to interoperate.

(I doubt the invalid combination of AllowCreate together with
transient NameID -- which Tom Scavo pointed out in an old thread with
the subject "Requester/InvalidNameIDPolicy" -- makes any difference
here. Otherwise not requesting any format wouldn't cause the same
error.)

Check the list archives, I recall another thread this year with the
same problem, MS-ADFS always complaining about the NameID format.
-peter
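Added example (not from the thread or from SimpleSAMLphp): a small checker for the two things discussed above, whether the SP's AuthnRequest still carries a NameIDPolicy after setting 'NameIDPolicy' => null, and whether the IdP's Response contains the InvalidNameIDPolicy status code. The XML samples are constructed to match the shape of the thread's debug output; hostnames and IDs are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed samples shaped like the thread's debug output; hostnames and IDs are placeholders.
REQUEST_TRANSIENT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_req1" Version="2.0" IssueInstant="2013-07-22T16:19:35Z"
  Destination="https://idp.example.org/adfs/ls/">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""
# What the SP sends once 'NameIDPolicy' => null is set: no NameIDPolicy element at all.
REQUEST_NO_POLICY = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_req2" Version="2.0" IssueInstant="2013-07-22T16:19:35Z"
  Destination="https://idp.example.org/adfs/ls/"/>"""
RESPONSE_REJECTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_resp1" Version="2.0" IssueInstant="2013-07-22T16:19:36Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
  </samlp:StatusCode></samlp:Status>
</samlp:Response>"""

def nameid_policy(authn_request_xml):
    """Return (Format, AllowCreate) from <samlp:NameIDPolicy>, or None if the element is absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    allow_create = policy.get("AllowCreate", "false").lower() == "true"
    return policy.get("Format"), allow_create

def status_codes(response_xml):
    """Return every StatusCode Value in a <samlp:Response>, outermost first."""
    root = ET.fromstring(response_xml)
    return [c.get("Value") for c in root.iter("{%s}StatusCode" % NS["samlp"])]

def review(authn_request_xml, response_xml):
    """Correlate what the SP asked for with how the IdP answered."""
    findings = []
    policy = nameid_policy(authn_request_xml)
    if policy is None:
        findings.append("no NameIDPolicy requested: the IdP chooses the format")
    else:
        fmt, allow_create = policy
        findings.append("requested format: " + fmt)
        if fmt == TRANSIENT and allow_create:
            findings.append("AllowCreate=true combined with the transient format")
    if INVALID_NAMEID_POLICY in status_codes(response_xml):
        findings.append("IdP answered InvalidNameIDPolicy: confirm which formats it accepts")
    return findings
```

Paste the AuthnRequest and Response from the SimpleSAMLphp debug log into `review()`; if the error persists with no NameIDPolicy at all, the answer has to come from the IdP side, as Peter says.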