Re: ADFS 2.0 IDP / SimpleSAMLphp SP with SAML 2.0


Peter Schober

Apr 17, 2013, 5:12:07 PM4/17/13
to simple...@googlegroups.com
* Djazz <xbeu...@djazz-univ.net> [2013-04-17 18:55]:
> If the logon is successful, I get a simpleSAMLphp exception :
> Requester/InvalidNameIDPolicy

Grab the SAML2 authentication request from the browser (easiest with
Olav's SAML Tracer firefox plugin), then you'll see the NameID policy
SSP requested (from your config below it's the SAML2.0 "unspecified"
NameID format).
Then find out what your IdP vendor supports or does not support.
Then you'll know which side needs changing.

> When I go to https://idp.adfs2accounts.lan/adfs/ls/idpinitiatedsignon.aspx
> Authenticate, then I'm redirected to the SP server
> (https://sp.adfs2resources.lan/module.php/saml/sp/saml2-acs.php/adfs2poc)
> but I get a 500 HTTP Error.

As that's an error from your webserver there will be something in your
webserver's error log file.

> Here is the authsources.php sample :
> 'adfs2poc' => array(
> 'saml:SP',
> 'idp' => NULL, // Display a list of configured IDP
> 'privatekey' => 'adfs2poc.pem',
> 'certificate' => 'adfs2poc.crt',
> 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified',
> ),

Try `NameIDPolicy => null`, that causes no NameIDPolicy at all to be
sent in the authentication request from SSP (exactly what it says in
the comment above that setting in the default authsources.php), so the
IdP cannot complain about mismatches.
-peter

Djazz

Apr 23, 2013, 5:04:35 AM4/23/13
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter,

Thanks for your reply.

I set the 'NameIDPolicy' => NULL, but I still get an error.
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.
Backtrace:
7 /var/simplesamlphp/lib/SAML2/Assertion.php:262 (SAML2_Assertion::parseSubject)
6 /var/simplesamlphp/lib/SAML2/Assertion.php:235 (SAML2_Assertion::__construct)
5 /var/simplesamlphp/lib/SAML2/EncryptedAssertion.php:93 (SAML2_EncryptedAssertion::getAssertion)
4 /var/simplesamlphp/modules/saml/lib/Message.php:350 (sspmod_saml_Message::decryptAssertion)
3 /var/simplesamlphp/modules/saml/lib/Message.php:549 (sspmod_saml_Message::processAssertion)
2 /var/simplesamlphp/modules/saml/lib/Message.php:523 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:75 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)

In the ADFS 2.0 server, I have no rules as I think I do not need transformations. Am I wrong?
If I am wrong, do you have any ADFS 2.0 configuration/rules sample to work with simpleSAMLphp as a SP with SAML 2.0 ?

Thanks
Kind regards

Peter Schober

Apr 23, 2013, 5:41:34 AM4/23/13
to simple...@googlegroups.com
No need to Cc: me on every email to the list.

* Djazz <xbeu...@djazz-univ.net> [2013-04-23 11:04]:
> 0 /var/simplesamlphp/www/module.php:180 (N/A)
> Caused by: Exception: Missing <saml:NameID> or <saml:EncryptedID> in
> <saml:Subject>.

So it seems it doesn't work when you request transient NameID format
(because your IdP does not support that; at least that was my initial
interpretation of "Requester/InvalidNameIDPolicy"; you could just read
your software's documentation or ask the vendor to find out for sure,
of course).
By not requesting a NameID format at all the IdP seemingly won't send
any which in turn does not seem to be supported by your SP (which
sounds like a bug in SSP to me -- AFAIR NameIDs are optional).

If the requested NameID is all that's wrong the solution is both
simple and obvious: Request a NameID your IdP supports.

> In the ADFS 2.0 server, I have no rules as I think I do not need
> transformations. Am I wrong?
> If I am wrong, do you have any ADFS 2.0 configuration/rules sample
> to work with simpleSAMLphp as a SP with SAML 2.0 ?

No. And no idea what any of that means.
-peter
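The two checks Peter describes across his replies (read the NameIDPolicy the SP put in the AuthnRequest out of the tracer, then look at what the IdP answered: a Requester/InvalidNameIDPolicy status, or an assertion whose Subject has no NameID at all), as an added Python example. This is not code from the thread or from SimpleSAMLphp. The SAML messages in it are constructed, not captured traffic; the hostnames and ACS URL are the ones from the original post, while the Issuer values, message IDs and the user identifier are invented for the example, and it only handles plaintext (not Encrypted) assertions.

```python
"""Added example: inspect the NameID side of an SP <-> IdP SAML 2.0 exchange.
Not code from the thread or from SimpleSAMLphp. All XML here is constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NIDP = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def encode_redirect_param(xml_text: str) -> str:
    """HTTP-Redirect binding: base64(raw DEFLATE(xml)). Used only to build sample input."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    return base64.b64encode(co.compress(xml_text.encode()) + co.flush()).decode()


def decode_redirect_param(saml_request: str) -> str:
    """What a SAML tracer does to show you the AuthnRequest XML."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def requested_nameid_format(authn_request_xml: str):
    """Format of <samlp:NameIDPolicy>, or None when the SP sent no policy at all
    ('NameIDPolicy' => null in SSP) or sent one without a Format attribute."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status(response_xml: str):
    """(top-level StatusCode, nested StatusCode or None).
    Requester + InvalidNameIDPolicy is the IdP refusing the requested format."""
    top = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS)
    return top.get("Value"), None if nested is None else nested.get("Value")


def subject_identifier(response_xml: str):
    """What the first plaintext assertion's Subject identifies the user by.
    has_id False is the condition behind SSP's
    'Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>'."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would need decrypting first
        return {"assertion": False, "has_id": False, "format": None, "value": None}
    subject = assertion.find("saml:Subject", NS)
    name_id = None if subject is None else subject.find("saml:NameID", NS)
    enc_id = None if subject is None else subject.find("saml:EncryptedID", NS)
    return {
        "assertion": True,
        "has_id": name_id is not None or enc_id is not None,
        "format": None if name_id is None else name_id.get("Format"),
        "value": None if name_id is None else name_id.text,
    }


def diagnose(saml_request_param: str, response_xml: str) -> str:
    """One-line verdict of the kind the thread reasons its way to."""
    fmt = requested_nameid_format(decode_redirect_param(saml_request_param))
    _top, nested = response_status(response_xml)
    if nested == STATUS_INVALID_NIDP:
        return f"IdP rejected requested NameID format {fmt!r}: request one the IdP supports"
    subj = subject_identifier(response_xml)
    if not subj["has_id"]:
        return f"success but no NameID/EncryptedID in Subject (requested {fmt!r}): SSP rejects this"
    return f"ok: NameID format {subj['format']} value {subj['value']}"


# --- constructed sample messages (not captured traffic); Issuer values are invented ---
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_req1" Version="2.0" IssueInstant="2013-04-17T15:00:00Z"
  Destination="https://idp.adfs2accounts.lan/adfs/ls/"
  AssertionConsumerServiceURL="https://sp.adfs2resources.lan/module.php/saml/sp/saml2-acs.php/adfs2poc">
  <saml:Issuer>https://sp.adfs2resources.lan/adfs2poc</saml:Issuer>
  <samlp:NameIDPolicy Format="{FMT_UNSPECIFIED}" AllowCreate="true"/>
</samlp:AuthnRequest>"""

RESPONSE_HEAD = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                 'ID="_resp1" Version="2.0" IssueInstant="2013-04-17T15:00:01Z">')

REJECTED = RESPONSE_HEAD + f"""
  <samlp:Status><samlp:StatusCode Value="{STATUS_REQUESTER}">
    <samlp:StatusCode Value="{STATUS_INVALID_NIDP}"/></samlp:StatusCode></samlp:Status>
</samlp:Response>"""


def success_response(subject_inner: str) -> str:
    return RESPONSE_HEAD + f"""
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-04-17T15:00:01Z">
    <saml:Issuer>https://idp.adfs2accounts.lan/adfs/services/trust</saml:Issuer>
    <saml:Subject>{subject_inner}
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


NO_NAMEID = success_response("")  # Subject with only a SubjectConfirmation
WITH_NAMEID = success_response(
    f'<saml:NameID Format="{FMT_UNSPECIFIED}">user@djazz-univ.net</saml:NameID>')

if __name__ == "__main__":
    req = encode_redirect_param(AUTHN_REQUEST)
    for resp in (REJECTED, NO_NAMEID, WITH_NAMEID):
        print(diagnose(req, resp))
```

Run it against a real trace by pasting the `SAMLRequest` query parameter into `decode_redirect_param` and the base64-decoded `SAMLResponse` body into `response_status` / `subject_identifier`; the verdict tells you which side to change: the SP config if the IdP rejects the format, the IdP's issuance rules if it succeeds but issues no NameID.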