Re: Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP


Factum IT BV

Dec 16, 2014, 4:25:42 PM
to simple...@googlegroups.com
You need to specify a name identifier in your claims rules on the simpleSAMLphp relying party pipeline. You’re not currently specifying a NameID and it’s failing on the simpleSAMLphp side as a result… by default it’s expecting transient format.

Try creating a transform rule that transforms an AD attribute into the appropriate name identifier format (transient).

Here’s an example of a custom rule using UPN as the anchor …

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

Regards,
Mylo

From: Ray Hwang
Sent: Tuesday, December 16, 2014 7:54 PM
To: simple...@googlegroups.com

After looking all over the Internet, particularly

I tried all the suggested modifications to authsource.php and metadata php. Nothing worked.

Here is my authsource.php

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://domain.com/adfs/services/trust',
),

I used the XML to simpleSAMLphp metadata converter to generate the saml20-idp-remote.php

So when I access the page, SimpleSAMLPHP correctly redirects me to the IDP login page. I decoded the SAML Request:

<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="_4e03333c7aa76314d965e05f8fcdd3e1f4c5be96c8" 
    Version="2.0" 
    IssueInstant="2014-12-11T19:41:50Z" 
    Destination="https://domain.com/adfs/ls/" 
    AssertionConsumerServiceURL="https://sub.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

    <saml:Issuer>
        https://sub.domain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
    </saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

</samlp:AuthnRequest>

After logging in with a valid test account, I'm redirected back to my site with the error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:179 (N/A)
Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError)
2 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:495 (sspmod_saml_Message::processResponse)
1 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:134 (N/A)

I tried setting different NameIDPolicy values, but none of them worked.

    //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Thanks!


Peter Schober

Dec 17, 2014, 12:36:23 PM
to simple...@googlegroups.com
Cf. the thread with the title
"ADFS 2.0 IDP / SimpleSAMLphp SP with SAML 2.0"
from April 2013. (I don't see how I can get the URL to a thread in
Google Groups.)

* Ray Hwang <yarg...@gmail.com> [2014-12-16 19:54]:
> Here is my authsource.php
>
> 'default-sp' => array(
> 'saml:SP',
> 'privatekey' => 'saml.pem',
> 'certificate' => 'saml.crt',
> 'idp' => 'http://domain.com/adfs/services/trust',

Without NameIDPolicy set, SSP will default to requesting a transient
NameID, as you've seen:

> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

in your SSP SP's decoded authentication request.

> After logging in with a valid test account, I'm redirected back to my site
> with the error.

Looks like the ADFS SAML IDP does not like/support transient NameIDs.
Setting
'NameIDPolicy' => null,
in your authsource will stop SimpleSAMLphp from requesting any
specific NameID format and so should avoid this error.

As per the thread I mentioned above this might shift the problem to
another error, that the MS-ADFS IDP will not release /any/ NameID if
none is requested, which in turn is not supported by SimpleSAMLphp (at
least not in 2013, when I called this a bug in SimpleSAMLphp).

> I tried setting different NameIDPolicy but none of them worked.
>
> //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
> //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
> //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
> //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

We can't know what formats your MS-ADFS IDP is configured to support.
Even if you know one format, requesting that specific format from any
other IDP would probably break there just the same. So unless you
positively /need/ one specific NameID format, don't request one.

* Factum IT BV <in...@efactum.net> [2014-12-16 22:25]:
> You need to specify a name identifier in your claims rules on the
> simpleSAMLphp relying party pipeline. You're not currently
> specifying a NameID and it's failing on the simpleSAMLphp side as a
> result... by default it's expecting transient format.

SSP is not "expecting transient format" (and failing if another format
were part of the SAML response), it is /requesting/ transients and the
IDP falls over with a SAML error message. At least that's how I read it.

> Try creating a transform rule that transforms an AD attribute into
> the appropriate name identifier format (transient)..
>
> Here's an example of a custom rule using UPN as the anchor ...
>
> c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
> => issue(Type =
> "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
> Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value =
> c.Value, ValueType = c.ValueType,
> Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
> = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

No idea what this does (I don't speak Claims Transformation Rules
Language), but if that's generating a transient NameID based on a
stable, user-identifying attribute ("UPN"[1]), that's clearly wrong[2].
[1] http://msdn.microsoft.com/en-us/library/ms680857%28v=vs.85%29.aspx
[2] SAML Core, 8.3.8 Transient Identifier

-peter
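The two disputed readings above (Mylo: the SP is "expecting transient"; Peter: the SP requested transient and the IdP answered with a SAML error status) can be settled by decoding the SAMLResponse that comes back to the ACS and looking at its Status element rather than at the SimpleSAMLphp stack trace. The script below is an added example written for this thread; it is not code from SimpleSAMLphp, AD FS or any poster. It walks the StatusCode chain (the "Requester/InvalidNameIDPolicy" in Ray's trace is a top-level Requester code with a nested InvalidNameIDPolicy code), extracts the NameID Format and value from a successful response, and flags a NameID marked transient whose value repeats across responses, which is what the UPN-based claims rule in the first post would produce and what Peter cites SAML Core 8.3.8 against. The responses, IDs and the user value are constructed and unsigned; a real SP verifies the signature before trusting any of this.

```python
"""Decode a SAML 2.0 Response and report what the SP actually received.

Added example for this thread; it is not SimpleSAMLphp or AD FS code.
All responses below are constructed test data and carry no signature.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def decode_response(b64):
    """Parse the Base64 SAMLResponse form field of the HTTP-POST binding."""
    return ET.fromstring(base64.b64decode(b64))


def status_codes(root):
    """StatusCode values top-down with the URN prefix stripped,
    e.g. ['Requester', 'InvalidNameIDPolicy']."""
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", "").replace(STATUS_PREFIX, ""))
        node = node.find("samlp:StatusCode", NS)
    return codes


def name_id(root):
    """(Format, value) of the assertion's NameID, or None if absent."""
    nid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None:
        return None
    return nid.get("Format", ""), (nid.text or "").strip()


def describe(b64):
    """One-line verdict: IdP error status, missing NameID, or the NameID."""
    root = decode_response(b64)
    codes = status_codes(root)
    if codes[:1] != ["Success"]:
        return "IdP returned error status " + "/".join(codes)
    nid = name_id(root)
    if nid is None:
        return "Success, but the assertion carries no NameID"
    return "Success, NameID format %s, value %s" % nid


def transient_reuse(b64_responses):
    """Transient NameID values that occur in more than one response.
    A transient identifier must not be stable across sessions (SAML Core 8.3.8)."""
    counts = {}
    for b64 in b64_responses:
        nid = name_id(decode_response(b64))
        if nid is not None and nid[0] == TRANSIENT:
            counts[nid[1]] = counts.get(nid[1], 0) + 1
    return sorted(value for value, n in counts.items() if n > 1)


def _b64(xml):
    return base64.b64encode(xml.encode()).decode()


# Constructed: the error the IdP sends back when it rejects the requested NameIDPolicy.
ERROR_RESPONSE = _b64("""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-12-16T19:41:51Z">
  <saml:Issuer>http://domain.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>""")


def _success(resp_id, value):
    """Constructed success response carrying a NameID labelled transient."""
    return _b64(f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{resp_id}" Version="2.0"
    IssueInstant="2014-12-16T19:41:51Z">
  <saml:Issuer>http://domain.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="{resp_id}a" Version="2.0" IssueInstant="2014-12-16T19:41:51Z">
    <saml:Issuer>http://domain.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{TRANSIENT}">{value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""")


# Two logins by the same (constructed) user under a UPN-based rule: the
# "transient" value is the UPN both times, the reuse the thread objects to.
UPN_RESPONSES = [_success("_r2", "ray@domain.com"), _success("_r3", "ray@domain.com")]

if __name__ == "__main__":
    print(describe(ERROR_RESPONSE))
    print(describe(UPN_RESPONSES[0]))
    print("reused transient values:", transient_reuse(UPN_RESPONSES))
```

In practice you feed describe() the SAMLResponse value captured from the POST to saml2-acs.php (a browser SAML tracer or the web server's request log will give it to you). If it reports an error status, the fix belongs on the IdP side or in what the SP requests, as Peter says; if it reports Success with a transient NameID, run a couple of logins through transient_reuse() before accepting the claims rule, since a value that repeats is not a transient identifier whatever its Format attribute claims.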

Factum IT BV

Dec 17, 2014, 1:04:45 PM
to simple...@googlegroups.com
Hi Peter,

>No idea what this does (I don't speak Claims Transformation Rules
>Language), but if that's generating a transient NameID based on a
>stable, user-identifying attribute ("UPN"[1]), that's clearly wrong[2].
>[1] http://msdn.microsoft.com/en-us/library/ms680857%28v=vs.85%29.aspx
>[2] SAML Core, 8.3.8 Transient Identifier

The objective was to get him up and running, rather than promoting the use of stable, user-identifying attributes.  I understand this is misusing name identifiers according to SAML core.  To get Ray on the right track 😉, privacy-bearing claims can be generated for use in persistent or transient identifiers (in relying parties of AD FS), as described here.


Regards,
Mylo