Integration with Ping Identity

[Paul Skinner]

Good morning SimpleSAML group.

First off, thank you for the product.  I've used it in a number of different deployments and it generally works very well.  With that, I am no expert in SAML and am reaching out today for some help/guidance.

Our previous successes in deployment were all based on ADFS integrations and a client is migrating from this to Ping Identity.  I'm at a point where I'm exceeding my knowledge of SAML / SimpleSAML and what to do next.

Essentially, I'm up against Ping right now with the message:

Sorry, we are unable to satisfy the requested NameID format. Requested Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Format from the IdP: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Most of the guidance I've read thus far suggests adding "NameIDFormat" to the entry in sam20-idp-remote.php in styles such as

'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', 

or

 ‘NameIDFormat’ => ‘urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress’,

Neither of which seem to have any effect on the result.

Does anyone have a sample configuration or breadcrumbs of a Ping Identity configuration that I might be able to review, just to see if I've managed to really bugger up during my attempts?

Many thanks.

P

[Nate Klingenstein]

Paul,

You may not need to specify a special NameIDFormat at all, depending on the defaults in simpleSAMLphp. I would imagine it defaults to transient ID’s as requested by Ping Federate in any case. The ADFS integrations you have done may have required this directive always.

Either way, you should be able to explicitly set that field as well:

'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'

Make sure you’re sending any data that had been in the subject field as an attribute as well if you want to release it to this partner.

Take care,
Nate.

> --
> You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.

[Paul Skinner]

Thanks Nate.

I've been playing with different NameIDFormats, but am often not getting the sense that the values I am specifying are actually going to the SP.

As I author this, I just changed between "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" and "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

with the error not really reflecting the change.

Am I just being daft?  This is just an array key in saml20-idp-remote.php right?   Is there another location where these values are defaulted or otherwise specified?

Many thanks. 

[chris phillips]

I would recommend using Firefox + the SAMLTracer plugin to see what the actual assertion looks like going over the wire to see what's happening. That should allow you to guide your next steps.  increasing the debug level on SSP would also help inform things too (I know, stating the obvious in these, but it has helped me on more than one occassion!)

Chris.

--

[Muhammad Anas]

Hi Paul, Did you try to change the format of NameID attribute on Pinge One to urn:oasis:names:tc:SAML:2.0:nameid-format:transient instead as described here? https://ping.force.com/Support/PingOne/PingOne-General/PingOne-error-code-SAML-215-Sorry-we-are-unable-to-satisfy-the-requested-NameID-format

Give it a try. It worked for me. Although I had to add a new attribute named SAML_SUBJECT and set its format to urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Let me know if you need any help along the way.

Best regards,

Anas

[Paul Skinner]

Stellar.  That got it.

If Sr. Support staff at Ping would take a second, they might be able to actually help people out with this instead of fluffing them off.