Configuring SP for exclusion of AuthNStatements in response from IdP

Drew Kimberly

Feb 24, 2016, 1:42:28 PM
to SimpleSAMLphp
Hi,

I'm configuring simpleSaml as an SP which points to an in-house .NET IdP implementation. Our IdP does not include an AuthnStatement (not required in SAML 2.0 spec) within the response assertion. However, simpleSaml is throwing an exception which states "No AuthnStatement found in assertion(s)." This brings me to my 2 questions:

1) Do SimpleSAMLphp SPs require IdP responses to contain an AuthnStatement?

2) Is there any way to configure the config/SP in authsources.php such that the SP knows not to expect an AuthnStatement from the IdP?


Thanks in advance,

-Drew 

Peter Schober

Feb 24, 2016, 5:37:43 PM
to SimpleSAMLphp
* Drew Kimberly <andrew.e...@gmail.com> [2016-02-24 19:42]:
> I'm configuring simpleSaml as an SP which points to an in-house .NET IdP
> implementation. Our IdP does not include an AuthnStatement (not required in
> SAML 2.0 spec) within the response assertion.

What SAML Profile are you trying to use with SimpleSAMLphp?
For the WebSSO Browser SSO Profile <AuthnStatement>s are in fact
required, cf. SAML Profiles section 4.1.4.2., esp. line 547 in the
original Profile:
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
or line 627 in the "merged/Errata composite" Profiles spec:
https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf

For authoritative guidance ask at saml...@lists.oasis-open.org.
-peter

Drew Kimberly

Feb 25, 2016, 8:56:08 AM
to SimpleSAMLphp
Thanks Peter, we were able to work with our IdP to get a correct implementation working :)
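
Added example, not part of the thread and not SimpleSAMLphp's own code: a small Python diagnostic an IdP implementer could run over a captured base64 `SAMLResponse` to confirm the Web Browser SSO requirement cited above (at least one `<AuthnStatement>`) before pointing an SP at it. The function names, the sample issuer URL and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_authn_statements(saml_response_b64):
    """Return a list of problems; an empty list means the check passed."""
    xml = base64.b64decode(saml_response_b64)
    # Diagnostic parse only: refuse DTDs; no signature is verified here.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD present; refusing to parse"]
    root = ET.fromstring(xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["no unencrypted <saml:Assertion> in response"]
    problems, found = [], 0
    for assertion in assertions:
        aid = assertion.get("ID", "?")
        for stmt in assertion.findall("saml:AuthnStatement", NS):
            found += 1
            # SAML core: AuthnInstant and <AuthnContext> are mandatory.
            if not stmt.get("AuthnInstant"):
                problems.append(f"assertion {aid}: AuthnStatement lacks AuthnInstant")
            if stmt.find("saml:AuthnContext", NS) is None:
                problems.append(f"assertion {aid}: AuthnStatement lacks AuthnContext")
    if found == 0:
        problems.append("no <saml:AuthnStatement> in any assertion")
    return problems

def sample_response(with_authn):
    """Build a constructed, unsigned sample response (hypothetical IdP)."""
    stmt = ('<saml:AuthnStatement AuthnInstant="2016-02-24T18:42:00Z">'
            '<saml:AuthnContext><saml:AuthnContextClassRef>'
            'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
            '</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement>') if with_authn else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
           '<saml:Assertion ID="_a1" Version="2.0">'
           '<saml:Issuer>https://idp.example.org</saml:Issuer>'
           f'{stmt}</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for label, flag in (("with", True), ("without", False)):
        print(label, check_authn_statements(sample_response(flag)))
```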