Is NameID required in SAML2 Response Subject?


gou...@wrlc.org

Feb 13, 2017, 4:06:28 PM2/13/17
to SimpleSAMLphp
I am using SSP 1.14 as a service provider. I've successfully integrated with 6 IdPs, including Shibb, AD FS and Azure AD. I am trying to add another AD FS and having trouble. At first I was getting an "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" error in their response. I figured out how to change the specification of the NameIDFormat to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" in my auth request. Now I get a status:Success response but SSP errors (WSOD) with this message:

SimpleSAML_Error_Exception: Error 4096 - Argument 2 passed to sspmod_saml_SP_LogoutStore::addSession() must be of the type array, null given, called in /usr/local/webapps/simplesamlphp-1.14.10/modules/saml/www/sp/saml2-acs.php on line 190

I don't see a NameID in the SAML Subject that I receive...and that looks like the 2nd argument on the call on line 190, so I'm thinking that SSP can't handle a missing NameID? Is that a bug or is NameID required by the SAML2 protocol? Is there any way I can get SSP to accept this response?

I've asked the IdP to add the NameID but I'm not confident they will or know how... and I'm clueless about AD FS. So I thought I would check here.

thanks, Don

Peter Schober

Feb 13, 2017, 5:44:05 PM2/13/17
to SimpleSAMLphp
* gou...@wrlc.org <gou...@wrlc.org> [2017-02-13 22:06]:
> I am using SSP 1.14 as a service provider. I've successfully integrated
> with 6 IdPs, including Shibb, AD FS and Azure AD. I am trying to add
> another AD FS and having trouble. At first I was getting an
> "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" error in their
> response. I figured out how to change the specification of the NameIDFormat
> to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" in my auth
> request.

If you don't require a specific NameID format then don't
request/require one (not specifically request the "unspecified" one).
For an SSP SP you'd have to set the format to NULL, IIRC, in the
saml:sp authsource.

> I don't see a NameID in the SAML Subject that I receive...and that
> looks like the 2nd argument on the call on line 190, so I'm thinking
> that SSP can't handle a missing NameID? Is that a bug or is NameID
> required by the SAML2 protocol? Is there any way I can get SSP to
> accept this response?

As long as I can remember SSP indeed insisted on receiving a NameID
(which is optional in SAML, fyi). There should be an issue for this in
Github, and maybe it's already fixed, but I don't think it's part of a
released SSP version yet.
*But* when I encountered that issue SSP presented an UNHANDLED
EXCEPTION during SSO, with the reason clearly stated (AFAIR), so no
digging through code was necessary.
So this may or may not in fact be your issue.
-peter
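To show the point Peter makes above (a Subject without a NameID is valid SAML 2.0, so an SP should accept such an assertion instead of failing), here is an added example, not code from SimpleSAMLphp or the saml2 library: a minimal SP-side reader that extracts Subject/NameID when present, returns None when it is absent, and falls back to an attribute for a session identifier. The Response documents, the IdP issuer URL, the attribute OID used as fallback and the user value are constructed for the example; the Response is unsigned, and signature verification, audience and time checks that a real SP performs are out of scope here.

```python
"""Added example (not SimpleSAMLphp's code): read a SAML 2.0 Response on the SP
side and treat a missing Subject/NameID as an allowed case rather than a crash."""
import xml.etree.ElementTree as ET
from typing import Any, Dict, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName, used as the fallback key

# Constructed, unsigned sample Response (assumed issuer and user). The <!--NAMEID-->
# marker is swapped for a real <saml:NameID> below; left in place it is an XML
# comment, which the parser ignores, giving a Subject with no NameID at all.
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2017-02-13T22:06:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-13T22:06:00Z">
    <saml:Issuer>https://idp.example.org/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <!--NAMEID-->
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <saml:AttributeValue>don@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
RESPONSE_WITH_NAMEID = _TEMPLATE.replace(
    "<!--NAMEID-->",
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "don@example.org</saml:NameID>",
)
RESPONSE_WITHOUT_NAMEID = _TEMPLATE


def parse_subject(response_xml: str) -> Dict[str, Any]:
    """Return NameID (value and Format) and the attributes of the first Assertion.

    'name_id' and 'name_id_format' are None when the IdP sent no <saml:NameID>;
    that is not an error by itself, because NameID is optional inside <saml:Subject>.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes: Dict[str, list] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attributes[attr.get("Name")] = [v.text for v in values]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def session_identifier(subject: Dict[str, Any], fallback_attribute: str) -> Optional[str]:
    """Pick a value to key the SP's local session on: the NameID if present,
    otherwise the first value of the configured fallback attribute, else None."""
    if subject["name_id"] is not None:
        return subject["name_id"]
    values = subject["attributes"].get(fallback_attribute, [])
    return values[0] if values else None


def can_single_logout(subject: Dict[str, Any]) -> bool:
    """SAML single logout needs a NameID to put in the LogoutRequest, so a session
    without one simply cannot be registered for SLO; authentication itself still succeeds."""
    return subject["name_id"] is not None


if __name__ == "__main__":
    for label, doc in (("with NameID", RESPONSE_WITH_NAMEID), ("without NameID", RESPONSE_WITHOUT_NAMEID)):
        subj = parse_subject(doc)
        print(label, session_identifier(subj, EPPN), "SLO possible:", can_single_logout(subj))
```

The design choice worth noting is where the optional element is allowed to be optional: the login path accepts the assertion either way, and only the logout bookkeeping is skipped when there is nothing to key it on, which is the behaviour an SP needs for IdPs like the AD FS deployment described in this thread.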

misu...@gmail.com

Feb 13, 2017, 10:37:23 PM2/13/17
to SimpleSAMLphp, gou...@wrlc.org

I was having the same issue, try the following fix.

Even though interoperability profiles "require" a NameID, the SAML 2.0 standard does not require it to be present in assertions.


Thijs Kinkhorst

Feb 14, 2017, 3:24:01 AM2/14/17
to simple...@googlegroups.com
On 13-02-17 23:44, Peter Schober wrote:
> As long as I can remember SSP indeed insisted on receiving a NameID
> (which is optional in SAML, fyi). There should be an issue for this in
> Github, and maybe it's already fixed, but I don't think it's part of a
> released SSP version yet.

It is already fixed in the saml2 library:
https://github.com/simplesamlphp/saml2/commit/8a83fc81aa74dd0ed085e397ffaf1b676994dc42

But indeed not part of a released SSP version yet.


Cheers,
Thijs


Gourley, Don

Feb 14, 2017, 7:06:06 AM2/14/17
to simple...@googlegroups.com
Thanks for all your responses and confirmation that SSP requires NameID but SAML2 does not.

On Mon, Feb 13, 2017 at 5:44 PM, Peter Schober <peter....@univie.ac.at> wrote:

If you don't require a specific NameID format then don't
request/require one (not specifically request the "unspecified" one).
For an SSP SP you'd have to set the format to NULL, IIRC, in the
saml:sp authsource.

I tried setting NameIDPolicy to null in authsources.php but that also gave me the bad argument type error when the response was returned.

I will try to get the IdP to send NameID and otherwise use the patch that misurito pointed me to until the real fix in the saml library is released in SSP. Should I submit an issue to GitHub to get that fix in, or will it routinely be included in 1.15 whenever that is released?

-Don