removing saml:AuthenticatingAuthority from assertions for office365 compatibility (when using external IDP as auth source)

Enrico Cavalli

Nov 15, 2021, 8:41:32 AM11/15/21
to 'Olav Morken' via SimpleSAMLphp
Hi all, I have written a very small custom processing filter to remove saml:AuthenticatingAuthority from assertions; otherwise, when accessing Office 365,
I was always getting this error:

AADSTS500132: Assertion is malformed and cannot be read.

The scenario is this: we have the default authentication source which is active directory, and we are experimenting with RSA 2FA implemented as
an external IDP (with multi auth). 

When using the RSA IDP as authentication source, SimpleSAMLphp assertions contain this node:

 <saml:AuthenticatingAuthority>ENTITY_ID_OF_OUR_RSA_IDP</saml:AuthenticatingAuthority>

I empirically discovered that simply removing this information from the state solves the problem, so in its essence the auth proc filter does this:

// drop the upstream IdP entity ID from both places it is kept in the SP state
unset($state['saml:sp:State']['saml:AuthenticatingAuthority']);
unset($state['saml:sp:State']['PersistentAuthData']['saml:AuthenticatingAuthority']);


It works... but:

1) Is there any option to achieve the same result? Maybe I just missed it.
2) Is it a correct way to approach the issue?


Thank you for your attention. 

Regards,
Enrico.




-- 
Enrico Cavalli - enrico....@gmail.com
skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94  8ADE BC4B 43A7 0485 30E5
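A complete version of the filter Enrico describes, written out as an added example (it is not code from the post and not part of SimpleSAMLphp itself). It assumes the SimpleSAMLphp 2.x module layout; the module name "myfilters", the class name, and the placement of the filter in the Office 365 remote SP metadata are assumptions, chosen so that the upstream IdP identity is only dropped for the one SP that rejects it and stays available to every other SP.

```php
<?php
// Added example, not from the original post. Hypothetical module "myfilters":
// modules/myfilters/src/Auth/Process/StripAuthenticatingAuthority.php
// Assumes SimpleSAMLphp 2.x (namespaced ProcessingFilter with typed process()).
namespace SimpleSAML\Module\myfilters\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Logger;

class StripAuthenticatingAuthority extends ProcessingFilter
{
    /** State locations (as reported in the post) that carry the upstream IdP entity ID. */
    private const PATHS = [
        ['saml:sp:State', 'saml:AuthenticatingAuthority'],
        ['saml:sp:State', 'PersistentAuthData', 'saml:AuthenticatingAuthority'],
    ];

    public function process(array &$state): void
    {
        foreach (self::PATHS as $path) {
            $this->unsetPath($state, $path);
        }
    }

    /** Remove a nested key, but only if every level of the path exists (no notices on other auth sources). */
    private function unsetPath(array &$arr, array $path): void
    {
        $last = array_pop($path);
        $ref = &$arr;
        foreach ($path as $key) {
            if (!isset($ref[$key]) || !is_array($ref[$key])) {
                return; // e.g. the default AD source, which never sets this
            }
            $ref = &$ref[$key];
        }
        if (array_key_exists($last, $ref)) {
            Logger::debug('StripAuthenticatingAuthority: removing ' . $last . ' from state');
            unset($ref[$last]);
        }
    }
}

// Assumed placement, scoped to the one SP that rejects the element (metadata/saml20-sp-remote.php):
// $metadata['urn:federation:MicrosoftOnline'] = [
//     /* ...existing entry... */
//     'authproc' => [ 50 => ['class' => 'myfilters:StripAuthenticatingAuthority'] ],
// ];
```

Scoping the filter to that one remote SP entry rather than the global IdP authproc chain keeps saml:AuthenticatingAuthority in assertions for other SPs, where it is useful for logging and for telling which upstream IdP (AD or the RSA 2FA IdP) actually authenticated the user.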
