Missing <saml:Issuer> in assertion.
0: D:\Matt\Projects\ID Mgmt\Federation\simplesamlphp-sp-1.5.1\lib\SAML2\Assertion.php:205 (SAML2_Assertion::__construct)
1: D:\Matt\Projects\ID Mgmt\Federation\simplesamlphp-sp-1.5.1\lib\SAML2\Response.php:37 (SAML2_Response::__construct)
2: D:\Matt\Projects\ID Mgmt\Federation\simplesamlphp-sp-1.5.1\lib\SAML2\Message.php:473 (SAML2_Message::fromXML)
3: D:\Matt\Projects\ID Mgmt\Federation\simplesamlphp-sp-1.5.1\lib\SAML2\HTTPPost.php:93 (SAML2_HTTPPost::receive)
4: D:\Matt\Projects\ID Mgmt\Federation\simplesamlphp-sp-1.5.1\modules\saml\www\sp\saml2-acs.php:11 (require)
5: D:\Matt\Projects\ID Mgmt\Federation\simplesamlphp-sp-1.5.1\www\module.php:137 (N/A)
I'm probably missing something simple, but it looks like the
SAMLResponse from the IDP has an Issuer element. Here's the XML from
a test response:
==== start ====
<samlp:Response ID="_fab3bb8e-ef59-496a-832b-182b6703c594" Version="2.0" IssueInstant="2010-01-15T20:55:26Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://mrutherford2k3.airgroup.alaskaair.com/SAML2IdentityProvider/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_fab3bb8e-ef59-496a-832b-182b6703c594">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>aGxzDo0Qnwy4XdUGHR1lcuVw9O8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Pf2MPO/fG/DdSo3pUmfeV5Dyq9KCTA6JQVDFW9RFB8Q2x3zFOdUuiF5xCHnLWJzu8Q6aPs5m9Z3zYG1aLvMzZSMwYcp5qC79fjKqp9fa4m1Axzack6/jh/v/ECxteKhs3v8knsHtt+YJBgx0El16PsVQPxDI6ey7mzHRO5Ko9z0=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIBnjCCAQcCBEbTmdAwDQYJKoZIhvcNAQEEBQAwFjEUMBIGA1UEAxMLd3d3LmlkcC5jb20wHhcNMDcwODI4MDM0MzEyWhcNMTcwODI1MDM0MzEyWjAWMRQwEgYDVQQDEwt3d3cuaWRwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo31q3mJZayXfZkLDuLcnanc/KG+RDFW+OlYDP+RubvWnt8X5jtiUTcp8IQ46TNEUFskmsonUb5AnG+zOCcawb2dJr8kBtCNhfi/TufZGBQNjuAxNMi34yIgRdGinaznHgclrAIIZTyKerQqYjPL1xRDsFGpzqGGi/2opzN8nV5kCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBmNwFN+98aybuQKFJFr69s9BvBVYtk+Hsx3gx0g4e5sLTlkcSU03XZ8AOet0my4RvUspaDRzDrv+gEgg7gDP/rsVCSs3dkuYuUvuWbiiTq/Hj4EKuKZa8nIerZ3Oz4Xa1/bK88eT7RVsv5bMOxgJbSEvTidTvOpV0G13duIqyrCw==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="_32fcc662-c4d4-448c-9726-72ba29088bb8" IssueInstant="2010-01-15T20:55:26Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Subject>
      <saml:NameID>idp-user</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2010-01-15T20:55:26Z" />
    <saml:AttributeStatement>
      <saml:Attribute Name="Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Gold</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
==== end ====
Any ideas?
Thanks,
Matt
[...]
> I'm probably missing something simple, but it looks like the
> SAMLResponse from the IDP has an Issuer element. Here's the XML from
> a test response:
> ==== start ====
> <samlp:Response ID="_fab3bb8e-ef59-496a-832b-182b6703c594" Version="2.0" IssueInstant="2010-01-15T20:55:26Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://mrutherford2k3.airgroup.alaskaair.com/SAML2IdentityProvider/</saml:Issuer>
[...]
>   <samlp:Status>
>     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>   </samlp:Status>
>   <saml:Assertion Version="2.0" ID="_32fcc662-c4d4-448c-9726-72ba29088bb8" IssueInstant="2010-01-15T20:55:26Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml:Subject>
>       <saml:NameID>idp-user</saml:NameID>
>     </saml:Subject>
>     <saml:AuthnStatement AuthnInstant="2010-01-15T20:55:26Z" />
>     <saml:AttributeStatement>
>       <saml:Attribute Name="Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>         <saml:AttributeValue>Gold</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>   </saml:Assertion>
> </samlp:Response>
> ==== end ====
>
> Any ideas?
You are missing the Issuer element in the Assertion. The Issuer element
in the Assertion is required according to the specification (see [1],
lines 600-605), which is why we throw an exception if it is missing.
If fixing the IdP software is not an option, you will need to change
the code in lib/SAML2/Assertion.php to not require the Issuer element.
Change:
    $issuer = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (empty($issuer)) {
        throw new Exception('Missing <saml:Issuer> in assertion.');
    }
    $this->issuer = trim($issuer[0]->textContent);
To:
    $issuer = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (!empty($issuer)) {
        $this->issuer = trim($issuer[0]->textContent);
    }
[1] http://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
--
Olav Morken
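The Assertion-level Issuer check discussed in the reply above, as an added example that is not simpleSAMLphp's own code: it parses a Response with PHP's DOMDocument and DOMXPath, reads the Issuer from the Response and from each Assertion, and, instead of dropping the check entirely as the patch above does, falls back to the Response Issuer when the Assertion has none and then compares the resolved value against the IdP entity ID the SP is configured to trust. The function names, the `$strict` switch and the `$expectedIdp` value are assumptions; the sample XML is a trimmed copy of the Response posted in the thread (Signature and certificate removed).

```php
<?php
// Added example (not simpleSAMLphp code): resolving and checking the
// Issuer of each Assertion in a samlp:Response.

const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';

/** Trimmed text of the first <saml:Issuer> child of $node, or null if absent. */
function issuerOf(DOMXPath $xp, DOMElement $node): ?string
{
    $nodes = $xp->query('./saml:Issuer', $node);
    if ($nodes === false || $nodes->length === 0) {
        return null;
    }
    return trim($nodes->item(0)->textContent);
}

/**
 * Resolve the issuer of every Assertion in a Response.
 *
 * $strict = true mirrors the library: a missing Assertion Issuer is an error.
 * $strict = false inherits the Response Issuer instead, but the resolved value
 * must still equal the entity ID configured for the IdP ($expectedIdp, assumed).
 *
 * @return string[] one issuer per Assertion, in document order
 */
function resolveAssertionIssuers(string $xml, string $expectedIdp, bool $strict = true): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    if ($doc->loadXML($xml, LIBXML_NONET) === false) {
        throw new Exception('Unable to parse SAMLResponse.');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);

    $root = $doc->documentElement;
    if ($root->namespaceURI !== NS_SAMLP || $root->localName !== 'Response') {
        throw new Exception('Root element is not samlp:Response.');
    }
    $responseIssuer = issuerOf($xp, $root);

    $assertions = $xp->query('./saml:Assertion', $root);
    if ($assertions === false || $assertions->length === 0) {
        throw new Exception('Response contains no assertions.');
    }

    $issuers = [];
    foreach ($assertions as $assertion) {
        $issuer = issuerOf($xp, $assertion);
        if ($issuer === null) {
            if ($strict || $responseIssuer === null) {
                throw new Exception('Missing <saml:Issuer> in assertion.');
            }
            $issuer = $responseIssuer; // lenient mode: inherit from the Response
        }
        // Whatever the source, the issuer must be the IdP this SP trusts.
        if ($issuer !== $expectedIdp) {
            throw new Exception("Assertion issued by unexpected IdP: $issuer");
        }
        $issuers[] = $issuer;
    }
    return $issuers;
}

// Constructed sample: the Response from the thread with Signature and
// certificate removed; the Assertion still carries no <saml:Issuer>.
$sample = <<<'XML'
<samlp:Response ID="_fab3bb8e-ef59-496a-832b-182b6703c594" Version="2.0"
    IssueInstant="2010-01-15T20:55:26Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://mrutherford2k3.airgroup.alaskaair.com/SAML2IdentityProvider/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="_32fcc662-c4d4-448c-9726-72ba29088bb8"
      IssueInstant="2010-01-15T20:55:26Z"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Subject><saml:NameID>idp-user</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
XML;

// Assumed: the entity ID of the IdP from the SP's metadata configuration.
$expectedIdp = 'http://mrutherford2k3.airgroup.alaskaair.com/SAML2IdentityProvider/';

try {
    resolveAssertionIssuers($sample, $expectedIdp, true);
} catch (Exception $e) {
    echo "strict:  " . $e->getMessage() . "\n";
}
echo "lenient: " . implode(', ', resolveAssertionIssuers($sample, $expectedIdp, false)) . "\n";
```

Run with `php example.php`: the strict call throws the same "Missing <saml:Issuer> in assertion." error the trace at the top of the thread shows, while the lenient call returns the Response Issuer for the single Assertion, and any Response whose resolved issuer does not match the configured IdP is rejected in both modes.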