Error urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy


Simon Deconde

May 9, 2016, 9:18:16 PM5/9/16
to SimpleSAMLphp
Hi there

I can't figure out this issue...  My setup seems to work well with some IdPs but not others.

I've installed a SimpleSAMLphp Service Provider at the address https://auth.kanopystreaming.com/module.php/saml/sp/metadata.php/kanopy-sp?output=xhtml

I'm connecting to the following IdPs:
- https://idp.bournemouth.ac.uk/oala/metadata (works like a charm)
- https://shibbsrv1.gsa.ac.uk/idp/shibboleth (doesn't work at all)

In the second case, I'm getting a "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" => "Required NameID format not supported" in the SAML response. See full debug log attached to this post.

The tech guys in charge of the IdP "https://shibbsrv1.gsa.ac.uk/idp/shibboleth" are telling me that their setup is "standard", works with all other SPs and should work with my setup too... But clearly something's wrong!

Would anyone have any idea or suggestion to resolve this issue?

Thanks a lot for your help!

Simon

I've included the following files for your review: 
- config.php
- authsources.php
- saml20-idp-remote.php
- full_debug_log.txt

Peter Schober

May 9, 2016, 9:33:09 PM5/9/16
to SimpleSAMLphp
* Simon Deconde <simon....@kanopy.com.au> [2016-05-10 03:18]:
> I'm connecting to the following IdPs:
> - https://idp.bournemouth.ac.uk/oala/metadata (works like a charm)
> - https://shibbsrv1.gsa.ac.uk/idp/shibboleth (doesn't work at all)
>
> In the second case, I'm getting a
> "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" => "Required
> NameID format not supported" in the SAML response.

Well, your SP is requesting
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent as NameID format,
and the error message from that IDP says it does not support that. Not
sure what part of that is unclear?

Maybe that IDP only supports the (legacy-ish, for SAML2.0)
eduPersonTargetedId attribute or neither of those. Properly
implemented Persistent NameIDs come with quite a bit of baggage, also
including areas outside of the SAML IDP itself, touching on
institutional/business processes at the institution. So some/many SAML
IDPs don't support them.

I'm assuming you know about the properties of Persistent
NameIDs[1],[2] and you don't want to use anything else. Otherwise my
advice may sound a bit like "If it hurts, don't do it".

[1] cf. section 8.3.7 in SAML Core
[2] https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers
-peter
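To make the cause and the diagnosis in Peter's reply concrete, here is an added example (not code from the thread, nor from SimpleSAMLphp or Shibboleth). The first half builds the NameIDPolicy element an SP puts into its AuthnRequest, either demanding a specific format or leaving the element out so the IdP can choose; the second half walks the nested StatusCode chain of a Response, which is where InvalidNameIDPolicy sits as a subordinate code under the top-level Responder code. The sample Response is constructed to match the error quoted above; its issuer, ID and timestamp are made up, and signatures, Destination and IssueInstant are deliberately omitted from the request because only the policy element is under discussion.

```python
"""Added example (not from the thread): build the NameIDPolicy an SP sends
and diagnose the nested status an IdP returns. Standard library only."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def build_authn_request(issuer, nameid_format=None, allow_create=True):
    """Return a minimal AuthnRequest as XML text (no ID, IssueInstant,
    Destination or signature; only the NameIDPolicy element matters here).
    With nameid_format=None the element is omitted, so the IdP may pick
    whatever NameID format it supports."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {"Version": "2.0"})
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    if nameid_format is not None:
        ET.SubElement(req, "{%s}NameIDPolicy" % NS["samlp"],
                      {"Format": nameid_format,
                       "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(req, encoding="unicode")


def requested_nameid_format(authn_request_xml):
    """Format the request demands, or None when no NameIDPolicy is sent."""
    root = ET.fromstring(authn_request_xml)
    pol = root.find("samlp:NameIDPolicy", NS)
    return None if pol is None else pol.get("Format")


def parse_status(response_xml):
    """Walk the nested samlp:StatusCode chain of a Response and return
    (top_level_code, [subordinate codes, outermost first], StatusMessage)."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response carries no samlp:Status element")
    code = status.find("samlp:StatusCode", NS)
    top = code.get("Value")
    subs = []
    child = code.find("samlp:StatusCode", NS)
    while child is not None:            # second-level codes nest arbitrarily
        subs.append(child.get("Value"))
        child = child.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    return top, subs, (msg.text if msg is not None else None)


def explain_status(response_xml):
    """One-line verdict an SP operator can act on."""
    top, subs, msg = parse_status(response_xml)
    if top.endswith(":Success"):
        return "success"
    if INVALID_NAMEID_POLICY in subs:
        return ("IdP refused the requested NameID format (%s): relax or drop "
                "the SP's NameIDPolicy, or ask the IdP to support that format"
                % (msg or "no StatusMessage"))
    return "failed: %s / %s (%s)" % (top, subs, msg)


# Constructed sample modelled on the error quoted in the thread; the issuer,
# ID and IssueInstant are invented.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2016-05-09T11:18:16Z">
  <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Required NameID format not supported</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com/sp", PERSISTENT)
    print("SP asks for:", requested_nameid_format(req))
    print(explain_status(SAMPLE_RESPONSE))
```

The point of the nested walk is that SAML puts the actionable code one level down: a log filter that only looks at the top-level Responder value would show nothing more specific than "the IdP said no". In SimpleSAMLphp the request side is governed by the SP authsource's NameIDPolicy option in authsources.php; its default and accepted values differ between releases, so check the documentation for the version you run before changing it.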