All geek questions in one place

Requester / InvalidNameIDPolicy error using SimpleSAMLPHP SP and ADFS IDP

After browsing all over the Internet, especially

I tried all the proposed changes in authsource.php and php metadata. Nothing succeeded.

Here is my authsource.php

'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt', 'idp' => 'http://domain.com/adfs/services/trust',

I used XML to simpleSAMLphp metadata converter to create saml20-idp-remote.php

So when I access the page, SimpleSAMLPHP correctly redirects me to the IDP login page. I decoded the SAML request:

 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4e03333c7aa76314d965e05f8fcdd3e1f4c5be96c8" Version="2.0" IssueInstant="2014-12-11T19:41:50Z" Destination="https://domain.com/adfs/ls/" AssertionConsumerServiceURL="https://sub.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"> <saml:Issuer> https://su.bdomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp </saml:Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/> </samlp:AuthnRequest>

After logging in with a valid test account, I am redirected back to my site with an error.

 SimpleSAML_Error_Error: UNHANDLEDEXCEPTION Backtrace: 0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:179 (N/A) Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy Backtrace: 3 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError) 2 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:495 (sspmod_saml_Message::processResponse) 1 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require) 0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:134 (N/A)

I tried to set another NameIDPolicy, but none of them worked.

  //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Thanks!

+6
source share
2 answers

Yes. In a fit of anger and frustration. I set NameIDPolicy to zero and everything works. Fml

 'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt', 'idp' => 'http://comain.com/adfs/services/trust', 'NameIDPolicy' => null,
+18
source

According to http://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims -provider-cp-during-saml-2-0-single-sign-on-sso.aspx you must use the default value of the unspecified 'NameIDPolicy' => 'urn: oasis: names: tc: SAML: 1.1: nameid-format : unspecified ',

+2
source

Source: https://habr.com/ru/post/979471/

More articles:


All Articles