September 11, 2017 at 10:00 pm #18837 rhamilton828 (Participant)
Hi. I have a hosted OpenAM-based IdP I am trying to connect to a remote SP via SAML 2.0. We are using SP-initiated SSO.
The initial configuration seems to be okay; when I go to a protected page in the SP without an active SAML session, I am redirected to the hosted IdP login page, which in this case is the OpenAM login page for that realm. However, when I trace the SAML messages even from this point, I find something very strange.
In the SP metadata I have imported into my hosted IdP, there is the following line:
This should be what is sent along with the AuthnRequest from the SP, correct? It is not. In the AuthnRequest, I see this instead:
Is there something on my end (the hosted IdP) that would trigger this? The only values listed in the NameID Format List for *both* the IdP and SP are urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
The reason this is a problem is that when I successfully authenticate I get an error; the Tomcat error page I get only says “Unable to do Single Sign On or Federation”, but the debug logs say the following:
libSAML2:09/11/2017 07:28:34:511 PM UTC: Thread[ajp-bio-8009-exec-9,5,main]: TransactionId[38485d31-dd21-4748-afc6-0f5ef4056212-9567] SAML2Utils.verifyNameIDFormat: NameIDFormat not supported by SP: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
libSAML2:09/11/2017 07:28:34:511 PM UTC: Thread[ajp-bio-8009-exec-9,5,main]: TransactionId[38485d31-dd21-4748-afc6-0f5ef4056212-9567] ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Service provider does not support name identifier format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
I mean, that makes sense, in theory at least (unless the SP is doing something strange, which I would have no way of knowing), the SP *doesn’t* support unspecified nameid-format. But where is it getting this from if the NameID Format List doesn’t contain that?

September 11, 2017 at 10:33 pm #18838 Scott Heger (Participant)
What is your remote SP? Is it another OpenAM instance or some other application? The AuthnRequest is created by the SP based on how it is configured on the SP itself. So something there is set to request a NameIDFormat of “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.

September 11, 2017 at 10:35 pm #18839 Peter Major (Moderator)
Everything really depends on the SP. If the SP sends an AuthnRequest that requests unspecified NameID-Policy, then the SP must believe that it supports that NameID-Format.
Don’t forget that the settings you have about the SP on the IdP side only reflect what the IdP knows about the SP; the IdP’s information may be outdated or incorrect altogether at times.

September 11, 2017 at 10:41 pm #18840 rhamilton828 (Participant)
My SP is a third-party application (Cornerstone OnDemand, if that means anything).
Thanks for the clarification; I figured the unspecified NameIDFormat was originating from the SP (since that is where the AuthnRequest originates from) but wanted to be sure before contacting the maintainers of the SP.
It has been a while since I attempted to configure this integration so it is entirely possible the metadata changed on the SP side without my knowledge.
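The mismatch this thread diagnoses, as an added example that is not the thread's or OpenAM's own code: a script that pulls the NameIDFormat list out of SP metadata and the NameIDPolicy Format out of an AuthnRequest, then applies the same comparison the verifyNameIDFormat log line reports, which is handy for checking freshly exported SP metadata against a captured request before re-importing it into the IdP. Both XML documents are constructed samples, the entity ID and request ID are placeholders, and the handling of a request with no Format attribute is an assumption rather than OpenAM's documented behaviour.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: SP metadata advertising only the transient format,
# as described for the SP entry imported into the hosted IdP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the AuthnRequest the SP actually sends, asking for the
# SAML 1.1 "unspecified" format that its own metadata does not list.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_placeholder-request-id" Version="2.0" IssueInstant="2017-09-11T19:28:34Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def sp_nameid_formats(metadata_xml):
    """Return every NameIDFormat the SP advertises in its SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall(".//md:SPSSODescriptor/md:NameIDFormat", NS)]


def requested_nameid_format(authn_request_xml):
    """Return the Format attribute of NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def verify_nameid_format(requested, supported):
    """Reproduce the check behind 'NameIDFormat not supported by SP'.

    A requested format that the SP metadata does not list is rejected.
    Treating a missing Format as acceptable (IdP default applies) is an
    assumption for this example, not a statement about OpenAM's code.
    """
    if requested is None:
        return True, "no NameIDPolicy Format requested; IdP default applies"
    if requested in supported:
        return True, "requested format is listed in SP metadata"
    return False, "NameIDFormat not supported by SP: " + requested
```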