OpenAM 5: AuthnRequest NameID strangeness

This topic contains 3 replies, has 3 voices, and was last updated by  rhamilton828 9 months, 2 weeks ago.

  • Author
  • #18837

    Hi. I have a hosted OpenAM-based IdP I am trying to connect to a remote SP via SAML 2.0. We are using SP-initiated SSO.

    The initial configuration seems to be okay; when I go to a protected page in the SP without an active SAML session, I am redirected to the hosted IdP login page, which in this case is the OpenAM login page for that realm. However when I trace the SAML messages even from this point, I find something very strange.

    In the SP metadata I have imported into my hosted IdP, there is the following line:

    This should be what is sent along with the AuthnRequest from the SP, correct? It is not. In the AuthnRequest, I see this instead:
    <NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>

    Is there something on my end (the hosted IdP) that would trigger this? The only values listed in the NameID Format List for *both* the IdP and SP are urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

    The reason this is a problem is that when I successfully authenticate I get an error; the Tomcat error page I get only says “Unable to do Single Sign On or Federation”, but the debug logs say the following:

    libSAML2:09/11/2017 07:28:34:511 PM UTC: Thread[ajp-bio-8009-exec-9,5,main]: TransactionId[38485d31-dd21-4748-afc6-0f5ef4056212-9567]
    SAML2Utils.verifyNameIDFormat: NameIDFormat not supported by SP: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    libSAML2:09/11/2017 07:28:34:511 PM UTC: Thread[ajp-bio-8009-exec-9,5,main]: TransactionId[38485d31-dd21-4748-afc6-0f5ef4056212-9567]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Service provider does not support name identifier format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    I mean, that makes sense, in theory at least (unless the SP is doing something strange, which I would have no way of knowing), the SP *doesn’t* support unspecified nameid-format. But where is it getting this from if the NameID Format List doesn’t contain that?

     Scott Heger 

    What is your remote SP? Is it another OpenAM instance or some other application? The AuthnRequest is created by the SP based on how it is configured on the SP itself. So something there is set to request a NameIDFormat of “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.

     Peter Major 

    Everything really depends on the SP. If the SP sends an AuthnRequest that requests unspecified NameID-Policy, then the SP must believe that it supports that NameID-Format.
    Don’t forget that the settings you have about the SP on the IdP side only reflects what the IdP knows about the SP, the IdP’s information may be outdated or incorrect altogether at times.


    My SP is a third-party application (Cornerstone OnDemand, if that means anything).

    Thanks for the clarification; I figured the unspecified NameIDFormat was originating from the SP (since that is where the AuthnRequest originates from) but wanted to be sure before contacting the maintainers of the SP.

    It has been a while since I attempted to configure this integration so it is entirely possible the metadata changed on the SP side without my knowledge.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?