SAML2 SSO fails with custom Service Provider (InvalidNameIDPolicy)

This topic has 0 replies, 1 voice, and was last updated 4 years, 2 months ago by floewe.

#22642
floewe (Participant)

    Straight to the topic: I created a service provider with samlify which works with other Identity Providers, but AM (as a Hosted Identity Provider) fails.

    I've basically got the same issue as this. The NameID formats definitely match. 'emailAddress' seems to be required; otherwise it doesn't matter whether I allow all formats or just one of them. The error code remains.

    The following is the SP metadata (mustache.js template):

    
    <md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="{{proto}}://{{host}}:{{port}}/metadata"
    validUntil="{{validUntil}}">
      <md:SPSSODescriptor
      AuthnRequestsSigned="true"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                {{signCert}}
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                {{signCert}}
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{proto}}://{{host}}:{{port}}/logged-out" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <!--<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>-->
        <!--<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>-->
        <md:AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{proto}}://{{host}}:{{port}}/assert" />
        <md:AttributeConsumingService isDefault="true" index="0">
          <md:ServiceName xml:lang="de">{{name}}</md:ServiceName>
          {{#description}}
          <md:ServiceDescription xml:lang="de">{{description}}</md:ServiceDescription>
          {{/description}}
          <md:RequestedAttribute FriendlyName="username" Name="urn:oid:0.9.2342.19200300.100.1.1"/>
          <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
        </md:AttributeConsumingService>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
    

    And the corresponding AM logs showing the response:

    
    amSession:07/31/2018 02:07:57:064 PM CEST: Thread[http-nio-8080-exec-9,5,main]: TransactionId[c9f1c828-5835-4f13-a3ae-4e20c7b9f73a-91326]
    Local fetch SessionInfo for XT2JLjuVtVgt3nR7baPM_FDAwFM.*AAJTSQACMDEAAlNLABxaZUtCcXc1K1M0elE0YVVCbk1mc1NvbC9RMjQ9AAR0eXBlAANDVFMAAlMxAAA.*
    Reset: true
    amSession:07/31/2018 02:07:57:064 PM CEST: Thread[http-nio-8080-exec-9,5,main]: TransactionId[c9f1c828-5835-4f13-a3ae-4e20c7b9f73a-91326]
    XT2JLjuVtVgt3nR7baPM_FDAwFM.*AAJTSQACMDEAAlNLABxaZUtCcXc1K1M0elE0YVVCbk1mc1NvbC9RMjQ9AAR0eXBlAANDVFMAAlMxAAA.*: CtsOperations selected.
    libSAML2:07/31/2018 02:07:57:064 PM CEST: Thread[http-nio-8080-exec-9,5,main]: TransactionId[c9f1c828-5835-4f13-a3ae-4e20c7b9f73a-91326]
    IDPSSOUtil.sendResponseToACS: Doesn't set COT cookie.
    libSAML2:07/31/2018 02:07:57:064 PM CEST: Thread[http-nio-8080-exec-9,5,main]: TransactionId[c9f1c828-5835-4f13-a3ae-4e20c7b9f73a-91326]
    IDPSSOUtil.sendResponseToACS: Response is:  <samlp:Response ID="s22e2285f8e382980d6353d434e9e188e1c7cf1068" InResponseTo="_17513926-8fa8-4fbe-ae71-1c96e72c15e2" Version="2.0" IssueInstant="2018-07-31T12:07:56Z" Destination="http://{{SP}}/assert"><saml:Issuer>http://{{IDP}}/openam</saml:Issuer><samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy">
    </samlp:StatusCode>
    </samlp:StatusCode>
    <samlp:StatusMessage>
    Creation of NameID is not allowed per AuthnRequest.
    </samlp:StatusMessage>
    </samlp:Status></samlp:Response>
    libSAML2:07/31/2018 02:07:57:065 PM CEST: Thread[http-nio-8080-exec-9,5,main]: TransactionId[c9f1c828-5835-4f13-a3ae-4e20c7b9f73a-91326]
    IDPSSOUtil.sendResponseToACS: Invoking the IDP Adapter
    

    Any help would be appreciated and thank you in advance!
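As an added diagnostic (not part of the original post, and not samlify or AM code), the following Python script pulls the nested StatusCode and StatusMessage out of a Response like the one AM logged above, reads the NameIDPolicy from the AuthnRequest, and cross-checks it against the NameIDFormat entries the SP metadata declares. All three XML samples are constructed; the AuthnRequest is written without AllowCreate="true" on the assumption, suggested by the logged message, that this is what the IdP objected to.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: the Status block AM logged above, wrapped in a minimal Response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r1" Version="2.0" IssueInstant="2018-07-31T12:07:56Z"><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
</samlp:StatusCode><samlp:StatusMessage>Creation of NameID is not allowed per AuthnRequest.
</samlp:StatusMessage></samlp:Status></samlp:Response>"""

# Constructed sample AuthnRequest: NameIDPolicy with no AllowCreate (SAML Core defaults it to false).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_a1" Version="2.0" IssueInstant="2018-07-31T12:07:55Z">
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""

# Constructed SP metadata declaring the same two NameID formats as the template above.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example/metadata">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
</md:SPSSODescriptor></md:EntityDescriptor>"""

def response_status(xml_text):
    """Return (top-level code, nested code, message); the nested code is the one that says why."""
    root = ET.fromstring(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return (top.get("Value") if top is not None else None,
            nested.get("Value") if nested is not None else None,
            msg.text.strip() if msg is not None and msg.text else None)

def nameid_policy(xml_text):
    """Return (Format, AllowCreate) from an AuthnRequest; an absent AllowCreate means False."""
    pol = ET.fromstring(xml_text).find("samlp:NameIDPolicy", NS)
    if pol is None:
        return (None, False)
    return (pol.get("Format"), pol.get("AllowCreate", "false").lower() == "true")

def check_against_metadata(authn_xml, metadata_xml):
    """List the two mismatches that typically surface as InvalidNameIDPolicy."""
    fmt, allow = nameid_policy(authn_xml)
    declared = [e.text.strip() for e in ET.fromstring(metadata_xml).iter("{%s}NameIDFormat" % NS["md"])]
    problems = []
    if fmt and fmt not in declared:
        problems.append("requested Format %s is not declared in the SP metadata" % fmt)
    if not allow:
        problems.append("AllowCreate is false or absent, so the IdP may refuse to create a new NameID")
    return problems
```

Run it against the real AuthnRequest your SP sends (decoded from the SAMLRequest parameter) and the metadata you uploaded to AM; the IdP-side log only shows the outcome, whereas the request shows what was asked for.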
