Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP

php saml adfs2.0 simplesamlphp
YarGnawh picture YarGnawh · Dec 11, 2014 · Viewed 13.2k times · Source

After looking all over the Internet, particularly

I tried all the suggested modifications to authsource.php and metadata php. Nothing worked.

Here is my authsource.php

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://domain.com/adfs/services/trust',

I used the XML to simpleSAMLphp metadata converter to generate the saml20-idp-remote.php

So when I access the page, SimpleSAMLPHP correctly redirects me to the IDP login page. I decoded the SAML Request:

<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="_4e03333c7aa76314d965e05f8fcdd3e1f4c5be96c8" 
    Version="2.0" 
    IssueInstant="2014-12-11T19:41:50Z" 
    Destination="https://domain.com/adfs/ls/" 
    AssertionConsumerServiceURL="https://sub.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

    <saml:Issuer>
        https://su.bdomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
    </saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

</samlp:AuthnRequest>

After logging in with a valid test account, I'm redirected back to my site with the error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:179 (N/A)
Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError)
2 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:495 (sspmod_saml_Message::processResponse)
1 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:134 (N/A)

I tried setting different NameIDPolicy but none of them worked.

    //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Thanks!

Answer

YarGnawh picture YarGnawh · Dec 12, 2014

Yeah. In a fit of anger and frustration. I set NameIDPolicy to null and everything works. FML

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://comain.com/adfs/services/trust',
    'NameIDPolicy' => null,

Related questions

Getting Started with SAML and PHP

I'm beginning work on adding SAML SSO support to a project and am looking for any helpful resources specifically geared towards PHP. I understand the basic concepts and have poked around for any libraries that could help but have come …

Read More
How to decode SAML Response and get the attribute values sent by Idp in PHP

I am implementing SAML Single Sign-On and using idp initiated method for login request. After login it redirect users on the login url defined on the request with the base64 encoded SAML Response. Now, I have extract to this response, …

Read More
What do I need to know about XML Signatures to get SAML working?

At work we have a web app that we'll need to interface with another company's web app using Single Sign On validated by SAML. Our web apps are written in PHP, and it's obviously irrelevant what language choice the other …

Read More