
I've configured an app in the ADFS relying party trusts, so I can log in using ADFS/SSO. After that I installed SimpleSAMLphp to handle that login and process the SAML response.

This is my authsources config:

<?php
// config/authsources.php on the SP (SimpleSAMLphp) side
$config = array(
    'myauth' => array(
        'saml:SP',
        // entityID of the ADFS IdP (its metadata must be loaded in saml20-idp-remote.php)
        'idp' => 'http://domain/adfs/services/trust',
        // key/certificate files from the cert/ directory used by this SP
        'privatekey' => 'saml.key',
        'certificate' => 'saml.crt',
    ),
);

But after the login, on the return POST I get the following error:

Exception during login: sspmod_saml_Error: Requester/InvalidNameIDPolicy

Backtrace:
3 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:376 (sspmod_saml_Message::getResponseError)
2 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
1 /home/......../adfs/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
0 /home/......../adfs/simplesamlphp/www/module.php:135 (N/A)

Am I missing something? How can I get that NameID policy? Where do I define it?

Thanks

MGP

1 Answer


SimpleSAMLphp normally uses UPN or email as the NameID. You need to check in the config.

So in ADFS, create two claim rules:

One to create the claim (either UPN or email) - the normal LDAP one.

And a Transform that takes the above and transforms to a NameId claim with a type of "transient".

Again, SimpleSAMLphp may not be using transient - you need to check in the config.

Update:

Assume UPN:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}",
          param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

rbrayb
  • This is my rule at the moment: `c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);` But now I get an sspmod_saml_Error: Responder/RequestDenied – MGP Nov 07 '13 at 11:20
  • And I've added this line to the SimpleSAMLphp service: `'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',` – MGP Nov 07 '13 at 11:43
  • @nzpcmad when you say "need to check the config", where do you mean? Do you mean the value set for NameIDPolicy in the 'authsources.php' file for the SP? – Craig Constantine Jul 25 '14 at 19:52
  • Yes - so it looks like you've configured simpleSAMLphp to expect transient. But the rule above doesn't pass NameID - just email and UPN. You still need the transform. – rbrayb Jul 26 '14 at 02:44
  • I'm running into the same issue. Here's my authsource.php: `'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt', 'idp' => 'http://domain.com/adfs/services/trust', 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',` And the IdP is set to use emailAddress as the NameID. – YarGnawh Dec 11 '14 at 18:55
  • This worked for me. I chose UPN along with other items I wanted, in one claim. Then I created a second custom claim and used the second rule you provided, and everything worked great. Thanks. – James Jul 30 '15 at 16:12
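The error in the question is not produced by SimpleSAMLphp itself: `Requester/InvalidNameIDPolicy` is the top-level and second-level `StatusCode` that ADFS put into the SAML Response, which means the IdP could not issue a NameID in the format the SP asked for in its AuthnRequest's `NameIDPolicy`. The answer's fix is to make both sides agree: the SP's `NameIDPolicy` setting in authsources.php and the ADFS transform rule's `claimproperties/format` property. The script below is an added diagnostic example, not code from SimpleSAMLphp, ADFS or the original post. It decodes the base64 `SAMLResponse` form field from the ACS POST, extracts the status codes and the `NameID` format, and reports whether the response matches the requested format. The two responses it runs on are constructed, unsigned samples; it does no signature or assertion validation, which stays with the SP library.

```python
"""Decode a SAMLResponse and check it against the SP's NameIDPolicy.

Added diagnostic example (not SimpleSAMLphp or ADFS code). The sample
responses are constructed and unsigned; signature checks are out of scope.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def nameid_policy_element(fmt, allow_create=True):
    """The NameIDPolicy element an SP sends in its AuthnRequest. Setting
    'NameIDPolicy' => TRANSIENT in authsources.php asks for exactly this;
    the IdP must then answer with a transient NameID or return an error."""
    return '<samlp:NameIDPolicy xmlns:samlp="%s" Format="%s" AllowCreate="%s"/>' % (
        NS["samlp"], fmt, "true" if allow_create else "false")


def inspect_response(saml_response_b64):
    """Return the status codes and NameID details of a samlp:Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS) if top is not None else None
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "status": top.get("Value").replace(STATUS_PREFIX, "") if top is not None else None,
        "substatus": sub.get("Value").replace(STATUS_PREFIX, "") if sub is not None else None,
        "nameid": name_id.text if name_id is not None else None,
        # SAML Core 8.3: a NameID without a Format attribute means "unspecified".
        "nameid_format": name_id.get("Format", UNSPECIFIED) if name_id is not None else None,
    }


def diagnose(requested_format, saml_response_b64):
    """Summarise a Response the way SimpleSAMLphp reports it (Top/Sub codes)."""
    info = inspect_response(saml_response_b64)
    if info["status"] != "Success":
        code = info["status"] + ("/" + info["substatus"] if info["substatus"] else "")
        return "idp-error:" + code  # e.g. idp-error:Requester/InvalidNameIDPolicy
    if info["nameid"] is None:
        return "no-nameid"  # assertion carries attributes but no NameID at all
    if info["nameid_format"] != requested_format:
        return "format-mismatch:" + info["nameid_format"]
    return "ok:" + info["nameid_format"]


def _b64(xml):
    return base64.b64encode(xml.encode()).decode()


# Constructed sample 1: the kind of error response behind the question's trace.
ERROR_RESPONSE = _b64(
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_r1" Version="2.0" IssueInstant="2013-11-07T11:20:00Z">'
    '<saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>')

# Constructed sample 2: what the answer's transform rule yields (transient NameID).
OK_RESPONSE = _b64(
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_r2" Version="2.0" IssueInstant="2013-11-07T11:43:00Z">'
    '<saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a2" Version="2.0" IssueInstant="2013-11-07T11:43:00Z">'
    '<saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    'user@domain</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print(nameid_policy_element(TRANSIENT))
    print(diagnose(TRANSIENT, ERROR_RESPONSE))   # idp-error:Requester/InvalidNameIDPolicy
    print(diagnose(TRANSIENT, OK_RESPONSE))      # ok:...nameid-format:transient
    print(diagnose(EMAIL, OK_RESPONSE))          # format-mismatch:...nameid-format:transient
```

To use it on a real login, take the `SAMLResponse` value from the browser's POST to `module.php/saml/sp/saml2-acs.php/...`, pass it to `diagnose()` with the format you configured under `NameIDPolicy`, and compare the result with the `Properties[".../claimproperties/format"]` value in the ADFS transform rule. An `idp-error` result means the ADFS side has no rule issuing a NameID in that format; a `format-mismatch` means the rule exists but names a different format than the SP requests.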