Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP

Question

After looking all over the Internet, particularly

I tried all the suggested modifications to authsource.php and metadata php. Nothing worked.

Here is my authsource.php

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://domain.com/adfs/services/trust',

I used the XML to simpleSAMLphp metadata converter to generate the saml20-idp-remote.php

So when I access the page, SimpleSAMLPHP correctly redirects me to the IDP login page. I decoded the SAML Request:

<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="_4e03333c7aa76314d965e05f8fcdd3e1f4c5be96c8" 
    Version="2.0" 
    IssueInstant="2014-12-11T19:41:50Z" 
    Destination="https://domain.com/adfs/ls/" 
    AssertionConsumerServiceURL="https://sub.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

    <saml:Issuer>
        https://su.bdomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
    </saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

</samlp:AuthnRequest>

After logging in with a valid test account, I'm redirected back to my site with the error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:179 (N/A)
Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError)
2 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:495 (sspmod_saml_Message::processResponse)
1 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:134 (N/A)

I tried setting different NameIDPolicy but none of them worked.

    //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Thanks!

I was getting a similar error for having 'store.type' => 'memcache', instead of phpsession — Asdrubal, Mar 09 '17 at 20:06

YarGnawh · Answer 1 · 2015-08-17T15:12:08.357

22

Yeah. In a fit of anger and frustration. I set NameIDPolicy to null and everything works. FML

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://comain.com/adfs/services/trust',
    'NameIDPolicy' => null,

edited Aug 17 '15 at 15:12

answered Dec 12 '14 at 20:00

YarGnawh

4,574
6
26
37

@YarGnawh You just saved me so much time and energy! Thank you so much! Works with Moodle/saml2 Auth plugin, if anyone is hitting the same spot I did. – Caperneoignis Apr 26 '16 at 18:26
1

Great thanks. This bug still exists in the latest simplesamlphp on github June 2016 – Phil Jun 23 '16 at 09:13
1

I am another one of those people you just saved a bunch of time - Thank you ! – Drace Apr 13 '17 at 18:34
First thing I Googled. I'm wondering how long I would have burnt on this – Nico Westerdale Nov 09 '17 at 06:49
According to https://github.com/simplesamlphp/simplesamlphp/issues/771#issuecomment-433412601 you should set it to `false` with modern SimpleSAML version. – Mikko Rantalainen Oct 13 '22 at 08:46

LisaLisa · Accepted Answer · 2023-01-23T16:57:36.010

11

As of SimpleSAML v1.15.0, setting the NameIDPolicy to NULL is not supported, and will result in an error.

If you do not set the NameIDPolicy, the SAML Request will default to: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, which can cause integration problems.

In order to not explictly send the NameIDPolicy in the auth request, apply the patch found here, and set the NameIDPolicy to false in the authsources.php config file.

'NameIDPolicy' => false

edited Jan 23 '23 at 16:57

answered Jul 17 '18 at 11:29

LisaLisa

411
1
7
18

After applying the patch in Message.php and setting the NameIDPolicy to FALSE worked for me, also we need to make sure we have a proper privatekey and certificate file for the signing – DEVARAJ JOHNSON Aug 09 '18 at 10:21
3

this is the valid answer now – Milan Markovic Jul 02 '19 at 13:04
2

Just as a note: This option has to be set in the `config/authsources.php` within the configuration of your SP (see below https://stackoverflow.com/a/27451231/336311). – BurninLeo Nov 20 '19 at 08:50
Thanks @BurninLeo - I have edited the answer to add that information too. – LisaLisa Nov 21 '19 at 11:00

score 8 · Answer 3 · answered Apr 26 '15 at 13:48

8

According to http://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx you should use the default value of unspecified 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

answered Apr 26 '15 at 13:48

John Newbigin

81
1
1

After adding 'unspecified' as suggested here, once I got the attributes response i could see it said the NameId had `Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` So I just added this as the new NameIdPolicy (i.e. .....:emailAddress) and it is working now – Sami El Maameri Feb 19 '19 at 10:23

Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP

3 Answers3