While configuring an AWS SSO SAML 2.0 application, the metadata it generates by default does not include a NameIdFormat, and if we go with this default metadata for our Service Provider, Sustainsys/Saml2 gives an error like the one below. Which configuration can we use to make it work without any defined NameIdFormat?

Metadata provided by the Identity Provider

Please note the empty <md:NameIDFormat /> element in the metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.us-east-2.amazonaws.com/saml/assertion/REMOVED_FOR_BREVITY">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>REMOVED_FOR_BREVITY</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-2.amazonaws.com/saml/logout/REMOVED_FOR_BREVITY" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-2.amazonaws.com/saml/logout/REMOVED_FOR_BREVITY" />
      <md:NameIDFormat />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-2.amazonaws.com/saml/assertion/REMOVED_FOR_BREVITY" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-2.amazonaws.com/saml/assertion/REMOVED_FOR_BREVITY" />
   </md:IDPSSODescriptor>
</md:EntityDescriptor>

Error returned by Sustainsys/Saml2:

Sustainsys.Saml2.Metadata.MetadataSerializationException: NameIDFormat element with no uri
   at Sustainsys.Saml2.Metadata.MetadataSerializer.ReadNameIDFormat(XmlReader reader)
   at Sustainsys.Saml2.Metadata.MetadataSerializer.ReadSsoDescriptorElement(XmlReader reader, SsoDescriptor descriptor)
   at Sustainsys.Saml2.Metadata.MetadataSerializer.<>c__DisplayClass119_0.<ReadIdpSsoDescriptor>b__0()
   at Sustainsys.Saml2.Metadata.MetadataSerializer.ReadChildren(XmlReader reader, Func`1 childAction)
   at Sustainsys.Saml2.Metadata.MetadataSerializer.ReadIdpSsoDescriptor(XmlReader reader)
   at Sustainsys.Saml2.Metadata.MetadataSerializer.<>c__DisplayClass118_0.<ReadEntityDescriptor>b__0()
   at Sustainsys.Saml2.Metadata.MetadataSerializer.ReadChildren(XmlReader reader, Func`1 childAction)
   at Sustainsys.Saml2.Metadata.MetadataSerializer.ReadEntityDescriptor(XmlReader reader, SecurityTokenResolver tokenResolver)
   at Sustainsys.Saml2.Metadata.MetadataLoader.Load(XmlDictionaryReader reader)
   at Sustainsys.Saml2.Metadata.MetadataLoader.Load(String metadataLocation, IEnumerable`1 signingKeys, Boolean validateCertificate, String minIncomingSigningAlgorithm)
   at Sustainsys.Saml2.Metadata.MetadataLoader.LoadIdp(String metadataLocation, Boolean unpackEntitiesDescriptor)
   at Sustainsys.Saml2.IdentityProvider.DoLoadMetadata()
   at Sustainsys.Saml2.IdentityProvider.set_LoadMetadata(Boolean value)......
PradipB
  • The NameIDFormat should have a URI in the metadata: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`. Use unspecified if there is no defined format. Refer to https://stackoverflow.com/a/21682789/4018180 for more info. – Akshay G Aug 23 '21 at 08:59
  • Thanks, I agree with you that it requires a URI, but this metadata file is provided by the IdP (and does not include a URI for NameIDFormat). Is there any way we can manage and handle this on the Sustainsys.Saml2 side? – PradipB Aug 24 '21 at 09:22
  • The source code of `Sustainsys.Saml2` has the validation. I am not completely sure if the URI can be skipped as per SAML 2.0. You can raise a ticket in GitHub and see if you get any updates. https://github.com/Sustainsys/Saml2/blob/20990905ecdcf15f6f76fef80506d53831f7857b/Sustainsys.Saml2.Metadata/Serialization/MetadataSerializer.cs. – Akshay G Aug 24 '21 at 12:20
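Added example (not code from the question, the comments, or the Sustainsys project): since the parser's check lives in `MetadataSerializer.ReadNameIDFormat` and the IdP controls the metadata, one workaround that touches neither side is to pre-process the metadata once before Sustainsys reads it, either dropping the empty `<md:NameIDFormat />` (the element is optional in the SAML metadata schema) or filling it with the `unspecified` URI that the first comment suggests, and then pointing the SP's `MetadataLocation` at the rewritten local file (the Sustainsys documentation describes `MetadataLocation` as accepting a URL or a file path; check that against the version you run). The script refuses to rewrite metadata that carries a `ds:Signature`, because any edit would break signature validation; the AWS SSO metadata in the question has no signature, which is what makes this safe. Entity IDs, hostnames, the certificate and the output file name below are placeholders.

```python
"""Pre-process SAML 2.0 IdP metadata whose <md:NameIDFormat/> element is empty.

Constructed example for this thread; it is not code from the question or from
Sustainsys.Saml2. It rewrites an IdP metadata document so that a strict
metadata parser (Sustainsys.Saml2 rejects "NameIDFormat element with no uri")
accepts it, and refuses to touch metadata that carries an XML signature,
because any edit would invalidate that signature.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# SAML 2.0 Core (section 8.3.1) lists this identifier for "no particular format".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Keep the md:/ds: prefixes on output instead of ElementTree's ns0:/ns1:.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample shaped like the AWS SSO metadata in the question; the
# entityID, Location values and certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.example.test/saml/assertion/PLACEHOLDER">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>PLACEHOLDER_CERTIFICATE</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.example.test/saml/assertion/PLACEHOLDER" />
   </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with a placeholder (empty) ds:Signature element, constructed
# only to exercise the signed-metadata guard below.
SIGNED_SAMPLE = SAMPLE_METADATA.replace(
    "<md:IDPSSODescriptor",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>\n   <md:IDPSSODescriptor',
    1,
)


class SignedMetadataError(ValueError):
    """Raised when the metadata is signed and therefore must not be rewritten."""


def is_signed(metadata_xml: str) -> bool:
    """True if the document contains any XML-DSig Signature element."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    return root.find(f".//{{{DS_NS}}}Signature") is not None


def sanitize_nameid_formats(metadata_xml: str, mode: str = "drop") -> Tuple[str, int]:
    """Return (rewritten_xml, number_of_empty_NameIDFormat_elements_fixed).

    mode="drop" removes each empty <md:NameIDFormat/> (the element is optional
    in the metadata schema); mode="unspecified" fills it with the 'unspecified'
    URI instead. Elements that already carry a URI are left untouched.
    """
    if mode not in ("drop", "unspecified"):
        raise ValueError("mode must be 'drop' or 'unspecified'")
    if is_signed(metadata_xml):
        raise SignedMetadataError(
            "metadata is signed; editing it would break signature validation"
        )
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    fixed = 0
    # NameIDFormat is a child of the role descriptor, so look only there; this
    # keeps the rewrite scoped to the one element we intend to change.
    for descriptor in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for fmt in list(descriptor.findall(f"{{{MD_NS}}}NameIDFormat")):
            if fmt.text and fmt.text.strip():
                continue
            if mode == "drop":
                descriptor.remove(fmt)
            else:
                fmt.text = UNSPECIFIED
            fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed


if __name__ == "__main__":
    # Typical use: fetch the AWS SSO metadata over HTTPS once, run it through
    # here, and point the SP's MetadataLocation at the resulting local file.
    rewritten, count = sanitize_nameid_formats(SAMPLE_METADATA)
    with open("aws-sso-idp-metadata.fixed.xml", "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    print(f"fixed {count} empty NameIDFormat element(s)")
```

Two operational caveats: the `<md:KeyDescriptor use="signing">` certificate is what Sustainsys uses to validate the IdP's assertions, so the script leaves it untouched and you should diff the output against the original to confirm that only the NameIDFormat element changed; and a static local file loses the automatic metadata refresh you get from a URL, so the fetch-and-rewrite step has to be repeated when AWS rotates the signing certificate.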