Getting InvalidNameIDPolicy Response

dmarlow
Junior Member (57 reputation)
Group: Forum Members
Posts: 38, Visits: 175
Our application is a SP and I have an IdP configured with NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:transient. In my SP initiated AuthnRequest, I see the following:

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" AllowCreate="true" />

I then get a response of:

<Response ID="_554906bb392b47bdfa967c9fd8497bb6bdfe" InResponseTo="_9e133193-ba4f-49d1-85e0-c81f92568501" IssueInstant="2015-08-06T20:07:03Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxxxxx</ns1:Issuer>
  <Status>
   <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
   </StatusCode>
   <StatusMessage>The NameIDPolicy format agreement between SP and IdP is not met!</StatusMessage>
  </Status>
</Response>

In an IdP-initiated SSO, I do see:
<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_89ddd53655a08f4087259de945a947de9c91" IssueInstant="2015-08-06T19:28:34Z" Version="2.0">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    ....
    <ns2:Subject>
       <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
       ...

I believe the problem to be something on their end, or the fact that we should be using "entity" instead of "transient" for the NameID policy, in spite of them asking for us to use "transient".

Is that correct? Thanks!
dmarlow
Junior Member (57 reputation)
Group: Forum Members
Posts: 38, Visits: 175
Please disregard. This was due to user error. Should not be using SAML 1.1 format. Should be 2.0.

urn:oasis:names:tc:SAML:1.1:nameid-format:transient

vs

urn:oasis:names:tc:SAML:2.0:nameid-format:transient
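As an added check (this is example code, not ComponentSpace's and not from the original posts), the Python script below parses a constructed AuthnRequest and error Response modelled on the ones in this thread: it compares the requested NameIDPolicy format with the format the IdP actually issues, flags the SAML 1.1 versus 2.0 URN slip specifically, and walks the nested StatusCode chain so the second-level InvalidNameIDPolicy code is not lost behind the top-level Requester code. The IdP format and both messages are assumptions built from the thread.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
IDP_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"  # what the thread's IdP issues

AUTHN_REQUEST = (  # constructed; repeats the SAML 1.1 URN slip from the first post
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0">'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)
ERROR_RESPONSE = (  # constructed; modelled on the error Response quoted in the thread
    f'<Response xmlns="{SAMLP}" ID="_resp1" InResponseTo="_req1" Version="2.0"><Status>'
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></StatusCode>'
    '<StatusMessage>The NameIDPolicy format agreement between SP and IdP is not met!</StatusMessage>'
    '</Status></Response>'
)

def _urn_parts(fmt):
    """Split 'urn:oasis:names:tc:SAML:<version>:<rest>' into (version, rest)."""
    version, _, tail = fmt.replace("urn:oasis:names:tc:SAML:", "", 1).partition(":")
    return version, tail

def requested_nameid_format(authn_request_xml):
    """Return NameIDPolicy/@Format from an AuthnRequest, or None when no policy is present."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def nameid_policy_findings(authn_request_xml, idp_format):
    """Explain why the IdP would answer InvalidNameIDPolicy; an empty list means the formats agree."""
    requested = requested_nameid_format(authn_request_xml)
    if requested is None or requested == idp_format:
        return []
    findings = [f"requested {requested!r} but IdP issues {idp_format!r}"]
    req_ver, req_tail = _urn_parts(requested)
    idp_ver, idp_tail = _urn_parts(idp_format)
    if req_tail == idp_tail and req_ver != idp_ver:  # same format name, wrong spec version in the URN
        findings.append(f"URN version slip: SAML {req_ver} vs SAML {idp_ver} for {req_tail}")
    return findings

def status_chain(response_xml):
    """Walk the nested StatusCode chain top-down; return (list of Value URNs, StatusMessage text)."""
    root = ET.fromstring(response_xml)
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    message = root.find("samlp:Status/samlp:StatusMessage", NS)
    return codes, (None if message is None else message.text)
```

Running the findings check against the corrected request (the 2.0 URN) returns an empty list, which is the state the second post describes after the fix.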

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks for letting us know.

Regards
ComponentSpace Development