Our application is an SP and I have an IdP configured with NameIDFormat set to urn:oasis:names:tc:SAML:1.1:nameid-format:transient. In my SP-initiated AuthnRequest, I see the following:
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" AllowCreate="true" />
I then get a response of:
<Response ID="_554906bb392b47bdfa967c9fd8497bb6bdfe" InResponseTo="_9e133193-ba4f-49d1-85e0-c81f92568501" IssueInstant="2015-08-06T20:07:03Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxxxxx</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </StatusCode>
    <StatusMessage>The NameIDPolicy format agreement between SP and IdP is not met!</StatusMessage>
  </Status>
</Response>
In an IdP-initiated SSO, I do see:
<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_89ddd53655a08f4087259de945a947de9c91" IssueInstant="2015-08-06T19:28:34Z" Version="2.0">
  <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> ....
  <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"> ...
I believe the problem to be something on their end, or the fact that we should be using "entity" instead of "transient" for the NameID policy, in spite of them asking for us to use "transient".
Is that correct? Thanks!
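An added example (not the poster's code) showing how an SP can compare the NameID format it requested in its NameIDPolicy with the format the IdP actually asserted, and flag a NameIDPolicy Format URI that is not a known SAML format, such as the 1.1-namespaced transient URI from the AuthnRequest above. The AuthnRequest and Assertion samples are constructed from the snippets in the post, with placeholder IDs and values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Transient and persistent identifiers were introduced in SAML 2.0, so their
# URIs carry the 2.0 namespace; the 1.1 namespace covers only the formats
# inherited from SAML 1.x.
SAML2_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}
SAML11_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}
# Constructed samples built from the snippets in the post (IDs/values are placeholders).
AUTHN_REQUEST = f'''<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>'''
ASSERTION = f'''<ns2:Assertion xmlns:ns2="{SAML}" ID="_a1" Version="2.0">
  <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x</ns2:NameID>
  </ns2:Subject>
</ns2:Assertion>'''

def requested_format(authn_request_xml):
    """Format the SP asked for in its NameIDPolicy (None if absent)."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")

def asserted_format(assertion_xml):
    """Format the IdP actually put on the Subject NameID (None if absent)."""
    name_id = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    return None if name_id is None else name_id.get("Format")

def check_name_id_policy(requested, asserted):
    """Return findings; an empty list means the two sides agree."""
    findings = []
    if requested not in SAML2_FORMATS | SAML11_FORMATS:
        # Flag the 1.1-vs-2.0 namespace slip and suggest the 2.0 URI when one exists
        fixed = (requested or "").replace(":1.1:", ":2.0:")
        hint = f" (did you mean {fixed}?)" if fixed in SAML2_FORMATS else ""
        findings.append(f"unknown requested NameID format {requested!r}{hint}")
    if asserted != requested:
        findings.append(f"asserted {asserted!r} does not match requested {requested!r}")
    return findings
```

Running the check on the two constructed samples reports both the unknown 1.1 transient URI (with the 2.0 URI as the suggested correction) and the mismatch against the 2.0 transient format the IdP asserts.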