Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP

Question

After looking all over the Internet, particularly

• ADFS 2.0 InvalidNameIDPolcy
• Using SimpleSAMLphp to Authenticate against ADFS 2.0 IdP
• Requester/InvalidNameIDPolicy

I tried all the suggested modifications to authsource.php and metadata php. Nothing worked.

Here is my authsource.php

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://domain.com/adfs/services/trust',

I used the XML to simpleSAMLphp metadata converter to generate the saml20-idp-remote.php

So when I access the page, SimpleSAMLPHP correctly redirects me to the IDP login page. I decoded the SAML Request:

<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="_4e03333c7aa76314d965e05f8fcdd3e1f4c5be96c8" 
    Version="2.0" 
    IssueInstant="2014-12-11T19:41:50Z" 
    Destination="https://domain.com/adfs/ls/" 
    AssertionConsumerServiceURL="https://sub.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

    <saml:Issuer>
        https://su.bdomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
    </saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

</samlp:AuthnRequest>

After logging in with a valid test account, I'm redirected back to my site with the error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:179 (N/A)
Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError)
2 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:495 (sspmod_saml_Message::processResponse)
1 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:134 (N/A)

I tried setting different NameIDPolicy but none of them worked.

    //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Thanks!

Answer 1

According to http://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx you should use the default value of unspecified 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Answer 2

As of SimpleSAML v1.15.0, the accepted answer is not supported, and setting the NameIDPolicy to null will result in an error.

If you do not set the NameIDPolicy, the SAML Request will default to: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, which can cause integration problems.

In order to not explictly send the NameIDPolicy in the auth request, apply the patch found here, and set the NameIDPolicy to false in the authsources.php config file.

'NameIDPolicy' => false

Answer 3

Yeah. In a fit of anger and frustration. I set NameIDPolicy to null and everything works. FML

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://comain.com/adfs/services/trust',
    'NameIDPolicy' => null,