Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP

Question

After looking all over the Internet, particularly

• ADFS 2.0 InvalidNameIDPolcy
• Using SimpleSAMLphp to Authenticate against ADFS 2.0 IdP
• Requester/InvalidNameIDPolicy

I tried all the suggested modifications to authsource.php and metadata php. Nothing worked.

Here is my authsource.php

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://domain.com/adfs/services/trust',

I used the XML to simpleSAMLphp metadata converter to generate the saml20-idp-remote.php

So when I access the page, SimpleSAMLPHP correctly redirects me to the IDP login page. I decoded the SAML Request:

<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="_4e03333c7aa76314d965e05f8fcdd3e1f4c5be96c8" 
    Version="2.0" 
    IssueInstant="2014-12-11T19:41:50Z" 
    Destination="https://domain.com/adfs/ls/" 
    AssertionConsumerServiceURL="https://sub.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

    <saml:Issuer>
        https://su.bdomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
    </saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

</samlp:AuthnRequest>

After logging in with a valid test account, I'm redirected back to my site with the error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:179 (N/A)
Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError)
2 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/lib/Message.php:495 (sspmod_saml_Message::processResponse)
1 /var/www/html/igt_s3k/web/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /var/www/html/igt_s3k/web/simplesamlphp/www/module.php:134 (N/A)

I tried setting different NameIDPolicy but none of them worked.

    //'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Thanks!

Answer 1

As of SimpleSAML v1.15.0, setting the NameIDPolicy to NULL is not supported, and will result in an error.

If you do not set the NameIDPolicy, the SAML Request will default to: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, which can cause integration problems.

In order to not explictly send the NameIDPolicy in the auth request, apply the patch found here, and set the NameIDPolicy to false in the authsources.php config file.

'NameIDPolicy' => false