Requester/InvalidNameIDPolicy Error with SimpleSAMLPHP SP and ADFS IDP
According to http://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx you should use the default value of unspecified:
'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
As of SimpleSAML v1.15.0, the accepted answer is not supported, and setting the NameIDPolicy to null will result in an error.
If you do not set the NameIDPolicy, the SAML Request will default to urn:oasis:names:tc:SAML:2.0:nameid-format:transient, which can cause integration problems.
In order to not explicitly send the NameIDPolicy in the auth request, apply the patch found here, and set the NameIDPolicy to false in the authsources.php config file:
'NameIDPolicy' => false
Yeah. In a fit of anger and frustration, I set NameIDPolicy to null and everything works. FML
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://comain.com/adfs/services/trust',
    'NameIDPolicy' => null,
),
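As an added illustration (not code from this thread or from SimpleSAMLphp), the Python below builds the three AuthnRequest shapes the answers discuss (transient by default, unspecified as ADFS documents, or the NameIDPolicy element omitted entirely) and extracts the Requester/InvalidNameIDPolicy status from a constructed ADFS-style Response. Entity IDs, URLs and the request ID are placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, name_id_policy=TRANSIENT):
    """Minimal AuthnRequest. name_id_policy mirrors the SP setting:
    a format URI emits <samlp:NameIDPolicy Format=...>, None/False omits
    the element (the behaviour the patched SP gets with 'NameIDPolicy' => false)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",  # placeholder, not a real request ID
        "Version": "2.0",
        "IssueInstant": "2020-01-01T00:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if name_id_policy:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": name_id_policy, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_format(authn_request_xml):
    """Format the SP asked for, or None when no NameIDPolicy element was sent."""
    pol = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return None if pol is None else pol.get("Format")


def response_status(response_xml):
    """(top-level StatusCode, nested StatusCode or None). The thread's failure
    shows up as Requester with a nested InvalidNameIDPolicy sub-code."""
    top = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (None if sub is None else sub.get("Value"))


# Constructed sample of the error response an SP sees when the IdP rejects
# the requested NameID format (not a capture from a real ADFS instance).
FAILED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-response-id" Version="2.0" IssueInstant="2020-01-01T00:00:01Z">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>'
)
```

Run `requested_format(build_authn_request(...))` with each setting to see exactly which Format (if any) your SP is sending before comparing it with what the ADFS claims provider is configured to issue.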