By: Jay Brubin user 19 May 2016 at 9:59 a.m. CDT

3 Responses
we changed the attribute-resolver.xml to add the subject name id and still get issues with spring saml sample SP exception: Caused by: org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration >
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Attribute resolver for a Shibboleth 2.0 IdP (resolver namespace
    urn:mace:shibboleth:2.0:resolver). Declares three attribute definitions
    (uid, mail, transientId), one LDAP data connector (siteLDAP) and three
    transient principal connectors.

    NOTE(review): this file only declares how values are resolved and encoded.
    Whether a NameID actually reaches the SP presumably also depends on the
    attribute release policy and on the NameID format the SP asks for; neither
    is visible here. Confirm against the IdP filter configuration and the SP
    metadata.
-->
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
                            xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
                            xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
                            xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
                            xmlns:sec="urn:mace:shibboleth:2.0:security"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">

    <!-- ========================================== -->
    <!-- Attribute Definitions -->
    <!-- ========================================== -->

    <!--
        uid: copied from the "uid" attribute returned by siteLDAP. Encoded as a
        SAML2 NameID and a SAML1 NameIdentifier (both with the "unspecified"
        format) and as an ordinary SAML1 / SAML2 string attribute.
    -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>

    <!--
        mail: copied from the "mail" attribute returned by siteLDAP. Encoded as
        a SAML2 NameID and a SAML1 NameIdentifier (both with the "emailAddress"
        format) and as an ordinary SAML1 / SAML2 string attribute.
    -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>

    <!-- Name Identifier related attributes -->
    <!--
        transientId: ad:TransientId definition with no data connector
        dependency. Encoded as the Shibboleth SAML1 name identifier and as the
        SAML2 transient NameID.
    -->
    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    </resolver:AttributeDefinition>

    <!-- ========================================== -->
    <!-- Data Connectors -->
    <!-- ========================================== -->

    <!-- Example Static Connector -->

    <!-- LDAP Connector -->
    <!--
        siteLDAP: LDAPS connection to localhost:1636, base DN o=gluu, binding
        as cn=Directory Manager.

        SECURITY: principalCredential holds the bind password in clear text, so
        every copy of this file (a backup, a ticket attachment, a paste)
        discloses it. Keep the file readable only by the IdP service account
        and rotate the password once the file has been shared.

        NOTE(review): cn=Directory Manager looks like the directory's
        administrative account. A dedicated read-only bind DN limited to the
        attributes used here (uid, mail) would be the least-privilege choice;
        confirm with the directory administrator.
    -->
    <resolver:DataConnector id="siteLDAP" xsi:type="dc:LDAPDirectory" ldapURL="ldaps://localhost:1636" baseDN="o=gluu" principal="cn=Directory Manager" principalCredential="uxOEsWpJHwou">
        <!-- Search filter: selects the entry whose uid or mail equals $requestContext.principalName. -->
        <dc:FilterTemplate> <![CDATA[ (|(uid=$requestContext.principalName)(mail=$requestContext.principalName)) ]]> </dc:FilterTemplate>
    </resolver:DataConnector>

    <!--
        The ComputedId connector below is disabled (commented out).
        SECURITY: its salt is still readable inside the comment.
        NOTE(review): if this salt is or was used to derive computed IDs, treat
        it as disclosed wherever this file has been copied; confirm whether it
        is in use.
    -->
    <!--resolver:DataConnector xsi:type="dc:ComputedId" id="computedID" generatedAttributeID="computedID" sourceAttributeID="uid" salt="ufujAWGSuzbCtRRcMYpnCujW0r8+55jE8Ez64AO7NV1"> <resolver:Dependency ref="siteLDAP" /> </resolver:DataConnector-->

    <!-- ========================================== -->
    <!-- Principal Connectors -->
    <!-- ========================================== -->

    <!--
        Three pc:Transient connectors, one per NameID format: the Shibboleth
        SAML1 nameIdentifier, SAML 1.1 "unspecified" and SAML 2.0 "transient".

        NOTE(review): saml1Unspec is a Transient connector registered for the
        "unspecified" format, the same format the uid NameID encoders use.
        Presumably a transient connector cannot map a uid value back to a
        principal; confirm this pairing is intended.
    -->
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="shibTransient" nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml1Unspec" nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeResolver>

By Aliaksandr Samuseu staff 19 May 2016 at 11:33 a.m. CDT

Hi, Jay. Please note that you must change the .conf.vm templates in `/opt/tomcat/conf/shibboleth2/idp/`, not the .conf files. If you change only the .conf file, it will soon be overwritten by the old version, which is regenerated from the template. Regards, Alex.

By Michael Schwartz Account Admin 19 May 2016 at 1:51 p.m. CDT

Did you see the [Outbound SAML Docs](https://gluu.org/docs/integrate/outbound-saml/)? Why did you try to edit the XML directly?

By Aliaksandr Samuseu staff 20 May 2016 at 8:19 p.m. CDT

Hi, Jay. Do we need to keep this ticket open?