invalid nameidpolicy error

By: vikas goyal user 03 Jan 2019 at 2:40 a.m. CST

3 Responses
vikas goyal gravatar
Our application acts as as an SP and we are using GLUU version 3.13 as its IDP. same error occurs in version 3.14. We have added trust relationship in saml section as below and validated success. ``` <?xml version="1.0"?> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://2a405fb0.ngrok.io" ID="https___2a405fb0_ngrok_io"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://2a405fb0.ngrok.io/auth/saml/redirect"/> </SPSSODescriptor> </EntityDescriptor> ``` Now when I try to connect to gluu using passport-saml using this configuration, ``` { entryPoint:'https://glusaml.pomsgai.io/idp/profile/SAML2/Redirect/SSO', issuer: 'https://2a405fb0.ngrok.io/auth/saml/redirect', callbackUrl: 'https://2a405fb0.ngrok.io/auth/saml/redirect', issuer: 'https://2a405fb0.ngrok.io', identifierFormat: ' urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' } ``` Gluu redirects to https://2a405fb0.ngrok.io/auth/saml/redirect, I get ` Requestor error, Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>` I have also configured cutom name id using oxtrust ui as: ``` SourcrAtrribute:email, name:mail, NameidType:emailAddress ``` I have tried a lot, but the error still persists. Any help would be really appreciated.
Ubuntu 16.04
closed

Answers

By Michael Schwartz Account Admin 03 Jan 2019 at 3:25 a.m. CST

Copy
Michael Schwartz gravatar
How many of your customer's IDP's do you intend to configure? Is it just one? Or you expect many customers to use SAML for inbound authentication? Have you read the [Inbound SAML docs](https://gluu.org/docs/ce/3.1.4/authn-guide/inbound-saml-passport/) ? Please post more information about your exact use case.

By Aliaksandr Samuseu staff 03 Jan 2019 at 1:35 p.m. CST

Copy
Aliaksandr Samuseu gravatar
Hi, Vikas. > I have also configured cutom name id using oxtrust ui It turns out this feature isn't working properly in 3.1.3 or 3.1.4. Please remove the entry you created in web UI, for now. If you need a custom nameid, you'll have to use manual approach as described in section "Configure NameID - Manual configuration" in [this doc](https://gluu.org/docs/ce/3.1.4/admin-guide/attribute/../saml/#manual-configuration). Also, please note that nameid generation in your instance may be affected by a known bug. Check [this post](https://support.gluu.org/single-sign-on/6263/attribute-not-being-passed-from-gluu-to-sp-via-the-saml-request/#at42086) by another user which explains how to fix it. Lastly, use browser's extensions like SAML Tracer or SAML Chrome Panel to capture the actual request issued by your SP, and shared it here. Keep in mind that the nameid's type specified in request will override the one specified in SP's metadata.

By Aliaksandr Samuseu staff 03 Jan 2019 at 1:43 p.m. CST

Copy
Aliaksandr Samuseu gravatar
I also agree with Michael - as of now, description of your setup is too ambiguous. It's not perfeclty clear what part of the issue constitute Passpport-SAML, and what part is contributed by Shibboleth IDP. 1. Please provide a diagram showing all involved entities/machines and interconnections between them. Use real hostnames/ip addresses in it as we'll need to correlated them with the HAR file metnioned below 2. Please share a HAR file with a capture of your failing flow. You can use steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that task, Chrome's HARs are flawed. Also don't forget to set "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page 3. Which of the mentioned applications does display this error you mentioned - "Requestor error, Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>"? Where does this error come from? An error page in browser, or some log? Please provide as much related log entries and screenshots as possible, so we could understand what's going on

Post an answer