shibboleth-dev - [Shib-Dev] invalid InvalidNameIDPolicy
Subject: Shibboleth Developers
List archive
- From: Jim Fox <>
- To:
- Subject: [Shib-Dev] invalid InvalidNameIDPolicy
- Date: Fri, 6 Aug 2010 10:34:39 -0700 (PDT)
I get a saml2 authn request without a nameid element. The idp always immediately rejects this with an InvalidNameIDPolicy error.
This is 2.2.0-SNAPSHOT.
In saml2/SSOProfileHandler.java, the checkNameIDPolicy method has:
--------
protected void checkNameIDPolicy(SSORequestContext requestContext) throws
ProfileException {
AuthnRequest request = requestContext.getInboundSAMLMessage();
NameIDPolicy nameIdPolcy = request.getNameIDPolicy();
String spNameQualifier = null;
if (nameIdPolcy != null) {
spNameQualifier =
DatatypeHelper.safeTrimOrNullString(nameIdPolcy.getSPNameQualifier());
if (spNameQualifier == null) {
return;
}
}
log.debug("Checking if message issuer is a member of affiliation
'{}'", spNameQualifier);
...
(which always reports invalid because spNameQualifier is necessarily
null
when nameIdPolicy is null.)
--------
Shouldn't there be something like
if (nameIdPolcy == null) return;
Maybe most SPs, like shib's does, always send a nameidpolicy element.
Jim
- [Shib-Dev] invalid InvalidNameIDPolicy, Jim Fox, 08/06/2010
- RE: [Shib-Dev] invalid InvalidNameIDPolicy, Scott Cantor, 08/06/2010
- Re: [Shib-Dev] invalid InvalidNameIDPolicy, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] invalid InvalidNameIDPolicy, Jim Fox, 08/06/2010
- Re: [Shib-Dev] invalid InvalidNameIDPolicy, Chad La Joie, 08/06/2010
- Re: [Shib-Dev] invalid InvalidNameIDPolicy, Jim Fox, 08/06/2010
Archive powered by MHonArc 2.6.16.