Shibboleth Developers

[Chad La Joie <>]

Are you using the released snapshot as opposed to one you just built 
from source?

On 8/6/10 1:34 PM, Jim Fox wrote:
> I get a saml2 authn request without a nameid element. The idp always
> immediately rejects this with an InvalidNameIDPolicy error.
>
> This is 2.2.0-SNAPSHOT.
>
> In saml2/SSOProfileHandler.java, the checkNameIDPolicy method has:
>
> --------
> protected void checkNameIDPolicy(SSORequestContext requestContext)
> throws ProfileException {
> AuthnRequest request = requestContext.getInboundSAMLMessage();
> NameIDPolicy nameIdPolcy = request.getNameIDPolicy();
> String spNameQualifier = null;
> if (nameIdPolcy != null) {
> spNameQualifier =
> DatatypeHelper.safeTrimOrNullString(nameIdPolcy.getSPNameQualifier());
> if (spNameQualifier == null) {
> return;
> }
> }
>
> log.debug("Checking if message issuer is a member of affiliation '{}'",
> spNameQualifier);
> ...
> (which always reports invalid because spNameQualifier is necessarily null
> when nameIdPolicy is null.)
> --------
>
> Shouldn't there be something like
>
> if (nameIdPolcy == null) return;
>
>
> Maybe most SPs, like shib's does, always send a nameidpolicy element.
>
> Jim

--
Chad La Joie
http://itumi.biz
trusted identities, delivered