Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] invalid InvalidNameIDPolicy

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] invalid InvalidNameIDPolicy


Chronological Thread 
  • From: Jim Fox <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] invalid InvalidNameIDPolicy
  • Date: Fri, 6 Aug 2010 14:36:47 -0700 (PDT)


I'm running the released snapshot

shibboleth-identityprovider-2.2.0-20100616.121908-1-bin.tar.gz

but the code I examined is from the svn repository, the REL_2 branch.

Jim


On Fri, 6 Aug 2010, Chad La Joie wrote:

Date: Fri, 6 Aug 2010 14:17:15 -0700
From: Chad La Joie
<>
To:
""

<>
Reply-To:
""

<>
Subject: Re: [Shib-Dev] invalid InvalidNameIDPolicy

Are you using the released snapshot as opposed to one you just built
from source?

On 8/6/10 1:34 PM, Jim Fox wrote:

I get a saml2 authn request without a nameid element. The idp always
immediately rejects this with an InvalidNameIDPolicy error.

This is 2.2.0-SNAPSHOT.

In saml2/SSOProfileHandler.java, the checkNameIDPolicy method has:

--------
protected void checkNameIDPolicy(SSORequestContext requestContext)
throws ProfileException {
AuthnRequest request = requestContext.getInboundSAMLMessage();
NameIDPolicy nameIdPolcy = request.getNameIDPolicy();
String spNameQualifier = null;
if (nameIdPolcy != null) {
spNameQualifier =
DatatypeHelper.safeTrimOrNullString(nameIdPolcy.getSPNameQualifier());
if (spNameQualifier == null) {
return;
}
}

log.debug("Checking if message issuer is a member of affiliation '{}'",
spNameQualifier);
...
(which always reports invalid because spNameQualifier is necessarily null
when nameIdPolicy is null.)
--------

Shouldn't there be something like

if (nameIdPolcy == null) return;


Maybe most SPs, like shib's does, always send a nameidpolicy element.

Jim





--
Chad La Joie
http://itumi.biz
trusted identities, delivered




Archive powered by MHonArc 2.6.16.

Top of Page