Shibboleth Developers

[Chad La Joie <>]

Yes, I see it now.  Fixed.

On 8/6/10 5:36 PM, Jim Fox wrote:
> I'm running the released snapshot
>
> shibboleth-identityprovider-2.2.0-20100616.121908-1-bin.tar.gz
>
> but the code I examined is from the svn repository, the REL_2 branch.
>
> Jim
>
>
> On Fri, 6 Aug 2010, Chad La Joie wrote:
>
> > Date: Fri, 6 Aug 2010 14:17:15 -0700
> > From: Chad La Joie 
> > <>
> > To: 
> > ""
> >  
> > <>
> > Reply-To: 
> > ""
> >  
> > <>
> > Subject: Re: [Shib-Dev] invalid InvalidNameIDPolicy
> >
> > Are you using the released snapshot as opposed to one you just built
> > from source?
> >
> > On 8/6/10 1:34 PM, Jim Fox wrote:
> > > I get a saml2 authn request without a nameid element. The idp always
> > > immediately rejects this with an InvalidNameIDPolicy error.
> > >
> > > This is 2.2.0-SNAPSHOT.
> > >
> > > In saml2/SSOProfileHandler.java, the checkNameIDPolicy method has:
> > >
> > > --------
> > > protected void checkNameIDPolicy(SSORequestContext requestContext)
> > > throws ProfileException {
> > > AuthnRequest request = requestContext.getInboundSAMLMessage();
> > > NameIDPolicy nameIdPolcy = request.getNameIDPolicy();
> > > String spNameQualifier = null;
> > > if (nameIdPolcy != null) {
> > > spNameQualifier =
> > > DatatypeHelper.safeTrimOrNullString(nameIdPolcy.getSPNameQualifier());
> > > if (spNameQualifier == null) {
> > > return;
> > > }
> > > }
> > >
> > > log.debug("Checking if message issuer is a member of affiliation '{}'",
> > > spNameQualifier);
> > > ...
> > > (which always reports invalid because spNameQualifier is necessarily
> > > null
> > > when nameIdPolicy is null.)
> > > --------
> > >
> > > Shouldn't there be something like
> > >
> > > if (nameIdPolcy == null) return;
> > >
> > >
> > > Maybe most SPs, like shib's does, always send a nameidpolicy element.
> > >
> > > Jim
> >
> > --
> > Chad La Joie
> > http://itumi.biz
> > trusted identities, delivered

--
Chad La Joie
http://itumi.biz
trusted identities, delivered