The NameIDPolicy format agreement between SP and IdP is not met!

book

Article ID: 140959

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running Federation Services as IdP and the request we recieve
from the SP side ends with the following message in the assertion :

    The NameIDPolicy format agreement between SP and IdP is not met!

FWSTrace.log

    [11/18/2019][17:37:33][51396][140057613305600][1f50f1b2-4105dcc2
    -98403720-092810ee-e1a9404e-58][SSO.java][processAssertionGenera
    tion][resource
    is:
    /SAMLRequest=nZLLTsMwEEXXIPUfBu9L82pJrLYS4qVIbanaCgk2yNiTEimxIeP
    w%2BHvchFDYdEGUzUyuzz2yMl4hvRhNCOnlhD2GkYqjIJGZEqQiJYeeJ1UmUMYyC
    kUQZyEOk4BB7%2FgIINXd4Y2ZsNvF1ez2Jl08Ks%2BdfX8KpT%2FCKIkDEWEShF7
    m%2BUk0FH4QD70RhqOzjLUUohpTTVZoO2GBS%2FV9v%2B%2FHG%2F%2BMh%2B6NH
    trcHVaUG%2B0ip167%2BSgLTRNWV5obQTlxLUokbiVfn89n3OX4S2WskaZg094xw
    FiTz5u%2BajfunmtTlcIehuw2uepnTZSjtrn9ZB2gkeAOfJghiLCyzr81AZjfp5f
    LRmqwt2ot11bYmr5z39OFUQh3oqjxcA81ab7C1xrJYtXV%2FReU6jdR5GrhvjtfU
    %2BTykw06tcEe%2Bdd2jkRiiz%2Fdm2eE3who7xLEtkIs3Y3CE9p3RA3rJQitIFV
    LyAm0sVCiPfnb95ve7dwwHnS%2F4%2FQL&RelayState=https%3A%2F%2Fmysp.
    mydomain.com%2Fsso%2F&SSOUrl=https%3A%2F%2Fmyidp.myotherdomain.c
    om%2Fmyidpssoservice

    <Response ID="_34d8429cfdasd4dc500cdfaec8c43a28f3e592" 
       InResponseTo="ONELOGIN_d0asdwb3c16e4982a4e9230f01945a128506e367f"
       IssueInstant="2019-11-18T17:37:34Z"
       Version="2.0"
       xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
      <ns1:Issuer
   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
   xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
 MYIDP
      </ns1:Issuer>
      <Status>
 <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
   <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
 </StatusCode>
 <StatusMessage>
   The NameIDPolicy format agreement between SP and IdP is not met!
 </StatusMessage>
      </Status>
    </Response>

 

Cause


In Policy Server code for processing the SAML 2.0 assertion, we expect

the NameID Format as :


  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


and not


  urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress


as we follow the standards for 2.0 SAML protocol :


    Assertions and Protocols for the OASIS Security Assertion Markup

    Language (SAML) V2.0


    8.3.2 Email Address


      URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


      Indicates that the content of the element is in the form of an email

      address, specifically "addr-spec" as defined in IETF RFC 2822 [RFC

      2822] Section 3.4.1. An addr-spec has the form

      [email protected] Note that an addr-spec has no phrase (such as a

      common name) before it, has no comment (text surrounded in

      parentheses) after it, and is not surrounded by "<" and ">".


    https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf


    Is urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress a valid NameID format?


      I wanted to see if someone at OASIS can provide some more info

      and confirm what we discovered, so we can ask the IdP/SP to

      follow the standard ;)


    https://stackoverflow.com/questions/31709692/is-urnoasisnamestcsaml2-0nameid-formatemailaddress-a-valid-nameid-format



Environment

Release : 12.8.03

Component : SITEMINDER -POLICY SERVER

Resolution


Request the partner to send the assertion with the expected URI format

as per OASIS Standard :


  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


to solve this issue.