We're running a Policy Server on the IdP side, and when a user initiates
a transaction from the SP, the Policy Server cannot handle the SAML
request and returns this error:
[11:53:12][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error.
<Response ID="_9f7b483c64f9e40a22bf702ee59431248870"
          InResponseTo="_7391846a-a830-46e3-8610-ff7145098073_1142e754-fb7c-48c3-9d93-a490402366e9"
          IssueInstant="2020-10-01T10:53:12Z" Version="2.0"
          xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
    myfedidp
  </ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>
      Configuration error.
    </StatusMessage>
  </Status>
</Response>
We've configured "NameID Format" as "Transient Identifier", as the SP
partner requested.
But when configuring this, we got this warning in the AdminUI
browser:
Selected Name ID format is not supported by both the local and remote entities.
How can we fix this?
Policy Server 12.8SP3 on RedHat 6
As per the OASIS standards, both sides should be configured the same
way. Thus the Transient Identifier should be configured on both sides,
that is, in both the local and the remote entity on your side.
Assertions and Protocols for the OASIS Security Assertion Markup
Language (SAML) V2.0
1.3.4 ID and ID Reference Values
The mechanism by which a SAML system entity ensures that the
identifier is unique is left to the implementation. In the case that
a random or pseudorandom technique is employed, the probability of
two randomly chosen identifiers being identical MUST be less than or
equal to 2
8.3.8 Transient Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Indicates that the content of the element is an identifier with
transient semantics and SHOULD be treated as an opaque and temporary
value by the relying party. Transient identifier values MUST be
generated in accordance with the rules for SAML identifiers (see
Section 1.3.4), and MUST NOT exceed a length of 256 characters.
The NameQualifier and SPNameQualifier attributes MAY be used to
signify that the identifier represents a transient and temporary
pair-wise identifier. In such a case, they MAY be omitted in
accordance with the rules specified in Section 8.3.7.
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Name Identifier Profiles and Management in SAML 2.0
3.6 Transient Identifiers
SAML 2.0 shall provide a facility enabling a principal's identity
to be reflected to relying parties anonymously (in effect), using
non-persistent identifiers. Identifiers of this type may be
obtained upon relying party request; additionally, principals may
designate that they are to be so represented to relying parties
within the scope of a session. This facility shall be applicable
independent of whether or not the principal has a federation
relationship between the SAML authentication authority and any of
the relying parties receiving assertions within the
session. Desirably, it should be possible for a principal to
request and/or configure use of this facility at the granularity
of individual relying parties.
https://www.oasis-open.org/committees/download.php/4587
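The two passages quoted above give the rules an IdP must follow when it mints a transient identifier (random, collision-resistant, at most 256 characters, optionally qualified per pair of entities) and what a relying party may rely on (an opaque, temporary value). The following Python is an added illustration of those rules; it is not part of the original article or of the Policy Server's code. It generates a compliant value from the OS CSPRNG, wraps it in a saml:NameID with the pair-wise qualifiers from section 8.3.8, and runs the checks a relying party would apply. The issuer name myfedidp comes from the log above; the SP entity ID https://sp.example.org/saml is a constructed placeholder.

```python
import secrets
import xml.etree.ElementTree as ET

SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
MAX_TRANSIENT_LEN = 256          # hard limit from SAML core section 8.3.8
NAMEID_TAG = f"{{{SAML_ASSERTION}}}NameID"


def make_transient_id(entropy_bytes: int = 16) -> str:
    """Generate an opaque transient identifier.

    128 bits from the OS CSPRNG keep the probability of two identifiers
    colliding far below the bound SAML core section 1.3.4 requires for
    randomly generated identifiers. The leading underscore also makes the
    value a valid xs:ID / NCName, so the same generator serves for
    assertion and message IDs.
    """
    return "_" + secrets.token_hex(entropy_bytes)


def build_transient_nameid(value: str, idp_entity_id: str, sp_entity_id: str) -> str:
    """Serialise a saml:NameID with transient Format and the optional
    pair-wise qualifiers described in section 8.3.8."""
    el = ET.Element(NAMEID_TAG, {
        "Format": TRANSIENT_FORMAT,
        "NameQualifier": idp_entity_id,      # the issuing IdP
        "SPNameQualifier": sp_entity_id,     # the relying party the value is scoped to
    })
    el.text = value
    return ET.tostring(el, encoding="unicode")


def validate_transient_nameid(nameid_xml: str, expected_sp_entity_id: str) -> list:
    """Relying-party side checks; returns a list of problems (empty means acceptable).

    The identifier value itself is opaque and is deliberately not interpreted.
    """
    problems = []
    el = ET.fromstring(nameid_xml)
    if el.tag != NAMEID_TAG:
        return [f"not a saml:NameID element: {el.tag}"]
    if el.get("Format") != TRANSIENT_FORMAT:
        problems.append(f"unexpected Format {el.get('Format')!r}")
    value = (el.text or "").strip()
    if not value:
        problems.append("empty identifier")
    elif len(value) > MAX_TRANSIENT_LEN:
        problems.append(f"identifier is {len(value)} chars, limit is {MAX_TRANSIENT_LEN}")
    sp_q = el.get("SPNameQualifier")
    if sp_q is not None and sp_q != expected_sp_entity_id:
        problems.append(f"SPNameQualifier {sp_q!r} is not this SP ({expected_sp_entity_id!r})")
    return problems


if __name__ == "__main__":
    # Quick uniqueness smoke test: 10,000 identifiers, no collisions expected.
    ids = {make_transient_id() for _ in range(10_000)}
    print("distinct identifiers:", len(ids))
    sp = "https://sp.example.org/saml"          # constructed placeholder SP entity ID
    nameid = build_transient_nameid(make_transient_id(), "myfedidp", sp)
    print(nameid)
    print("problems:", validate_transient_nameid(nameid, sp))   # []
```

Because the value is scoped to one IdP/SP pair through the qualifiers, a relying party that receives a SPNameQualifier naming another entity can reject the assertion outright instead of trying to make sense of the identifier, which is exactly the "opaque and temporary" treatment the profile asks for.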
At first glance, the message you get when configuring the Partnership
comes from the fact that one of the two entities, IdP or SP, does not
have the Transient Identifier configured.
According to the code, both the IdP and the SP entity must have
"Transient Identifier" selected:
SAML Local IDP
    Supported Name ID Formats and Attributes
        Transient Identifier
SAML 2.0 Remote SP
    Supported Name ID Formats
        Transient Identifier
To solve the issue, make sure that both the IdP and the SP entity have
Transient Identifier selected:
SAML Local IDP
    Supported Name ID Formats and Attributes
        Transient Identifier
SAML 2.0 Remote SP
    Supported Name ID Formats
        Transient Identifier
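The resolution boils down to two checks: recognise the Responder/"Configuration error." status the Policy Server returned, and confirm that both entities advertise the Name ID format the partnership uses. The following Python is an added example, not part of the original article or of the Policy Server; it parses the error Response quoted in the question and then applies the AdminUI's "supported by both the local and remote entities" rule to SAML metadata, which stands in here for the entity settings in the AdminUI. The IdP metadata and the "before"/"after" SP metadata are constructed inline; myfedidp is the issuer from the log, and https://sp.example.org/saml is a placeholder.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAMLMD = "urn:oasis:names:tc:SAML:2.0:metadata"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The failing Response from the Policy Server log quoted in the question.
ERROR_RESPONSE = """<Response ID="_9f7b483c64f9e40a22bf702ee59431248870"
InResponseTo="_7391846a-a830-46e3-8610-ff7145098073_1142e754-fb7c-48c3-9d93-a490402366e9"
IssueInstant="2020-10-01T10:53:12Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
myfedidp
</ns1:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
<StatusMessage>
Configuration error.
</StatusMessage>
</Status>
</Response>"""


def metadata(entity_id, role_tag, formats):
    """Constructed minimal SAML metadata advertising the given NameIDFormat values."""
    fmts = "".join(f"<md:NameIDFormat>{f}</md:NameIDFormat>" for f in formats)
    return (f'<md:EntityDescriptor xmlns:md="{SAMLMD}" entityID="{entity_id}">'
            f'<md:{role_tag} protocolSupportEnumeration="{SAMLP}">{fmts}</md:{role_tag}>'
            '</md:EntityDescriptor>')


IDP_METADATA = metadata("myfedidp", "IDPSSODescriptor", [TRANSIENT_FORMAT, PERSISTENT_FORMAT])
# Constructed: the remote SP entity as first configured, without the transient format ...
SP_METADATA_BEFORE = metadata("https://sp.example.org/saml", "SPSSODescriptor", [PERSISTENT_FORMAT])
# ... and after the fix, with Transient Identifier selected on the SP entity too.
SP_METADATA_AFTER = metadata("https://sp.example.org/saml", "SPSSODescriptor",
                             [PERSISTENT_FORMAT, TRANSIENT_FORMAT])


def response_status(response_xml):
    """Return (StatusCode Value, StatusMessage text) of a samlp:Response."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    msg = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage")
    value = code.get("Value") if code is not None else None
    text = (msg.text or "").strip() if msg is not None else ""
    return value, text


def is_saml_error(response_xml):
    """Anything other than status:Success is a failed SSO attempt worth alerting on."""
    return response_status(response_xml)[0] != STATUS_SUCCESS


def supported_nameid_formats(metadata_xml):
    """Set of NameIDFormat URIs an entity advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    return {el.text.strip() for el in root.iter(f"{{{SAMLMD}}}NameIDFormat") if el.text}


def check_partnership(idp_xml, sp_xml, wanted=TRANSIENT_FORMAT):
    """Names of the entities that do not advertise `wanted`; an empty list means
    the partnership is consistent (the AdminUI warning would not appear)."""
    missing = []
    if wanted not in supported_nameid_formats(idp_xml):
        missing.append("local IdP")
    if wanted not in supported_nameid_formats(sp_xml):
        missing.append("remote SP")
    return missing


if __name__ == "__main__":
    print("status:", response_status(ERROR_RESPONSE))
    print("before fix, missing transient on:", check_partnership(IDP_METADATA, SP_METADATA_BEFORE))  # ['remote SP']
    print("after fix, missing transient on: ", check_partnership(IDP_METADATA, SP_METADATA_AFTER))   # []
```

A Responder status code means the IdP, not the SP's request, failed, so the place to look is the IdP's own configuration; pairing that signal with the metadata comparison pinpoints which entity lacks the selected format before any user is affected.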