EDR: ADFS/SSO authentication fails with StatusInvalidNameidPolicy
Article ID: 289716

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • coreservices.log error
    • <err> cb.flask.blueprints.api_routes_saml - SSO assertion auth failure 
      Traceback (most recent call last): 
      File "/usr/lib/python2.6/site-packages/cb/flask/blueprints/api_routes_saml.py", line 543, in saml_assertion 
      File "/usr/lib/python2.6/site-packages/cb/flask/blueprints/api_routes_saml.py", line 187, in handle_assertion 
      File "/usr/lib/python2.6/site-packages/saml2/client_base.py", line 576, in parse_authn_request_response 
      binding, **kwargs) 
      File "/usr/lib/python2.6/site-packages/saml2/entity.py", line 986, in _parse_response 
      response = response.verify(key_file, decrypt=decrypt) 
      File "/usr/lib/python2.6/site-packages/saml2/response.py", line 876, in verify 
      res = self._verify() 
      File "/usr/lib/python2.6/site-packages/saml2/response.py", line 392, in _verify 
      assert self.status_ok() 
      File "/usr/lib/python2.6/site-packages/saml2/response.py", line 354, in status_ok 
      "%s from %s" % (msg, status.status_code.value,)) 
      StatusInvalidNameidPolicy: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy from urn:oasis:names:tc:SAML:2.0:status:Requester

Environment

  • EDR (Formerly CB Response) Server: 6.x
  • ADFS enabled for SSO

Cause

ADFS is encrypting the claims in the SAML assertion it sends to the EDR server, so the NameIDPolicy arrives encrypted instead of in plain text and the EDR server's SAML client rejects the response with InvalidNameIDPolicy.

Resolution

The NameIDPolicy must be sent in plain text, so disable claims encryption on the EDR relying party trust in ADFS:
  • Within your ADFS server: Click Start
  • Click Administrative Tools
  • Click Windows PowerShell Modules
  • At the Windows PowerShell command prompt, run (where "target" is the display name of the EDR relying party trust):
Set-AdfsRelyingPartyTrust -TargetName "target" -EncryptClaims $false
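The following script is an added example for the procedure above; it is not part of this KB article and not Carbon Black's code. It assumes the EDR relying party trust in ADFS has the display name "Carbon Black EDR" (a placeholder; substitute the name shown in the ADFS console). It reads the current EncryptClaims value before changing it, only changes it when it is actually enabled, and reads it back afterwards so the change can be recorded in the change ticket.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell
# session on the ADFS server. $rpName is a placeholder display name.
Import-Module ADFS

$rpName = "Carbon Black EDR"   # placeholder: display name of the EDR relying party trust

# Look up the relying party trust by display name.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($null -eq $rp) {
    throw "Relying party trust '$rpName' not found; check the display name in the ADFS console."
}

Write-Output "Before: EncryptClaims = $($rp.EncryptClaims)"

# Claims encryption is what causes the NameIDPolicy to be delivered encrypted;
# turn it off only if it is currently on.
if ($rp.EncryptClaims) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -EncryptClaims $false
    Write-Output "EncryptClaims disabled for '$rpName'."
} else {
    Write-Output "EncryptClaims is already disabled; no change made."
}

# Read the setting back to confirm the change took effect.
$after = Get-AdfsRelyingPartyTrust -Name $rpName
Write-Output "After: EncryptClaims = $($after.EncryptClaims)"
```

With EncryptClaims set to $false, ADFS still signs the assertion, so the EDR server can verify its integrity; confidentiality of the assertion in transit then rests on the HTTPS connection between the browser and the EDR server rather than on XML encryption, which is why the EDR SSO endpoint should remain TLS-only.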