EDR: ADFS/SSO authentication fails with StatusInvalidNameidPolicy
Article ID: 289716
Updated On: 10-08-2020
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- coreservices.log error
-
<err> cb.flask.blueprints.api_routes_saml - SSO assertion auth failure Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/cb/flask/blueprints/api_routes_saml.py", line 543, in saml_assertion File "/usr/lib/python2.6/site-packages/cb/flask/blueprints/api_routes_saml.py", line 187, in handle_assertion File "/usr/lib/python2.6/site-packages/saml2/client_base.py", line 576, in parse_authn_request_response binding, **kwargs) File "/usr/lib/python2.6/site-packages/saml2/entity.py", line 986, in _parse_response response = response.verify(key_file, decrypt=decrypt) File "/usr/lib/python2.6/site-packages/saml2/response.py", line 876, in verify res = self._verify() File "/usr/lib/python2.6/site-packages/saml2/response.py", line 392, in _verify assert self.status_ok() File "/usr/lib/python2.6/site-packages/saml2/response.py", line 354, in status_ok "%s from %s" % (msg, status.status_code.value,)) StatusInvalidNameidPolicy: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy from urn:oasis:names:tc:SAML:2.0:status:Requester
-
Environment
- EDR (Formerly CB Response) Server: 6.x
- ADFS enabled for SSO
Cause
The nameIDPolicy is being sent over encrypted
Resolution
The nameIDPolicy must be sent in plain text :
- Within your ADFS server : Click Start
- Click Administrative Tools
- Click Windows PowerShell Modules
- At the Windows PowerShell command prompt, run:
set-ADFSRelyingPartyTrust –TargetName “target” –EncryptClaims $False
Feedback
Yes
No
Powered by
