EDR: SSO with ADFS fails - "InvalidNameIDPolicy from urn:oasis:names:tc:SAML:2.0:status:Requester"

Article ID: 289991

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • SSO integration with ADFS is not working
  • /var/log/cb/coreservices/debug.log shows the SAML status error and the resulting traceback:
    2020-08-17 09:53:26 [2973] <err> saml2.client_base - SAML status error: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy from urn:oasis:names:tc:SAML:2.0:status:Requester
    2020-08-17 09:53:26 [2973] <err> cb.flask.blueprints.api_routes_saml - SSO assertion auth failure
    Traceback (most recent call last):
      File "/usr/share/cb/virtualenv/lib/python3.8/site-packages/cb/flask/blueprints/api_routes_saml.py", line 549, in saml_assertion
      File "/usr/share/cb/virtualenv/lib/python3.8/site-packages/cb/flask/blueprints/api_routes_saml.py", line 185, in handle_assertion
      File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/client_base.py", line 700, in parse_authn_request_response
        resp = self._parse_response(xmlstr, AuthnResponse,
      File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/entity.py", line 1172, in _parse_response
        response = response.verify(keys)
      File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 1009, in verify
        res = self._verify()
      File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 408, in _verify
        assert self.status_ok()
      File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 369, in status_ok
        raise excep(
    saml2.response.StatusInvalidNameidPolicy: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy from urn:oasis:names:tc:SAML:2.0:status:Requester

Environment

  • EDR Server: All Versions
  • ADFS configured for SSO

Cause

ADFS is not sending the nameIDPolicy in its SAML response, so the EDR server rejects the response with the InvalidNameIDPolicy status shown above.

Resolution

Configure ADFS to include the nameIDPolicy in the response (an issuance transform rule on the EDR relying party trust that issues a Name ID claim in the format the EDR server requests).
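The ADFS side of this resolution, as an added PowerShell example that is not part of this article or of Carbon Black's own tooling: it lists the current issuance transform rules on the EDR relying party trust and appends a rule that issues a Name ID claim with an explicit format. The trust name, the source claim (UPN) and the Name ID format are assumptions; set the format to whatever NameIDPolicy the EDR server sends in its AuthnRequest.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session on the ADFS server.
# Assumptions (replace with your own values):
#   - the relying party trust for the EDR server is named "Carbon Black EDR"
#   - the EDR server requests the emailAddress NameID format in its NameIDPolicy
#   - an earlier rule in the trust already issues the UPN claim (e.g. a "Send LDAP Attributes as Claims" rule)
$TrustName    = "Carbon Black EDR"
$NameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found" }

# Inspect what is there already: if no rule issues the nameidentifier claim with a
# 'format' property, ADFS has nothing to put in <saml:Subject><saml:NameID> and
# answers the AuthnRequest with status Requester / InvalidNameIDPolicy instead.
Write-Host "Current issuance transform rules for '$TrustName':`n$($rp.IssuanceTransformRules)"

# Claim rule language: transform the incoming UPN claim into a Name ID claim whose
# format property matches the SP's NameIDPolicy. The format URI is the part that matters.
$nameIdRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Issue Name ID for Carbon Black EDR"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$NameIdFormat");
"@

# Append to the existing rule set rather than replacing it, so other claims keep flowing.
$rules = $rp.IssuanceTransformRules + "`n" + $nameIdRule
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $rules

# Confirm the new rule is present before retesting SSO from the EDR console.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

After the change, a successful login should no longer produce the StatusInvalidNameidPolicy traceback in /var/log/cb/coreservices/debug.log.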