Setting nameid-format:persistent in SimpleSAML request

single-sign-on

I'm setting up a single-sign-on (as service provider) via SimpleSAML. After importing the Metadata from the identity provider's XML, the first redirect worked.

However, the login fails with a sspmod_saml_Error: Requester/InvalidNameIDPolicy: An error occurred. and the identity provider (idp) tells me that the request should include

format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Instead of

format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

The only thing I found in the SimpleSAML manual refers to the idp configuration (manual). However, when I add this to the metadata/shib13-sp-remote.php and metadata/saml20-sp-remote.php

$metadata['<same URL as in metadata/saml20-idp-remote.php>'] = array (
        'NameIdFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
);

… then nothing changes. The request still contains:

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>

This is not unexpected, as I am trying to configure the request to the idp, not to an sp. So, in sheer despair, I have also tried setting the NameIdPolicy to the same value, and I have also tried the …-idp-remote.php files, but (as expected) that did not do the trick, either. And I also tried the ID of my service provider as key for $metadata, but … well.

Also tried a modification to metadata/saml20-idp-hosted.php as described here, but that also had no effect.

It's really fishing in the dark; the SimpleSAML documentation is missing some basic information (where, for example, to put these parameters)… So, I assume that I have the wrong file, the wrong key, or the wrong setting. Any hint is welcome. Thanks!
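Before changing more configuration files, it helps to check what the SP is actually sending. The following script is an added example, not part of the question or of SimpleSAMLphp: it decodes a SAMLRequest query parameter the way the HTTP-Redirect binding encodes it (DEFLATE, then Base64, then URL encoding) and reports the Format attribute of the NameIDPolicy element. The embedded AuthnRequest is constructed for the example; the entity IDs and URLs in it are placeholders.

```php
<?php
// Added example: decode a redirect-binding SAMLRequest and report the NameID
// format the SP asks for, so a configuration change can be verified on the
// SP side before involving the IdP.

declare(strict_types=1);

const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NAMEID_TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
const NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

/**
 * Decode the SAMLRequest parameter of an HTTP-Redirect binding URL into a DOMDocument.
 * Throws on malformed Base64, non-DEFLATE payloads, or XML that is not well-formed.
 */
function decodeRedirectSamlRequest(string $param): DOMDocument
{
    $raw = base64_decode(urldecode($param), true);
    if ($raw === false) {
        throw new RuntimeException('SAMLRequest is not valid Base64');
    }
    $xml = gzinflate($raw);            // redirect binding uses raw DEFLATE
    if ($xml === false) {
        throw new RuntimeException('SAMLRequest is not DEFLATE-compressed');
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);  // report parse failures as exceptions, not warnings
    // LIBXML_NONET: never fetch external resources for data that came off the network.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('SAMLRequest is not well-formed XML');
    }
    return $doc;
}

/**
 * Return the Format attribute of samlp:NameIDPolicy, or null if the element or
 * attribute is absent (in which case the IdP picks the format itself).
 */
function requestedNameIdFormat(DOMDocument $doc): ?string
{
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('samlp', SAMLP_NS);
    $nodes = $xpath->query('/samlp:AuthnRequest/samlp:NameIDPolicy');
    if ($nodes === false || $nodes->length === 0) {
        return null;
    }
    $policy = $nodes->item(0);
    return $policy->hasAttribute('Format') ? $policy->getAttribute('Format') : null;
}

// Constructed sample AuthnRequest with the default transient policy the
// question shows. IDs, URLs and the timestamp are placeholders.
$sampleRequest = <<<XML
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-request-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://idp.example.org/sso"
    AssertionConsumerServiceURL="https://sp.example.org/module.php/saml/sp/saml2-acs.php/default-sp">
  <saml:Issuer>https://sp.example.org/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>
XML;

// Encode exactly as the redirect binding does, so the decoder sees realistic input.
$encodedParam = urlencode(base64_encode(gzdeflate($sampleRequest)));

$format = requestedNameIdFormat(decodeRedirectSamlRequest($encodedParam));
printf("Requested NameID format: %s\n", $format ?? '(none)');
if ($format === NAMEID_TRANSIENT) {
    echo "SP still asks for transient: the NameIDPolicy change has not taken effect.\n";
} elseif ($format === NAMEID_PERSISTENT) {
    echo "SP asks for persistent, as the IdP requires.\n";
}
```

To use it on a live flow, copy the SAMLRequest value from the redirect URL the SP sends the browser to, and pass it to decodeRedirectSamlRequest() in place of the constructed sample. If the IdP publishes its supported formats in its metadata (NameIDFormat elements), comparing them against this output tells you which side needs to change.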

Best Answer

After searching and searching, I found that this behavior is hard-coded in SimpleSAML in modules/saml/lib/Message.php

    $policy = array(
        'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
        'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
    );

Changing this did not solve the communication problem with the IdP ... so it's probably perfectly okay that it is this way.
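The hard-coded value quoted above is only the fallback: Message.php reads the 'Format' and 'AllowCreate' entries from a NameIDPolicy option, and according to the SimpleSAMLphp saml:SP authsource documentation that option lives in the SP's authsource in config/authsources.php (the same key under the IdP's entry in metadata/saml20-idp-remote.php overrides it for that IdP). The snippet below is an added example, not taken from the question, the answer, or the SimpleSAMLphp project; the entity IDs and URLs are placeholders, and 'default-sp' is the authsource name assumed here.

```php
<?php
// config/authsources.php (added example). The SP's NameIDPolicy is an
// authsource option, not an entry in the *-sp-remote.php metadata files.

$config = [
    'default-sp' => [
        'saml:SP',

        // Placeholder: the SP's own entity ID (null lets SimpleSAMLphp derive it
        // from the metadata URL).
        'entityID' => null,

        // Placeholder: entity ID of the IdP as it appears in
        // metadata/saml20-idp-remote.php.
        'idp' => 'https://idp.example.org/saml2/idp/metadata.php',

        // What the AuthnRequest asks for. The array form matches what
        // Message.php reads ('Format' and 'AllowCreate'); older releases
        // accepted a plain format string here instead. Without this option
        // the code falls back to NAMEID_TRANSIENT, which is the element the
        // question shows in its request.
        'NameIDPolicy' => [
            'Format'      => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'AllowCreate' => true,
        ],
    ],
];
```

After saving the file, start a fresh login and confirm on the SP side that the NameIDPolicy element in the outgoing AuthnRequest now carries the persistent format; if the IdP still rejects the request with InvalidNameIDPolicy, the mismatch is elsewhere (for instance the IdP may require AllowCreate to be false, or may not have persistent identifiers configured for this SP), and its own logs are the next place to look.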