SAML: NameID-Format error

Hi
I’m trying to get SAML working but am having a few issues. I’ve been advised by our federation services team that the nameid-format should be set to unspecified.

The error I’m getting is:

SAML SSO failed: invalid_response. Last Reason: The status code of the Response was not Success, was Requester -> Cannot provide requested name identifier with format urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified for the given subject

With name format:
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified',

I’m unsure where to go or what to check next for troubleshooting as I’m new to SAML.

Any suggestions gratefully received.

I’ve now been able to move beyond this issue but am now getting x509 certificate errors:

SAML SSO failed: invalid_response. Last Reason: openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! Exception Type: OneLogin_Saml2_Error

The idp is not showing any errors and I can’t find anything on the web related to this error.

Have you copied the signing certificate into the correct place in the settings-custom.php or settings.php file? It should be all on one line, and should not have the --- BEGIN CERTIFICATE --- etc. lines.

See:
https://community.xibo.org.uk/t/saml-single-signon-with-active-directory-adfs/13735
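Added example, not code from the thread or from the Xibo or php-saml projects: a small PHP script that takes an exported certificate file, produces the one-line base64 value that the 'x509cert' setting expects (headers and line breaks stripped, as described above), and then confirms that PHP's openssl_x509_read(), the call named in the error, accepts it. The function names are my own; it relies only on PHP's standard OpenSSL extension.

```php
<?php
// Added check (not Xibo's or php-saml's code): normalise an exported
// certificate into the single-line 'x509cert' form and verify that
// openssl_x509_read() parses it. Function names are mine.

/** Strip the BEGIN/END lines and every whitespace character, leaving one line of base64. */
function toOneLineCert(string $pem): string
{
    $body = preg_replace('/-----(BEGIN|END) CERTIFICATE-----/', '', $pem);
    return preg_replace('/\s+/', '', $body);
}

/** Rebuild a PEM block from the one-line body; this is the form OpenSSL parses. */
function toPem(string $oneLine): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($oneLine, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Return the problems found with a candidate 'x509cert' value; an empty
 * array means OpenSSL parsed it and the value can be pasted into settings.php.
 */
function checkCertValue(string $value): array
{
    $problems = [];
    $oneLine  = toOneLineCert($value);

    if ($oneLine === '') {
        return ['value is empty after stripping headers and whitespace'];
    }
    if (!preg_match('/^[A-Za-z0-9+\/]+=*$/', $oneLine)) {
        $problems[] = 'contains non-base64 characters (smart quotes, a BOM, or a binary DER/PKCS#12 file pasted as text?)';
    }
    $der = base64_decode($oneLine, true);
    if ($der === false || $der === '') {
        $problems[] = 'base64 does not decode (truncated, or padding lost when joining the lines?)';
        return $problems;
    }
    // DER-encoded X.509 always begins with a SEQUENCE tag (0x30).
    if (ord($der[0]) !== 0x30) {
        $problems[] = 'decoded bytes do not start with a DER SEQUENCE, so this is not an X.509 certificate';
    }
    // The decisive test: the same OpenSSL call that appears in the error message.
    $cert = @openssl_x509_read(toPem($oneLine));
    if ($cert === false) {
        $problems[] = 'openssl_x509_read() rejected it: ' . (openssl_error_string() ?: 'no detail from OpenSSL');
    } else {
        $parsed = openssl_x509_parse($cert);
        if (is_array($parsed) && time() > $parsed['validTo_time_t']) {
            $problems[] = 'certificate expired on ' . date('c', $parsed['validTo_time_t']);
        }
    }
    return $problems;
}

// Usage: php check-cert.php /path/to/exported.crt
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $raw      = file_get_contents($argv[1]);
    $problems = checkCertValue($raw);
    if ($problems === []) {
        echo "OK. One-line value for 'x509cert':\n", toOneLineCert($raw), "\n";
    } else {
        echo "Problems found:\n - ", implode("\n - ", $problems), "\n";
    }
}
```

Run it against both the IdP signing certificate (for the 'idp' block) and the SP certificate (for the 'sp' block). A private key is a different object and will fail the OpenSSL check, which is the quickest way to spot a key pasted into 'x509cert' by mistake.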

Hi Alex,

Thanks for the thoughts.

I believe I’ve already done the things you suggest; my settings.php file looks like this:

// Additional Middleware
// $middleware = ;
$authentication = new \Xibo\Middleware\SAMLAuthentication();

$samlSettings = array (
    'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user
        //'field_to_identify' => 'UserName', // Alternatives: UserID, UserName or email
        'field_to_identify' => 'UserName', // Alternatives: UserID, UserName or email
        // Default libraryQuota assigned to the created user by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'dashboard',
        // Enable/Disable Single Logout
        'slo' => true,
        // Attribute mapping between XIBO-CMS and the IdP
        'mapping' => array (
            'UserID' => '',
            'usertypeid' => '',
            'UserName' => 'UserName',
            'email' => 'email',
            'ref1' => '',
            'ref2' => '',
            'ref3' => '',
            'ref4' => '',
            'ref5' => ''
        )
    ),
    // Settings for the PHP-SAML toolkit.
    // See documentation: GitHub - SAML-Toolkits/php-saml: Simple SAML toolkit for PHP
    'strict' => false,
    'debug' => true,
    'idp' => array (
        'entityId' => 'idp',
        'singleSignOnService' => array (
            'url' => '[idp]',
        ),
        'singleLogoutService' => array (
            'url' => '[idp]',
        ),
        'x509cert' => 'IDP CERT',
    ),
    'sp' => array (
        'entityId' => 'url',
        'assertionConsumerService' => array (
            'url' => 'url',
        ),
        'singleLogoutService' => array (
            'url' => 'logouturl',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        'x509cert' => 'CERT HERE',
        'privateKey' => 'KEY Here',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    )
);

The x509cert and private key were all on one line. I also put them in the onelogin certs folder as suggested by the onelogin docs (sp.key/sp.crt).

I’m able to check the SAML response in the browser and the IDP appears to be providing the correct username.

I’m not a SAML expert, but the error suggests that one of the certificates or keys isn’t in the format it’s expecting it to be. I’d go back and export the certificates again, ensuring they’re in X.509 format.

Hi, how did you get past this error? I’m getting the same error too.
NameID not found in the assertion of the Response.
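Added diagnostic, not code from the thread or from Xibo or php-saml, that covers both the first post's Requester status and this post's missing NameID: it decodes a SAMLResponse value as captured from the browser and prints the IdP's top-level and nested StatusCode, the StatusMessage, and the NameID and its Format inside the Assertion. The two embedded responses are constructed samples, not real IdP output, and the function names are mine. It only reads the XML and does not check the signature, so it is for diagnosis before changing settings, not a substitute for the toolkit's validation.

```php
<?php
// Added diagnostic (not Xibo's or php-saml's code): decode a SAMLResponse
// and report status codes and the NameID/Format the IdP actually sent.
// Read-only; no signature verification is performed here.

function inspectSamlResponse(string $base64Response): array
{
    $xml = base64_decode($base64Response, true);
    if ($xml === false) {
        return ['error' => 'SAMLResponse is not valid base64'];
    }

    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    // LIBXML_NOENT is deliberately not set, so entities are not expanded.
    if (!@$dom->loadXML($xml, LIBXML_NONET)) {
        return ['error' => 'decoded value is not well-formed XML'];
    }

    $xp = new DOMXPath($dom);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');

    $info = [
        'status'        => null,
        'substatus'     => null,
        'statusMessage' => null,
        'assertion'     => 'missing',
        'nameIdFormat'  => null,
        'nameId'        => null,
    ];

    $top = $xp->query('/samlp:Response/samlp:Status/samlp:StatusCode');
    if ($top->length > 0) {
        $info['status'] = $top->item(0)->getAttribute('Value');
        $sub = $xp->query('samlp:StatusCode', $top->item(0));
        if ($sub->length > 0) {
            $info['substatus'] = $sub->item(0)->getAttribute('Value');
        }
    }
    $msg = $xp->query('/samlp:Response/samlp:Status/samlp:StatusMessage');
    if ($msg->length > 0) {
        $info['statusMessage'] = trim($msg->item(0)->textContent);
    }

    if ($xp->query('/samlp:Response/saml:EncryptedAssertion')->length > 0) {
        // The NameID is inside the ciphertext; only the SP private key can reveal it.
        $info['assertion'] = 'encrypted';
        return $info;
    }
    if ($xp->query('/samlp:Response/saml:Assertion')->length > 0) {
        $info['assertion'] = 'present';
    }
    $nameId = $xp->query('/samlp:Response/saml:Assertion/saml:Subject/saml:NameID');
    if ($nameId->length > 0) {
        $info['nameId']       = trim($nameId->item(0)->textContent);
        $info['nameIdFormat'] = $nameId->item(0)->getAttribute('Format') ?: '(no Format attribute)';
    }
    return $info;
}

// Constructed samples, not real IdP output: a Requester failure like the one
// in the first post, and a successful response carrying a NameID.
$sampleFailure = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Cannot provide requested name identifier with format urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified for the given subject</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>
XML;

$sampleSuccess = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_s1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
XML;

// Usage: php inspect-response.php captured-samlresponse.txt   (raw base64, not URL-encoded)
// With no argument the two constructed samples are inspected instead.
$inputs = isset($argv[1])
    ? ['captured' => trim(file_get_contents($argv[1]))]
    : ['failure sample' => base64_encode($sampleFailure), 'success sample' => base64_encode($sampleSuccess)];

foreach ($inputs as $label => $b64) {
    echo "== $label ==\n";
    foreach (inspectSamlResponse($b64) as $key => $value) {
        printf("%-14s %s\n", $key . ':', $value ?? '-');
    }
}
```

If the output shows 'assertion: present' but no NameID, the IdP has not released a name identifier for the user and the fix is on the IdP side (issuance policy or claim rules), not in settings.php; if it shows 'encrypted', the NameID can only be read after php-saml decrypts the assertion with the SP private key, so a wrong 'privateKey' value produces the same "NameID not found" symptom.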