Hi all here!

After login with customer SSO service (Infrastructure Microsoft ADFS – SAML V.2) / OS Serveurs ADFS : Windows 2016 / Secure hash algorithm : SHA-256 ) I have an error:

RuntimeException encountered while processing SAML authentication response: Error(s) encountered during processing of ACS response. Type(s): invalid_response; reason given for last error: The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy in Drupal\samlauth\SamlService->acs() (line 176 of /var/www/html/docroot/modules/contrib/samlauth/src/SamlService.php).

Comments

Antonnavi created an issue. See original summary.

antonnavi’s picture

StatusFileSize
new425 bytes

Attached patch solves this issue.
Mb some UI to manage NameIDPolicy needed here?
(at list checkbox to be able set it TRUE/FALSE)

antonnavi’s picture

Status: Active » Needs review
antonnavi’s picture

StatusFileSize
new425 bytes
davidferlay’s picture

Status: Needs review » Reviewed & tested by the community

Tested OK !

nironan’s picture

I had the same problem with 7.x and decided to make the NameIdPolicy configurable (active by default). Patch attached

roderik’s picture

Patches for new functionality are appreceated - in any state of being finished. And I also appreciate that this patch made me think more about what the NameID related options really do, because I had not fully thought that through yet.

But you can help by keeping the issue status realistic. @davidferlay just a quick test is not enough to set an issue to RTBC status; it is for things that were actually reviewed and considered "probably in a good state to commit". That's much not the case with the issue you tested because it changed default functionality for other users, without any way to influence that functionality (UI).

I've added that UI into the D8 version myself, rather than setting this issue back to Needs Work, because it was time to think through some other issues / options in the UI, including the relation between this issue and #3086827: Add UI to set NameId not required. which was not clear to me.
As a result, I've split the 'security' options into two sections in a previous commit, changed some descriptions and default values, and opened #3131028: Advanced/security options UX / default values to store some thoughts.

I am/was also curious if people could not also have solved this by setting a different 'Name ID Format'. However, I don't think that is a reason to not include this option.

  • roderik committed 58d99f1 on 8.x-3.x
    Issue #3086441 by Antonnavi, nironan, roderik: add option to prevent...
roderik’s picture

Version: 8.x-3.x-dev » 7.x-1.x-dev
Status: Reviewed & tested by the community » Needs review

I guess this goes back to Needs Review for the 7.x version...

  • roderik committed 6640d0c on 7.x-1.x authored by nironan
    Issue #3086441 by Antonnavi, nironan, roderik: Invalid response, status...
roderik’s picture

Status: Needs review » Fixed

Thank you; committed now. (I suspect that this checkbox is a bit off in the 'Security' section, but that isn't a real issue. And the D8 version, while evolved a little bit, isn't done fixing up its NameID handling yet either.)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.