identifierFormat: null causes AD FS error on metadata importing

[ahavriluk]

When identifierFormat: null the passport-saml generated metadata with a tag <NameIDFormat/> which causes an error in AD FS: The value 'NameIDFormat' must be an absolute URI.
Setting the identifierFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified allows importing the metadata file successfully.

Suggestion: when identifierFormat is set to null, generate urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

[cratermoon]

I found that this had been previously reported in #234 but was closed without noting that ADFS at least will reject the empty tag. The SAML 2.0 Core spec at 2.2.2 Complex Type NameIDType defines the element. I'm not an XML schema expert but I don't think an empty element is permitted for this type.

[ahavriluk]

Issue #1: When SAML Request is built, identifierFormat = null should not default to
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. According to the spec the default value is urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified
Source: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
I realize changing the lib's default would cause a bunch of issues. So it is a breaking change.

Issue #2: When metadata is generated (generateServiceProviderMetadata method), the statement
metadata.EntityDescriptor.SPSSODescriptor.NameIDFormat = this.options.identifierFormat; line 1221 in saml.js should be wrapped in if:

if (this.options.indentifierFormat) {
     metadata.EntityDescriptor.SPSSODescriptor.NameIDFormat = this.options.identifierFormat;
}

[ahavriluk]

@markstos, I have a pull request ready for review regarding issue #2 (metadata generation). I need permissions to push.

[markstos]

@ahavriluk You mean you have a pull request ready on your local machine? Just push it your own Github account, which already have permission to push to. If you cloned this project, you may need to set up a second remote for your account. Review Github documentation on creating pull requests.

[bjm88]

Thanks, I adjusted this and got past that AD FS import error. On invoking the init to do the SamlRequest POST ADFS is giving an error though:

The relying party "https://example.com/saml/consume" is not configured with SAML Assertion Consumer Services
Relying party: https://example.com/saml/consume

This request Failed.

User Action
Use the AD FS Management snap-in to configure one or more Assertion Consumer Services for this relying party.

Any idea how to resolve this? I was not sure with this library how to generate assertions/claims in the AuthRequest or setup and convey to IDP that we want to get a set of attributes back like email... ?

How to use this: "attributeConsumingServiceIndex" . ? (I just put it to "1" and it didn't help.

[ahavriluk]

Did you setup Relying Party end points in ADFS?

[markstos]

This was merged in #375 Closing.