Invalid SAML AuthnRequest ID

Hello,

Facing an issue with using a custom SAML 2 Identity Provider.

Specifically with the SAML authentication request sent by AEM Mobile Cloud to the IdP. The request contains an "ID" parameter whose value sometimes does not fit the XML grammar specification.

A sample request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:aemm="urn:adobe:aemm:entitlement:SAML:2.0:authentication"
                    Destination="[SAML IDP ENDPOINT]"
                    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45"
                    IssueInstant="2016-08-23T15:28:39Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
    <samlp:Extensions>
        <aemm:Parameter name="AppVersion">3</aemm:Parameter>
        <aemm:Parameter name="AppId">viewer.web.4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
        <aemm:Parameter name="ProjectId">4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
        <aemm:Parameter name="UUID">ed28f99d-bb04-49a2-8422-54cce24db5ee</aemm:Parameter>
    </samlp:Extensions>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The value is "05acc998-f1f9-413e-8c36-fb6ef85dcb45", but according to the specification (Extensible Markup Language (XML) 1.0 (Fourth Edition)) it should start with a letter, "_" or ":".

As a result, at least Microsoft ADFS throws an exception complaining about this attribute. Additional details can be found at the Microsoft forum:

Intermittent MSIS0018 error when submitting a SAML authentication request to AD FS 2.0

For comparison, Experience Manager was successfully tied with this Identity Provider.

A sample request sent by Experience Manager:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Destination="[SAML IDP ENDPOINT]"
                    ID="_3de1087c-eec0-445d-9806-c862ba5494b6"
                    IssueInstant="2016-08-23T14:56:08Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[RESOURCE]</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
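A check for the grammar problem described in the post, as an added example (not code from the post, from Adobe or from ADFS): it validates the ID attribute of a samlp:AuthnRequest against the xs:ID grammar that the SAML schema uses and that IdPs such as ADFS enforce, and shows the conventional fix of prefixing "_", as the Experience Manager request above does. Note that xs:ID is an NCName, so a colon is not permitted anywhere in it; the two sample requests are constructed here from the IDs quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# SAML declares ID as xs:ID, i.e. an NCName: first char a letter or '_',
# then letters, digits, '.', '-' or '_'; no ':' anywhere and no leading digit.
# ASCII approximation of the XML 1.0 production, sufficient for UUID-style IDs.
_NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# Constructed minimal requests mirroring the two IDs quoted in the post.
MOBILE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" Version="2.0" '
    'ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45" IssueInstant="2016-08-23T15:28:39Z"/>'
)
AEM_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" Version="2.0" '
    'ID="_3de1087c-eec0-445d-9806-c862ba5494b6" IssueInstant="2016-08-23T14:56:08Z"/>'
)


def is_valid_xml_id(value: str) -> bool:
    """True if value satisfies the xs:ID (NCName) grammar."""
    return bool(_NCNAME_RE.match(value))


def check_authn_request_id(xml_text: str) -> tuple[str, bool]:
    """Return (ID, conforms) for a samlp:AuthnRequest, as an IdP validator would."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    request_id = root.get("ID")
    if request_id is None:
        raise ValueError("AuthnRequest has no ID attribute")
    return request_id, is_valid_xml_id(request_id)


def make_xml_id(token: str) -> str:
    """Mint a conformant ID from an arbitrary token (e.g. a UUID): drop characters
    the grammar forbids and prefix '_' when the result cannot start an NCName."""
    cleaned = re.sub(r"[^A-Za-z0-9_.\-]", "", token)
    return cleaned if is_valid_xml_id(cleaned) else "_" + cleaned


if __name__ == "__main__":
    for label, req in (("AEM Mobile", MOBILE_REQUEST), ("AEM", AEM_REQUEST)):
        rid, ok = check_authn_request_id(req)
        print(f"{label}: ID={rid} {'OK' if ok else 'REJECTED (not an xs:ID)'}")
    print("fixed:", make_xml_id("05acc998-f1f9-413e-8c36-fb6ef85dcb45"))
```

Running it rejects the AEM Mobile ID (leading digit) and accepts the Experience Manager one; make_xml_id turns the rejected UUID into "_05acc998-f1f9-413e-8c36-fb6ef85dcb45".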

2 Replies

Thank you for bringing this to our attention. We have a fix ready that will be included in our next release. Sorry for the inconvenience this issue may have caused!

Hello, the fix for this issue has been released!