Hello,
Facing an issue with using a custom SAML 2 Identity Provider.
Specifically with the SAML authentication request sent by AEM Mobile Cloud to the IdP. The request contains an "ID" parameter whose value sometimes does not fit the XML grammar specification.
A sample request:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:aemm="urn:adobe:aemm:entitlement:SAML:2.0:authentication"
    Destination="[SAML IDP ENDPOINT]"
    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45"
    IssueInstant="2016-08-23T15:28:39Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
  <samlp:Extensions>
    <aemm:Parameter name="AppVersion">3</aemm:Parameter>
    <aemm:Parameter name="AppId">viewer.web.4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
    <aemm:Parameter name="ProjectId">4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
    <aemm:Parameter name="UUID">ed28f99d-bb04-49a2-8422-54cce24db5ee</aemm:Parameter>
  </samlp:Extensions>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
The value is "05acc998-f1f9-413e-8c36-fb6ef85dcb45", but according to the specification (Extensible Markup Language (XML) 1.0 (Fourth Edition)) it should start with a letter, "_" or ":".
As a result, at least Microsoft ADFS throws an exception complaining about this attribute. Additional details can be found at the Microsoft forum:
Intermittent MSIS0018 error when submitting a SAML authentication request to AD FS 2.0
For comparison, Experience Manager was successfully tied to this Identity Provider.
A sample request sent by Experience Manager:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="[SAML IDP ENDPOINT]"
    ID="_3de1087c-eec0-445d-9806-c862ba5494b6"
    IssueInstant="2016-08-23T14:56:08Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[RESOURCE]</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
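The check that ADFS is applying, as an added example that is not code from the original post, from Adobe, or from Microsoft: SAML 2.0 Core declares the ID attribute of AuthnRequest as xs:ID, and the lexical space of xs:ID is an NCName, i.e. an XML Name that contains no colon. So a value starting with a digit (as in the AEM Mobile request above) or containing ":" is schema-invalid, while the "_"-prefixed UUID that Experience Manager sends is fine. The snippet below validates the ID of a request against the NCName grammar and shows the usual way an SP produces a conforming yet unique ID. The two embedded requests are trimmed copies of the ones quoted above, constructed here as sample input; the function names are this example's own.

```python
"""Validate the ID attribute of a SAML 2.0 AuthnRequest against the xs:ID (NCName) grammar."""
import re
import uuid
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# XML 1.0 NameStartChar with ":" removed (NCName = Name without colons).
# xs:ID, the type SAML 2.0 Core uses for the ID attribute, is derived from NCName.
_NAME_START = (
    r"A-Za-z_\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF"
    r"\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF"
    r"\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
# NameChar adds "-", ".", digits, middle dot, combining marks and the two extenders.
_NAME_CHAR = _NAME_START + r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_NCNAME_RE = re.compile("^[" + _NAME_START + "][" + _NAME_CHAR + "]*$")


def is_ncname(value: str) -> bool:
    """True if value is a syntactically valid NCName and therefore usable as an xs:ID."""
    return bool(value) and _NCNAME_RE.match(value) is not None


def authn_request_id_problem(xml_text: str) -> Optional[str]:
    """Return None if the root samlp:AuthnRequest carries a valid ID, otherwise a reason."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return "root element is %s, not samlp:AuthnRequest" % root.tag
    request_id = root.get("ID")
    if request_id is None:
        return "ID attribute is missing"
    if not is_ncname(request_id):
        return "ID %r is not an NCName (must start with a letter or '_', may not contain ':')" % request_id
    return None


def make_request_id() -> str:
    """A request ID that is unique *and* a valid NCName: a random UUID prefixed with '_'.

    The SP must remember this value to match the IdP's InResponseTo on the Response.
    """
    return "_" + str(uuid.uuid4())


# Constructed sample input: trimmed copies of the two requests quoted in the post.
AEMM_REQUEST = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:aemm="urn:adobe:aemm:entitlement:SAML:2.0:authentication"
    Destination="https://idp.example.test/saml"
    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45"
    IssueInstant="2016-08-23T15:28:39Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
  <samlp:Extensions>
    <aemm:Parameter name="AppVersion">3</aemm:Parameter>
  </samlp:Extensions>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
"""

AEM_REQUEST = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.example.test/saml"
    ID="_3de1087c-eec0-445d-9806-c862ba5494b6"
    IssueInstant="2016-08-23T14:56:08Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
"""

if __name__ == "__main__":
    for label, doc in (("AEM Mobile request", AEMM_REQUEST), ("AEM request", AEM_REQUEST)):
        print(label + ":", authn_request_id_problem(doc) or "ID is a valid NCName")
    print("conforming ID for a new request:", make_request_id())
```

Running it reports the AEM Mobile ID as invalid and the Experience Manager ID as valid; the same regex can be dropped into an IdP-side or SP-side pre-flight check so the failure is logged with the offending value instead of surfacing as an opaque schema error.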
Thank you for bringing this to our attention. We have a fix ready that will be included in our next release. Sorry for the inconvenience this issue may have caused!
Hello, the fix for this issue has been released!