
Invalid SAML AuthnRequest ID


Hello,

Facing an issue with using a custom SAML 2 Identity Provider.

Specifically with the SAML authentication request sent by AEM Mobile Cloud to the IdP. The request contains an "ID" parameter whose value sometimes does not fit the XML grammar specification.

A sample request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:aemm="urn:adobe:aemm:entitlement:SAML:2.0:authentication"
                    Destination="[SAML IDP ENDPOINT]"
                    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45"
                    IssueInstant="2016-08-23T15:28:39Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
    <samlp:Extensions>
        <aemm:Parameter name="AppVersion">3</aemm:Parameter>
        <aemm:Parameter name="AppId">viewer.web.4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
        <aemm:Parameter name="ProjectId">4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
        <aemm:Parameter name="UUID">ed28f99d-bb04-49a2-8422-54cce24db5ee</aemm:Parameter>
    </samlp:Extensions>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The value is "05acc998-f1f9-413e-8c36-fb6ef85dcb45", but according to the specification (Extensible Markup Language (XML) 1.0 (Fourth Edition)) it should start with a letter, "_" or ":".

As a result, at least Microsoft AD FS throws an exception complaining about this attribute. Additional details can be found at the Microsoft forum:

Intermittent MSIS0018 error when submitting a SAML authentication request to AD FS 2.0

For comparison, Experience Manager was successfully tied with this Identity Provider.

A sample request sent by Experience Manager:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Destination="[SAML IDP ENDPOINT]"
                    ID="_3de1087c-eec0-445d-9806-c862ba5494b6"
                    IssueInstant="2016-08-23T14:56:08Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[RESOURCE]</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
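The SAML 2.0 core schema types the AuthnRequest ID attribute as xs:ID, which is an NCName: it must begin with a letter or "_" and may not contain ":" at all, which is why a bare UUID such as the one above is rejected by a strict parser like AD FS. The following added example (not code from the post or from Adobe) shows how an IdP can validate that attribute before processing a request, and how an SP can mint a compliant, unpredictable ID; the two inline requests are constructed samples modelled on the ones quoted above, and the name-character set is restricted to ASCII for brevity.

```python
import re
import uuid
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# xs:ID is an NCName: leading letter or '_', then letters, digits, '.', '-', '_',
# and no ':' anywhere. Assumption: ASCII-only; the XML spec also permits a range
# of non-ASCII name characters that are omitted here.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_valid_xml_id(value: str) -> bool:
    """True if value is a syntactically valid xs:ID (NCName)."""
    return bool(NCNAME_RE.match(value))


def make_request_id() -> str:
    """Mint an xs:ID-safe, unpredictable request ID: '_' + random UUID (the AEM form)."""
    return "_" + str(uuid.uuid4())


def check_authn_request(xml_text: str) -> list[str]:
    """Return the problems found with the request's ID attribute (empty list if OK).

    Syntax only: an IdP must additionally remember IDs it has already seen so a
    captured request cannot be replayed, which is out of scope here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return [f"unexpected root element {root.tag}"]
    req_id = root.get("ID")
    if req_id is None:
        return ["missing required ID attribute"]
    if not is_valid_xml_id(req_id):
        return [f"ID {req_id!r} is not a valid xs:ID (must start with a letter or '_', no ':')"]
    return []


# Constructed sample inputs, trimmed to the attributes relevant to the check.
AEMM_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45" IssueInstant="2016-08-23T15:28:39Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
</samlp:AuthnRequest>"""
AEM_REQUEST = AEMM_REQUEST.replace('ID="05acc998', 'ID="_3de1087c')

if __name__ == "__main__":
    for name, doc in (("AEM Mobile request", AEMM_REQUEST), ("AEM request", AEM_REQUEST)):
        print(name, check_authn_request(doc) or "OK")
    print("compliant ID:", make_request_id())
```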

2 Replies


Thank you for bringing this to our attention. We have a fix ready that will be included in our next release. Sorry for the inconvenience this issue may have caused!


Hello, the fix for this issue has been released!