Invalid SAML AuthnRequest ID

o_neal
Level 1

09-09-2016

Hello,

Facing an issue with using a custom SAML 2 Identity Provider.

Specifically with the SAML authentication request sent by AEM Mobile Cloud to the IdP. The request contains an "ID" parameter whose value sometimes does not fit the XML grammar specification.

A sample request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:aemm="urn:adobe:aemm:entitlement:SAML:2.0:authentication"
                    Destination="[SAML IDP ENDPOINT]"
                    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45"
                    IssueInstant="2016-08-23T15:28:39Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
    <samlp:Extensions>
        <aemm:Parameter name="AppVersion">3</aemm:Parameter>
        <aemm:Parameter name="AppId">viewer.web.4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
        <aemm:Parameter name="ProjectId">4dcf9b2d-f3a3-488b-8e41-cafece7f5228</aemm:Parameter>
        <aemm:Parameter name="UUID">ed28f99d-bb04-49a2-8422-54cce24db5ee</aemm:Parameter>
    </samlp:Extensions>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The value is "05acc998-f1f9-413e-8c36-fb6ef85dcb45", but according to the specification (Extensible Markup Language (XML) 1.0 (Fourth Edition)) it should start with a letter, "_" or ":".

As a result, at least Microsoft ADFS throws an exception complaining about this attribute. Additional details can be found at the Microsoft forum:

Intermittent MSIS0018 error when submitting a SAML authentication request to AD FS 2.0

For comparison, Experience Manager was successfully tied with this Identity Provider.

A sample request sent by Experience Manager:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Destination="[SAML IDP ENDPOINT]"
                    ID="_3de1087c-eec0-445d-9806-c862ba5494b6"
                    IssueInstant="2016-08-23T14:56:08Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[RESOURCE]</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
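A small checker for the problem described in the post above, added here as an example and not code from the original post, from AEM or from AD FS: it parses an AuthnRequest, tests the ID attribute against the xs:ID (NCName) grammar that SAML uses for that attribute, and shows a generator that always yields a valid ID by prefixing a UUID with "_". The two embedded requests are trimmed, constructed copies of the ones quoted in the post.

```python
import re
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# SAML declares ID as xs:ID, i.e. an NCName: first char a letter or "_",
# then letters, digits, ".", "-" or "_". A leading digit (as in a raw UUID)
# is rejected, and so is ":", which plain XML Names allow but NCNames do not.
# Restricted to ASCII here; the XML productions also admit Unicode letters.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

def is_valid_xml_id(value):
    """True if value is acceptable as an xs:ID attribute."""
    return bool(value) and NCNAME_RE.match(value) is not None

def check_authn_request_id(xml_text):
    """Return (id_value, is_valid) for the ID attribute of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    id_value = root.get("ID")
    if id_value is None:
        raise ValueError("AuthnRequest has no ID attribute")
    return id_value, is_valid_xml_id(id_value)

def make_request_id():
    """A UUID may start with a digit, so prefix "_" to guarantee a valid xs:ID."""
    return "_" + str(uuid.uuid4())

# Constructed samples, trimmed from the two requests quoted in the post.
AEMM_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="05acc998-f1f9-413e-8c36-fb6ef85dcb45" IssueInstant="2016-08-23T15:28:39Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://es.publish.adobe.com/</saml:Issuer>
</samlp:AuthnRequest>"""

AEM_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_3de1087c-eec0-445d-9806-c862ba5494b6" IssueInstant="2016-08-23T14:56:08Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[RESOURCE]</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for label, req in (("AEM Mobile", AEMM_REQUEST), ("AEM", AEM_REQUEST)):
        rid, ok = check_authn_request_id(req)
        print("%s ID=%s valid=%s" % (label, rid, ok))
    generated = make_request_id()
    print("generated ID=%s valid=%s" % (generated, is_valid_xml_id(generated)))
```

Running it reports the AEM Mobile ID as invalid and the AEM one as valid; the same check can be applied on the IdP side before signature processing to produce a clear error instead of an opaque parser failure.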

Replies

Christine_Le
Level 1

20-09-2016

Thank you for bringing this to our attention. We have a fix ready that will be included in our next release. Sorry for the inconvenience this issue may have caused!

Christine_Le
Level 1

05-10-2016

Hello, the fix for this issue has been released!