InvalidNameIDPolicy from IDP made sp.parseLoginResponse throw

[marwej]

I got this in a response from IdP (AD FS):

  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>
  </samlp:Status>

It took me a long time to realize because const parseResult = await sp.parseLoginResponse(idp, 'post', req); threw an error ERR_EMPTY_ASSERTION (https://github.com/tngan/samlify/blob/master/src/flow.ts#L36).

Would it be possible to return a parsed response in these cases too (with correct status code)?

[tngan]

Sorry, it was accidentally closed.

[offboarded-x233534]

I got the exact same error from our AD.

Is there a way to define "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" as NameIDPolicy on the SP side when generating the metadata.xml completely by NodeJS?
There seems to be no parameter to do so.
Once our Admin configured it to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" on the IdP (AD) side it worked.

[tngan]

@csgruenebe https://samlify.js.org/#/sp-configuration

Do you mean the nameIDFormat ?

[offboarded-x233534]

@tngan ah sorry, did not see it was an array :) so it is already there :)
UPDATE: It seems to be missing in the export interface ServiceProviderSettings { TypeScript interface :(

[tngan]

@csgruenebe Can you help to open another ticket ? Then we can continue the discussion.

UPDATE: That one is for metadata declaration, but you can pass loginNameIDFormat in setting instead. I will combine them together in the coming fix. Theoretically, SP can be configured to have multiple name id, I will make loginNameIDFormat to always take the first one from that given list of formats by default.

[tngan]

@csgruenebe Let's continue the discussion on #284. This ticket is left for the enhancement of handling status code (failure) inside samlify.

[tngan]

@marwej v2.5.1 is released to npm.

The following test covers this use case.

samlify/test/flow.ts

Lines 655 to 661 in 846ab75

	test('should throw two-tiers code error when the response does not return success status', async t => {
	const failedResponse: string = String(readFileSync('./test/misc/failed_response.xml'));
	try {
	const _result = await sp.parseLoginResponse(idpNoEncrypt, 'post', { body: { SAMLResponse: utility.base64Encode(failedResponse) } });
	} catch (e) {
	t.is(e.message, 'ERR_FAILED_STATUS with top tier code: urn:oasis:names:tc:SAML:2.0:status:Requester, second tier code: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy');
	}

[marwej]

I have now started to get an empty statusCode in const { statusCode, nameID } = parseResult.extract; but the response from another IdP (Google) is success.

Tried to rollback to an earlier version but same error. Nothing to do with samlify then I guess.

Do you recognize this?

[tngan]

@marwej If the response is not succeeded, it will throw an error with the top and second tier error message before hit the line you have. The only case must be succeeded when you get the parseResult.

Can you show me the code how you construct the handler of SAML response ?

I have already removed the statusCode from the extractor though.

[marwej]

It is a successful result (not the one above).

<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>

The code is basically this:

const parseResult = await sp.parseLoginResponse(idp, 'post', req);
if (!isPlainObject(parseResult.extract)) throw new Error('Could not parse SAML response');
const { statusCode, nameID } = parseResult.extract;
if (!isString(statusCode)) throw new Error('No status code');
if (statusCode !== STATUS_CODES.success) throw new Error('Non-successful response');

Could I just assume the respons is successful if parsing is ok then?

[tngan]

@marwej There is no statusCode anymore, you are not supposed to see that since i have removed it.

try {
  const parseResult = await sp.parseLoginResponse(idp, 'post', req);
  console.log(parseResult.extract); // if this line hits, indicating that the status is success
} catch (e) {
  console.error(e);
}

[marwej]

Roger that. Thanks for a great package!