Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NoAuthnContext #62

Closed
nathan-isaac opened this issue May 7, 2015 · 4 comments
Closed

NoAuthnContext #62

nathan-isaac opened this issue May 7, 2015 · 4 comments

Comments

@nathan-isaac
Copy link

I am not all that familiar with SAML so bare with me.

I just installed the https://github.com/aacotroneo/laravel-saml2 package with a new instance of Laravel 5. Unfortunately I am getting this error.

The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext

Any thoughts on how what this error means? I am sure it is some type of configuration issue. I am just not familiar enough with SAML to know which side the error is coming from ADFS IDP or my OneLogin configuration.

I was able to connect and login successfully with a PHPSimpleSaml implementation. However, OneLogin gives me more flexibility. This is why I wanted to use this package.

I would appreciate any suggestions. Thanks.

@pitbulk
Copy link
Contributor

pitbulk commented May 7, 2015

Based on the error that you posted

The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext

I can say that ADFS received an AuthNRequest with an AuthnContext that is not supported (maybe due a configuration problem).

The Status is the way how an IdP can provide to the SP that something went wrong, in this case
"status:NoAuthnContext" instead the "status:Success".

By default, OneLogin's SP is configured to send an AuthNRequest with
'PasswordProtectedTransport' as AuthnContext
so ADFS should have this AuthContext enabled, otherwise you obtain an error.

In order to fix it you have 2 choices:

  • Allow in ADFS the 'PasswordProtectedTransport' AuthnContext
  • Review what AuthnContext is supported on ADFS and configure it on your SP. You can do it using the 'requestedAuthnContext' parameter on the advanced_settings.php:
// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
'requestedAuthnContext' => true,

@nathan-isaac
Copy link
Author

After setting requestedAuthnContext to false I was able to login.

Thanks.

@krishnasathyanarayana
Copy link

We too notice this problem with many customers, especially the ones with kerberos, cert and other forms of authentication. This fails even if the PasswordProtectedTransport is enabled on IDP as we are using exact. The default set by onelogin libary should be requestedAuthnContext to false by default or all the contexts should be sent for selecting any. The default's should not be very restrictive. Can we have this changed in the next version, please?

@pitbulk
Copy link
Contributor

pitbulk commented Mar 29, 2016

@krishnasathyanarayana

I agree that set "exact PasswordProtectedTransport" as default requestedAuthnContext was not the right decision.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants