NoAuthnContext

[nathan-isaac]

I am not all that familiar with SAML so bare with me.

I just installed the https://github.com/aacotroneo/laravel-saml2 package with a new instance of Laravel 5. Unfortunately I am getting this error.

The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext

Any thoughts on how what this error means? I am sure it is some type of configuration issue. I am just not familiar enough with SAML to know which side the error is coming from ADFS IDP or my OneLogin configuration.

I was able to connect and login successfully with a PHPSimpleSaml implementation. However, OneLogin gives me more flexibility. This is why I wanted to use this package.

I would appreciate any suggestions. Thanks.

[pitbulk]

Based on the error that you posted

The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext

I can say that ADFS received an AuthNRequest with an AuthnContext that is not supported (maybe due a configuration problem).

The Status is the way how an IdP can provide to the SP that something went wrong, in this case
"status:NoAuthnContext" instead the "status:Success".

By default, OneLogin's SP is configured to send an AuthNRequest with
'PasswordProtectedTransport' as AuthnContext so ADFS should have this AuthContext enabled, otherwise you obtain an error.

In order to fix it you have 2 choices:

• Allow in ADFS the 'PasswordProtectedTransport' AuthnContext
• Review what AuthnContext is supported on ADFS and configure it on your SP. You can do it using the 'requestedAuthnContext' parameter on the advanced_settings.php:

// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
'requestedAuthnContext' => true,

[nathan-isaac]

After setting requestedAuthnContext to false I was able to login.

Thanks.

[krishnasathyanarayana]

We too notice this problem with many customers, especially the ones with kerberos, cert and other forms of authentication. This fails even if the PasswordProtectedTransport is enabled on IDP as we are using exact. The default set by onelogin libary should be requestedAuthnContext to false by default or all the contexts should be sent for selecting any. The default's should not be very restrictive. Can we have this changed in the next version, please?

[pitbulk]

@krishnasathyanarayana

I agree that set "exact PasswordProtectedTransport" as default requestedAuthnContext was not the right decision.