Shibboleth SP 2.5.4 and empty SubjectLocality element in SAML Assertion

Leppälä, Arttu arttu.leppala at
Fri May 8 09:11:46 EDT 2015


I upgraded our Shibboleth SP to the current version 2.5.4 this week. After the update, I got error reports from certain IdP organizations that their users cannot log in to our service. After going through the log files, I noticed that the SP is refusing assertions from certain IdPs, claiming that the assertion has a SubjectLocality element value that is not an Address or DNSName. The error message from shibd.log is as follows:

2015-05-08 14:59:51 WARN Shibboleth.SSO.SAML2 [27]: detected a problem with assertion: SubjectLocality must have Address or DNSName.

The Assertion in question contains the element, but no value. The processing of the Assertion seems to cease when it encounters this. I also checked the case in the previous version's logs, and there is no such warning there, even though assertions from the same IdPs which now do not work were working.

If I read the specification correctly, the SubjectLocality element having no value is valid SAML and the SP should accept the assertion (the checkAddress setting is false (default) in the Shibboleth2.xml config). The user trying to log in is getting an error from IIS (where the ISAPI Filter is installed).

Is this a known issue, and is there a workaround for telling the SP not to check the element? This functionality seems to have changed between versions 2.5.3 and 2.5.4.

Thank you in advance!

Arttu Leppälä
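The condition the SP is warning about, re-implemented as an added example (not code from the Shibboleth project or from the original post) so that assertions captured from an IdP can be audited offline: it flags any saml:SubjectLocality that carries neither an Address nor a DNSName attribute, which is schema-valid SAML 2.0 (both attributes are optional) but is what the 2.5.4 SP refuses. The sample assertion, issuer URL and assertion ID are constructed, and the script assumes an attribute that is present but empty counts the same as an absent one.

```python
# Added example: audit SAML 2.0 assertions for SubjectLocality elements that
# carry neither Address nor DNSName, the case SP 2.5.4 logs as
# "SubjectLocality must have Address or DNSName". Intended for assertions
# already captured in logs, so affected IdPs can be identified in advance.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


def tag(local: str) -> str:
    """Clark-notation tag for the SAML 2.0 assertion namespace."""
    return f"{{{SAML2}}}{local}"


def audit_subject_locality(assertion_xml: str) -> dict:
    """Return issuer, assertion ID and every SubjectLocality that would trip
    the 2.5.4 check. Assumption: an attribute present but empty ("") is
    treated the same as an absent one."""
    root = ET.fromstring(assertion_xml)
    if root.tag != tag("Assertion"):
        raise ValueError(f"not a SAML 2.0 Assertion: {root.tag}")
    issuer = root.findtext(tag("Issuer"), default="").strip()
    offending = []
    for stmt in root.iter(tag("AuthnStatement")):
        for loc in stmt.iter(tag("SubjectLocality")):
            address = (loc.get("Address") or "").strip()
            dnsname = (loc.get("DNSName") or "").strip()
            if not address and not dnsname:
                offending.append(dict(loc.attrib))
    return {
        "issuer": issuer,
        "assertion_id": root.get("ID"),
        "rejected_by_sp_2_5_4": bool(offending),
        "offending_subject_locality": offending,
    }


# Constructed sample: the shape described in the post, an empty
# <saml:SubjectLocality/> inside an otherwise ordinary AuthnStatement.
EMPTY_LOCALITY_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2015-05-08T11:59:51Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2015-05-08T11:59:50Z">
    <saml:SubjectLocality/>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Same assertion with a DNSName attribute, which the 2.5.4 check accepts.
DNSNAME_ASSERTION = EMPTY_LOCALITY_ASSERTION.replace(
    "<saml:SubjectLocality/>", '<saml:SubjectLocality DNSName="client.example.org"/>')

if __name__ == "__main__":
    for sample in (EMPTY_LOCALITY_ASSERTION, DNSNAME_ASSERTION):
        print(audit_subject_locality(sample))
```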
