Shibboleth SP 2.5.4 and empty SubjectLocality element in SAML Assertion
arttu.leppala at cgi.com
Fri May 8 09:11:46 EDT 2015
I upgraded our Shibboleth SP to the current version 2.5.4 this week. After the update, I got error reports from certain IdP organizations that their users cannot log in to our service. After going through log files, I noticed that the SP is refusing assertions from certain IdPs, claiming that the assertion has a SubjectLocality element value that is not an Address or DNSName. The error message from shibd.log is as follows:
2015-05-08 14:59:51 WARN Shibboleth.SSO.SAML2 : detected a problem with assertion: SubjectLocality must have Address or DNSName.
The Assertion in question contains the element, but no value. The processing of the Assertion seems to cease when it encounters this. I also checked the case in the previous version's logs, and there is no such warning there, even though assertions from the same IdPs, which now do not work, were working.
If I read the specification correctly, the SubjectLocality element having no value is valid SAML and the SP should accept the assertion (the checkAddress setting is false (default) in the shibboleth2.xml config). The user trying to log in is getting an error from IIS (where the ISAPI filter is installed).
Is this a known issue, and is there a workaround for telling the SP not to check the element? This functionality seems to have changed between versions 2.5.3 and 2.5.4.
Thank you in advance!
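As an added example, not part of the original post or of the Shibboleth code base, here is a small Python check that reproduces the condition the SP is logging: an AuthnStatement whose SubjectLocality carries neither an Address nor a DNSName attribute. It is run over constructed sample assertions (the issuer, NameID and address values are made up) so an IdP operator can spot affected assertions before they reach the SP.

```python
import xml.etree.ElementTree as ET
from typing import List

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}


def check_subject_locality(assertion_xml: str) -> List[str]:
    """Return one warning per AuthnStatement whose SubjectLocality element
    is present but has neither an Address nor a DNSName attribute.
    A missing SubjectLocality is accepted (it is optional in SAML 2.0);
    an attribute present with an empty string is treated as missing here."""
    root = ET.fromstring(assertion_xml)
    warnings = []
    # Works whether the root is the Assertion or an enclosing Response.
    for stmt in root.iterfind(".//saml2:AuthnStatement", NS):
        loc = stmt.find("saml2:SubjectLocality", NS)
        if loc is None:
            continue
        if not (loc.get("Address") or loc.get("DNSName")):
            warnings.append("SubjectLocality must have Address or DNSName")
    return warnings


def _assertion(locality_xml: str) -> str:
    """Build a minimal, constructed assertion around the given SubjectLocality."""
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_example" Version="2.0" '
        'IssueInstant="2015-05-08T11:59:51Z">'
        '<saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>'
        '<saml2:Subject><saml2:NameID>user@example.org</saml2:NameID></saml2:Subject>'
        '<saml2:AuthnStatement AuthnInstant="2015-05-08T11:59:50Z">'
        f'{locality_xml}'
        '<saml2:AuthnContext><saml2:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml2:AuthnContextClassRef></saml2:AuthnContext>'
        '</saml2:AuthnStatement></saml2:Assertion>'
    )


# Constructed samples: the shape described in the post, a populated one, and none.
EMPTY_LOCALITY = _assertion('<saml2:SubjectLocality/>')
ADDRESSED_LOCALITY = _assertion('<saml2:SubjectLocality Address="192.0.2.10"/>')
NO_LOCALITY = _assertion('')

if __name__ == "__main__":
    for name, doc in [("empty", EMPTY_LOCALITY), ("addressed", ADDRESSED_LOCALITY), ("none", NO_LOCALITY)]:
        print(name, check_subject_locality(doc))
```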