Fwd: Installing Shibboleth idp3 with hubspot as sp: Getting Saml response status code InvalidNameIDPolicy
Youssef Ait Laydi
youssef.aitlaydi at gmail.com
Fri Jun 4 15:39:31 UTC 2021
Hello everybody,
I'm not able to get our Shibboleth IdP3 to communicate via SSO
with HubSpot.
I get this error in the SAML response:
<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
  </saml2p:StatusCode>
  <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
I use external authentication with a JSP servlet that hardcodes the username
"test_sso@example.com" as the PRINCIPAL_NAME_KEY attribute:
import javax.servlet.ServletException;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;

try {
    // Start the external authentication flow and get the conversation key.
    final String key = ExternalAuthentication.startExternalAuthentication(request);
    // Hardcoded principal for testing only.
    final String username = "test_sso@example.com";
    if (username != null) {
        // Hand the principal name back to the IdP.
        request.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, username);
    }
    // Return control to the IdP login flow.
    ExternalAuthentication.finishExternalAuthentication(key, request, response);
} catch (final ExternalAuthenticationException e) {
    throw new ServletException("Error processing external authentication request", e);
}
In process.log I got:
Profile Action ValidateExternalAuthentication: External authentication
succeeded for user: test_sso@example.com
After that I got in process.log:
WARN: [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] -
Profile Action AddNameIDToSubjects: Request specified use of an
unsupportable identifier format:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
occurred while processing the request: InvalidNameIDPolicy
So my SAML request is:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_7180ee53-397d-415e-ae56-1f38eeb2cmp3" Version="2.0"
    IssueInstant="2021-06-04T15:10:01Z"
    Destination="https://myhostname.com/idp/profile/SAML2/Redirect/SSO"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://api.hubspot.com/login-api/v1/saml/acs?portalId=myPortalId">
  <saml:Issuer>https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>
My SP metadata is:
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="false">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://api.hubspot.com/login-api/v1/saml/acs?portalId=myPortalId"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.hubspot.com/login-api/v1/saml/acs?portalId=myPortalId"
        isDefault="true" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://api.hubspot.com/login-api/v1/saml/acs?portalId=myPortalId"
        isDefault="true" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Note that I didn't change saml-nameid.xml but I
changed saml-nameid.properties:
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
In process.log I got also:
INFO [Shibboleth-Audit.SSO:275] -
20210604T151002Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ONELOGIN_7180ee53-397d-415e-ae56-1f38eeb2cfd3|
https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://myhostname.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_8524eeefff3a8cbee2f6b31f2fda51ce|test_sso@example.com
Thank you
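Added example (not part of the original post, and not HubSpot's or the Shibboleth project's own configuration). The AddNameIDToSubjects warning says the IdP has no generator for the format HubSpot's AuthnRequest asks for. idp.nameid.saml2.default only applies when a request carries no NameIDPolicy Format, so changing it does not help here; what saml-nameid.xml needs is a generator for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, fed by an attribute that is both resolved and released to HubSpot. The fragments below show one way to wire that up. The attribute ID `mail`, the filter policy ID, and the scripted definition that copies the principal name into `mail` are assumptions chosen to match the hardcoded principal in the post; the bean parents and element types are the stock IdP3 ones.

```xml
<!-- conf/saml-nameid.xml: add a generator for the format HubSpot requests.
     Added example; "mail" is an assumed attribute ID. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <!-- Build the emailAddress NameID from the released "mail" attribute. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }" />
</util:list>

<!-- conf/attribute-resolver.xml: with external authentication there is no
     directory behind the principal, so derive "mail" from the principal
     name itself (assumption: the principal is the e-mail address, as in the post). -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="mail">
    <Script><![CDATA[
        // resolutionContext is provided by the IdP; getPrincipal() returns the
        // value the servlet stored under PRINCIPAL_NAME_KEY.
        mail.addValue(resolutionContext.getPrincipal());
    ]]></Script>
</AttributeDefinition>

<!-- conf/attribute-filter.xml: the generator can only use attributes that
     are released to this relying party, so release "mail" to HubSpot. -->
<AttributeFilterPolicy id="releaseMailToHubSpot">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId" />
    <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>
```

After reloading the NameID generation, attribute resolver and attribute filter services (or restarting the IdP), `bin/aacli.sh -n test_sso@example.com -r https://api.hubspot.com/login-api/v1/saml/login?portalId=myPortalId --saml2` shows whether `mail` is released to that requester; if it is not, the generator has nothing to work with and the same InvalidNameIDPolicy status comes back. The hardcoded principal in the servlet is fine for this test but must be replaced by a real authentication check before the IdP faces any users.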