Canonicalization flow c14n/SAML2ProxyTransform was not applicable: reason unknown

Tomas Stenlund tomas.stenlund at telia.com
Mon Jan 3 06:02:07 UTC 2022


Hi,

I have a problem with one IdP out of two when I use 
c14n/SAML2ProxyTransform for the PostLoginSubjectCanonicalizationFlows 
during SelectSubjectCanonicalizationFlow. It does not say much more 
than the statement in the email subject.

I have added urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to the 
ProxyNameTransformFormats and added the entityIDs in the 
ProxyNameTransformPredicates. The SAMLSubjectCanonicalizationFlows list 
looks like this:

     <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">

         <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
         <ref bean="c14n/SAML2Transient" />
         <ref bean="c14n/SAML2CryptoTransient" />
         <ref bean="c14n/SAML1Transient" />
         <ref bean="c14n/SAML1CryptoTransient" />

         <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
         <!-- <ref bean="c14n/SAML2Persistent" /> -->

         <!--
         Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
         having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
         -->
         <ref bean="c14n/SAML2Transform" />
         <ref bean="c14n/SAML1Transform" />
     </util:list>


Any idea where I should start looking? There is something I am obviously 
missing :-)

This is the assertion that fails:

<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="_d29f82767d25f25d81dd7c8d00f7304f" 
IssueInstant="2022-01-03T05:26:33.516Z" Version="2.0" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>https://dev.connector.swedenconnect.se/eidas</saml2:Issuer>
     <saml2:Subject>
         <saml2:NameID 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
NameQualifier="https://dev.connector.swedenconnect.se/eidas" 
SPNameQualifier="https://galatea.stenlund.eu/proxy">HhZkCxP7GkZ2zOCAIqyu+U5/8wk=</saml2:NameID>
         <saml2:SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <saml2:SubjectConfirmationData Address="XXXXXXXXX" 
InResponseTo="_311311a20c67645d7a7a780618e773a5" 
NotOnOrAfter="2022-01-03T05:31:33.552Z" Recipient="XXXXXXXXXXXXXXX"/>
         </saml2:SubjectConfirmation>
     </saml2:Subject>
     <saml2:Conditions NotBefore="2022-01-03T05:26:33.516Z" 
NotOnOrAfter="2022-01-03T05:31:33.516Z">
         <saml2:AudienceRestriction>
<saml2:Audience>https://galatea.stenlund.eu/proxy</saml2:Audience>
         </saml2:AudienceRestriction>
     </saml2:Conditions>
     <saml2:AuthnStatement AuthnInstant="2022-01-03T05:26:32.938Z" 
SessionIndex="_034a622b0c5a0d2d177d81b91187c03b">
         <saml2:SubjectLocality Address="XXXXXXXXXX"/>
         <saml2:AuthnContext>
<saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/eidas-nf-sub</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>https://xa.testnode.eidastest.se/EidasNode/ServiceMetadata</saml2:AuthenticatingAuthority>
         </saml2:AuthnContext>
     </saml2:AuthnStatement>
     <saml2:AttributeStatement>
         <saml2:Attribute FriendlyName="c" Name="urn:oid:2.5.4.6" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">XA</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="pridPersistence" 
Name="urn:oid:1.2.752.201.3.5" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">A</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="givenName" 
Name="urn:oid:2.5.4.42" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">Bernt Olof</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="transactionIdentifier" 
Name="urn:oid:1.2.752.201.3.2" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">_6w_0xAkmYOld5rgYIBHG-HsrpcCmPK4vqp.LHcrArv336yD6MHTpzt8ks9wzq53</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="eidasPersonIdentifier" 
Name="urn:oid:1.2.752.201.3.7" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">XA/SE/193911137077</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="prid" 
Name="urn:oid:1.2.752.201.3.4" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">XA:193911137077</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="dateOfBirth" 
Name="urn:oid:1.3.6.1.5.5.7.9.1" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">1939-11-13</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">Larsson</saml2:AttributeValue>
         </saml2:Attribute>
     </saml2:AttributeStatement>
</saml2:Assertion>

This is the assertion that works:

<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="_2416d5c8a2d5038bc017234e5cd7c0cd" 
IssueInstant="2022-01-03T04:42:45.353Z" Version="2.0" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>http://dev.test.swedenconnect.se/idp</saml2:Issuer>

     </ds:Signature>

     <saml2:Subject>
         <saml2:NameID 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
NameQualifier="http://dev.test.swedenconnect.se/idp"
SPNameQualifier="https://galatea.stenlund.eu/proxy">VIVQWeo4duddDJ3B+ELb5++cjiI=</saml2:NameID>
         <saml2:SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <saml2:SubjectConfirmationData Address="XXXXXXXXXXXXXX" 
InResponseTo="_45fbbe69b6537b8ffb3fe61fcce30ba1" 
NotOnOrAfter="2022-01-03T04:47:45.398Z" Recipient="XXXXXXXXXXXXX"/>
         </saml2:SubjectConfirmation>
     </saml2:Subject>

     <saml2:Conditions NotBefore="2022-01-03T04:42:45.353Z" 
NotOnOrAfter="2022-01-03T04:47:45.353Z">
         <saml2:AudienceRestriction>
<saml2:Audience>https://galatea.stenlund.eu/proxy</saml2:Audience>
         </saml2:AudienceRestriction>
     </saml2:Conditions>

     <saml2:AuthnStatement AuthnInstant="2022-01-03T04:42:45.308Z" 
SessionIndex="_6870321ff2f05f504901161781ec19e9">
         <saml2:SubjectLocality Address="XXXXXXXXXXXXXXX"/>
         <saml2:AuthnContext>
<saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
     </saml2:AuthnStatement>

     <saml2:AttributeStatement>
         <saml2:Attribute FriendlyName="personalIdentityNumber" 
Name="urn:oid:1.2.752.29.4.13" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">197802031877</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="displayName" 
Name="urn:oid:2.16.840.1.113730.3.1.241" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">Tryggve Bäckström</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="givenName" 
Name="urn:oid:2.5.4.42" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">Tryggve</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="dateOfBirth" 
Name="urn:oid:1.3.6.1.5.5.7.9.1" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">1978-02-03</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml2:AttributeValue 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">Bäckström</saml2:AttributeValue>
         </saml2:Attribute>
     </saml2:AttributeStatement>

</saml2:Assertion>


/Tomas

Failure LOG:

2022-01-03 05:26:33,998 - 192.168.1.1 - TRACE 
[net.shibboleth.idp.saml.authn.principal.impl.MapDrivenAuthnContextTranslationStrategy:100] 
- Passing unmapped value 'http://id.elegnamnden.se/loa/1.0/eidas-nf-sub' 
through
2022-01-03 05:26:33,998 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:317] 
- Profile Action ValidateSAMLAuthentication: Added translated 
AuthnContext Principals: [http://id.elegnamnden.se/loa/1.0/eidas-nf-sub]
2022-01-03 05:26:33,999 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:340] 
- Profile Action ValidateSAMLAuthentication: Adding filtered inbound 
attributes to Subject
2022-01-03 05:26:34,000 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:281] 
- Profile Action ValidateSAMLAuthentication: Resetting authentication 
time to proxied value: 2022-01-03T05:26:32.938Z
2022-01-03 05:26:34,019 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] 
- Profile Action PopulateSubjectCanonicalizationContext: Installing 1 
canonicalization flows into SubjectCanonicalizationContext
2022-01-03 05:26:34,020 - 192.168.1.1 - INFO [Shibboleth-Audit.SSO:283] 
- 
192.168.1.1||2022-01-03T05:26:34.020782Z||https://dev.connector.swedenconnect.se/eidas|_d29f82767d25f25d81dd7c8d00f7304f|http://id.elegnamnden.se/loa/1.0/eidas-nf-sub|2022-01-03T05:26:32.938Z|prid,givenName,sn|HhZkCxP7GkZ2zOCAIqyu+U5/8wk=|persistent||false||Redirect|POST||Success|||Mozilla/5.0 
(X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
2022-01-03 05:26:34,041 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - 
Profile Action SelectSubjectCanonicalizationFlow: Checking 
canonicalization flow c14n/SAML2ProxyTransform for applicability...
2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167] 
- Attempting to match format 
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185] 
- NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform: format 
matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2022-01-03 05:26:34,042 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:106] - 
Profile Action SelectSubjectCanonicalizationFlow: Canonicalization flow 
c14n/SAML2ProxyTransform was not applicable: reason unknown
2022-01-03 05:26:34,042 - 192.168.1.1 - ERROR 
[net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - 
Profile Action SelectSubjectCanonicalizationFlow: No potential flows 
left to choose from, canonicalization will fail
2022-01-03 05:26:34,044 - 192.168.1.1 - INFO 
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:142] - Profile 
Action SelectAuthenticationFlow: Moving incomplete flow authn/SAML to 
intermediate set
2022-01-03 05:26:34,044 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile 
Action SelectAuthenticationFlow: No specific Principals requested
2022-01-03 05:26:34,044 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:277] - Profile 
Action SelectAuthenticationFlow: Forced authentication requested, 
selecting an inactive flow
2022-01-03 05:26:34,044 - 192.168.1.1 - INFO 
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:281] - Profile 
Action SelectAuthenticationFlow: No potential flows left to choose from, 
authentication failed

Success LOG:

2022-01-03 04:42:45,767 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:317] 
- Profile Action ValidateSAMLAuthentication: Added translated 
AuthnContext Principals: [http://id.elegnamnden.se/loa/1.0/loa3]
2022-01-03 04:42:45,768 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:340] 
- Profile Action ValidateSAMLAuthentication: Adding filtered inbound 
attributes to Subject
2022-01-03 04:42:45,769 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:281] 
- Profile Action ValidateSAMLAuthentication: Resetting authentication 
time to proxied value: 2022-01-03T04:42:45.308Z
2022-01-03 04:42:45,786 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] 
- Profile Action PopulateSubjectCanonicalizationContext: Installing 1 
canonicalization flows into SubjectCanonicalizationContext
2022-01-03 04:42:45,788 - 192.168.1.1 - INFO [Shibboleth-Audit.SSO:283] 
- 
192.168.1.1||2022-01-03T04:42:45.788013Z||http://dev.test.swedenconnect.se/idp|_2416d5c8a2d5038bc017234e5cd7c0cd|http://id.elegnamnden.se/loa/1.0/loa3|2022-01-03T04:42:45.308Z|sn,personalIdentityNumber,displayName,givenName|VIVQWeo4duddDJ3B+ELb5++cjiI=|persistent||false||Redirect|POST||Success|||Mozilla/5.0 
(X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
2022-01-03 04:42:45,810 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - 
Profile Action SelectSubjectCanonicalizationFlow: Checking 
canonicalization flow c14n/SAML2ProxyTransform for applicability...
2022-01-03 04:42:45,811 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167] 
- Attempting to match format 
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
2022-01-03 04:42:45,811 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185] 
- NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform: format 
matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2022-01-03 04:42:45,812 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - 
Profile Action SelectSubjectCanonicalizationFlow: Selecting 
canonicalization flow c14n/SAML2ProxyTransform
2022-01-03 04:42:45,853 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:167] 
- Attempting to match format 
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
2022-01-03 04:42:45,854 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.NameIDCanonicalization$ActivationCondition:185] 
- NameIDCanonicalizationFlowDescriptor c14n/SAML2ProxyTransform: format 
matches urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2022-01-03 04:42:45,858 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.session.impl.DetectIdentitySwitch:148] - Profile 
Action DetectIdentitySwitch: No previous session found, nothing to do
2022-01-03 04:42:45,858 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.FinalizeAuthentication:116] - Profile 
Action FinalizeAuthentication: Canonical principal name was established 
as 'VIVQWeo4duddDJ3B+ELb5++cjiI='
2022-01-03 04:42:45,859 - 192.168.1.1 - DEBUG 
[net.shibboleth.idp.authn.impl.FinalizeAuthentication:173] - Profile 
Action FinalizeAuthentication: Request did not have explicit 
authentication requirements, result is accepted
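Added example (my own, not from the thread or from Shibboleth): a small Python check that applies the two conditions the post names for c14n/SAML2ProxyTransform (NameID Format listed in ProxyNameTransformFormats, issuer entityID accepted by ProxyNameTransformPredicate) plus a qualifier sanity check to trimmed, constructed copies of the two assertions above. The accepted-issuer set is an assumption chosen to reproduce one rejection; the failure log shows the format match succeeding before "not applicable", which is why the example keeps the two checks separate.

```python
# Added diagnostic, not Shibboleth code: stand-ins for the format list and
# issuer predicate of c14n/SAML2ProxyTransform, run over trimmed constructed
# copies of the two assertions from the thread.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PROXY_ENTITY_ID = "https://galatea.stenlund.eu/proxy"   # Audience in both assertions

# Assumed configuration: the issuer set deliberately omits the eIDAS
# connector so the first assertion is rejected the way the log shows.
ACCEPTED_FORMATS = {PERSISTENT}
ACCEPTED_ISSUERS = {"http://dev.test.swedenconnect.se/idp"}


def assertion(issuer, nameid):
    """Constructed assertion, trimmed to the elements the check reads."""
    return f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" Version="2.0">
  <saml2:Issuer>{issuer}</saml2:Issuer>
  <saml2:Subject><saml2:NameID Format="{PERSISTENT}" NameQualifier="{issuer}"
    SPNameQualifier="{PROXY_ENTITY_ID}">{nameid}</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""


FAILING = assertion("https://dev.connector.swedenconnect.se/eidas", "HhZkCxP7GkZ2zOCAIqyu+U5/8wk=")
WORKING = assertion("http://dev.test.swedenconnect.se/idp", "VIVQWeo4duddDJ3B+ELb5++cjiI=")


def check_proxy_transform(xml_text):
    """Return the reasons the flow would be rejected; an empty list means applicable."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    nameid = root.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return ["no NameID in Subject"]
    reasons = []
    fmt = nameid.get("Format")
    if fmt not in ACCEPTED_FORMATS:
        reasons.append(f"format {fmt} not in ProxyNameTransformFormats")
    if issuer not in ACCEPTED_ISSUERS:
        reasons.append(f"issuer {issuer} not accepted by ProxyNameTransformPredicate")
    # Sanity checks beyond the two configured conditions: a persistent NameID
    # should be qualified by the issuing IdP and scoped to this proxy.
    if nameid.get("NameQualifier") not in (None, issuer):
        reasons.append("NameQualifier does not match Issuer")
    if nameid.get("SPNameQualifier") not in (None, PROXY_ENTITY_ID):
        reasons.append("SPNameQualifier is not this proxy's entityID")
    return reasons


if __name__ == "__main__":
    for label, doc in (("failing", FAILING), ("working", WORKING)):
        print(label, check_proxy_transform(doc) or "applicable")
```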
