PicketLink IDP Missing AuthnStatement in Response
matthew.hayes Jan 21, 2011 4:33 AM
I'm having an issue where the IDP authenticates the user through Kerberos and returns a SAML Response, but the Assertion in that Response does not contain an AuthnStatement. One of the SPs requires one (it rejects the assertion without it) — is this something that needs to be configured on the IDP side?
Here is an example of the AuthnRequest and the Response it produces (hostnames anonymised):
<!-- Captured AuthnRequest (SP -> IDP), HTTP-POST binding requested for the Response.
     NOTE(review): Destination reads "http:/my.company.pvt/idp/" (single slash) while
     every other URL has "http://". Probably a transcription slip while anonymising;
     if the SP really emits it, an IDP that checks Destination against its own endpoint
     should reject this request rather than answer it.
     NOTE(review): the AssertionConsumerServiceURL is plain http:// — the bearer
     assertion below will be POSTed over cleartext, so anyone on the path can capture
     and replay it within its validity window. Use https for the ACS in production. -->
<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
AssertionConsumerServiceURL="http://my.company.pvt:8080/seam-sp/AssertionConsumerService.seam"
Destination="http:/my.company.pvt/idp/" ID="ID_4358f9cc-ac51-498f-9c99-9eefad48f6ee"
IssueInstant="2011-01-20T17:06:19.819-05:00"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<!-- Issuer is the SP entity ID; note it differs from the ACS URL (no :8080) — the SP's
     entity ID and its ACS location are separate identifiers, which is fine. -->
<Issuer>http://my.company.pvt/seam-sp</Issuer>
</ns3:AuthnRequest>
<!-- Captured Response (IDP -> SP). Things a reviewer should notice, beyond the missing
     AuthnStatement the post asks about:
     1. There is no ds:Signature anywhere in this Response or its Assertion (the xmldsig
        namespace is declared but never used). An SP has no way to verify that an
        unsigned bearer assertion came from this IDP; it must reject it. NOTE(review):
        the capture may have been logged before the signing step — confirm against
        what actually arrives on the wire at the ACS.
     2. The assertion has no AudienceRestriction (see Conditions below).
     3. SubjectConfirmationData has NotBefore == NotOnOrAfter (see below). -->
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
Destination="http://my.company.pvt:8080/seam-sp/AssertionConsumerService.seam"
ID="ID_dd3b9ece-8496-425d-8628-ed0d3fe15f81"
InResponseTo="ID_4358f9cc-ac51-498f-9c99-9eefad48f6ee"
IssueInstant="2011-01-20T17:06:23.557-05:00"
Version="2.0">
<Issuer>http://my.company.pvt/idp/</Issuer>
<ns3:Status>
<ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</ns3:Status>
<!-- The assertion carries only an AttributeStatement. The SAML 2.0 Web Browser SSO
     profile requires an assertion issued in response to an AuthnRequest to contain at
     least one AuthnStatement (authentication instant, session index, authn context —
     here that would be a Kerberos context class). So the SP's demand is the spec's
     demand, not a quirk of that SP; the IDP side is what needs to change. -->
<Assertion ID="ID_e9087d3f-bc2d-41a7-ad56-a3e173373fca" IssueInstant="2011-01-20T17:06:23.530-05:00" Version="2.0">
<Issuer>http://my.company.pvt/idp/</Issuer>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">me@my.company.pvt</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<!-- NotBefore and NotOnOrAfter are the same instant (17:06:23.530), so the bearer
     confirmation is never valid: NotOnOrAfter is exclusive, leaving a zero-width
     window. A strictly conforming SP will reject this on time-check alone. The Web
     Browser SSO profile also says bearer SubjectConfirmationData must not carry a
     NotBefore at all — only Recipient, NotOnOrAfter and (optionally) InResponseTo /
     Address. NOTE(review): likely an IDP bug where the delivery-window lifetime is 0;
     confirm in the IDP configuration. -->
<SubjectConfirmationData InResponseTo="ID_4358f9cc-ac51-498f-9c99-9eefad48f6ee" NotBefore="2011-01-20T17:06:23.530-05:00" NotOnOrAfter="2011-01-20T17:06:23.530-05:00" Recipient="http://my.company.pvt:8080/seam-sp/AssertionConsumerService.seam"/>
</SubjectConfirmation>
</Subject>
<!-- 5-minute assertion validity, but no AudienceRestriction. Without an
     <AudienceRestriction><Audience>http://my.company.pvt/seam-sp</Audience> naming the
     requesting SP, this bearer assertion is acceptable to *any* SP that trusts the
     IDP — it can be replayed from one SP to another. The Web Browser SSO profile
     requires the restriction; the SP should also enforce it. -->
<Conditions NotBefore="2011-01-20T17:06:23.530-05:00" NotOnOrAfter="2011-01-20T17:11:23.530-05:00"/>
<!-- Five separate <Attribute Name="role"> elements with one value each. The usual
     SAML shape is one <Attribute Name="role"> with five <AttributeValue> children;
     some SP attribute mappers only read the first Attribute with a given Name and
     would see only "Technology".
     NOTE(review): the values "top", "person", "organizationalPerson", "user" look like
     LDAP objectClass values rather than group memberships — if the IDP's role mapping
     is pointed at objectClass instead of memberOf (or similar), every directory entry
     gets the "user"/"person" roles, and any SP that authorises on role="user" grants
     access to everyone. Confirm which directory attribute feeds "role". -->
<AttributeStatement>
<Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Technology</AttributeValue>
</Attribute>
<Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">organizationalPerson</AttributeValue>
</Attribute>
<Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">person</AttributeValue>
</Attribute>
<Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">top</AttributeValue>
</Attribute>
<Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</ns3:Response>