From: Krzysztof B. <kb...@un...> - 2017-06-15 11:11:43
Hi Willem,

OK, so everything is clear now. The key parts are:

On 14.06.2017 at 13:41, Willem Elbers wrote:
> 9: Condition:
> true
> Action:
> createAttribute
> Action parameters:
> attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.10
> expression = idsByType['targetedPersistent'][0]
> mandatory = false
> attributeDisplayName =
> attributeDescription =
> 10: Condition:
> true
> Action:
> createAttribute
> Action parameters:
> attributeName = urn:mace:dir:attribute-def:eduPersonTargetedID
> expression = idsByType['targetedPersistent'][0]
> mandatory = false
> attributeDisplayName =
> attributeDescription =

together with:

> The SAML request from SP -> IdP:
> ...
> <samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> AllowCreate="false"
> />

So the client is requesting a transient identity (i.e. that after authentication of a user, Unity should return it a response assertion with an identity of the user of 'transient' type). The transient identity is by definition session- and requester-scoped: any other SP should get a different transient identifier for the same user, and (!) this particular SP should get a different identifier for the same user in the next session (so after logout).

At the same time the SP sets AllowCreate=false, which tells Unity that it should not create any new identifier for the user; only an already existing one can be returned.

So this makes no sense together. This request can only be served when the user was previously authenticated *to the same SP and in the same SSO session*. The first authentication from this SP to Unity will never work, as a new transient identity needs to be generated exactly then.

The error you get is from the profile: the 'targetedPersistent' identity is also not created for this user, as AllowCreate=false prevents it too. This can be fixed with a proper condition. However, the request won't be served anyway, as after profile processing Unity won't have the transient identity to be put into the response.

In short: AllowCreate should be true, or Format changed to some fixed identity. And fix the profile, as it shouldn't assume that some dynamic identity is always present.

Best
Krzysztof
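The decision logic described in the reply above, as an added example that is not part of the original thread and not Unity's own code: it models the rules Krzysztof states, namely that a transient NameID is scoped to (requester, SSO session), a targeted persistent NameID is scoped to the requester, AllowCreate=false forbids minting a new identifier of either kind, and a translation-profile rule must not assume a dynamic identity is present. The identity store, the sample AuthnRequest, the function names and the in-memory map standing in for Unity's `idsByType` are all constructed here for illustration.

```python
"""Model of SAML NameIDPolicy handling (transient/persistent + AllowCreate).

Added example, not Unity's code. Identity store, sample request and names are
constructed; the rules follow the explanation in the mailing-list reply.
"""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EPTID = "urn:mace:dir:attribute-def:eduPersonTargetedID"

# Constructed AuthnRequest carrying the NameIDPolicy quoted in the thread.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"
    IssueInstant="2017-06-14T11:41:00Z">
  <samlp:NameIDPolicy Format="{FMT_TRANSIENT}" AllowCreate="false"/>
</samlp:AuthnRequest>"""


@dataclass(frozen=True)
class Identity:
    type: str                        # 'transient', 'targetedPersistent', 'email', ...
    value: str
    requester: Optional[str] = None  # SP entityID the identifier is scoped to
    session: Optional[str] = None    # SSO session id; only transient ids carry one


@dataclass(frozen=True)
class NameIDPolicy:
    fmt: str
    allow_create: bool


def parse_nameid_policy(authn_request_xml: str) -> NameIDPolicy:
    """Extract Format/AllowCreate; SAML 2.0 defaults AllowCreate to false when absent."""
    root = ET.fromstring(authn_request_xml)
    pol = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if pol is None:
        return NameIDPolicy(FMT_UNSPECIFIED, False)
    return NameIDPolicy(pol.get("Format", FMT_UNSPECIFIED),
                        pol.get("AllowCreate", "false").lower() == "true")


def resolve_nameid(policy, identities, requester, session):
    """Pick the identity to return as NameID, or create one when AllowCreate permits.

    Returns (outcome, identity) with outcome in {'existing', 'created', 'refused'}.
    """
    if policy.fmt == FMT_TRANSIENT:
        # Scoped to requester AND session: a new session never matches an old id,
        # so with AllowCreate=false the very first login can never succeed.
        match = [i for i in identities if i.type == "transient"
                 and i.requester == requester and i.session == session]
        fresh = Identity("transient", "_" + secrets.token_hex(16), requester, session)
    elif policy.fmt == FMT_PERSISTENT:
        # Scoped to requester only: survives logout, still differs per SP.
        match = [i for i in identities if i.type == "targetedPersistent"
                 and i.requester == requester]
        fresh = Identity("targetedPersistent", secrets.token_hex(16), requester)
    else:
        # A fixed identity (email here) exists independently of any SP; nothing to mint.
        match = [i for i in identities if i.type == "email"]
        fresh = None
    if match:
        return "existing", match[0]
    if fresh is None or not policy.allow_create:
        return "refused", None
    identities.append(fresh)
    return "created", fresh


def ids_by_type(identities, requester, session):
    """The map a profile rule sees: only ids visible to this requester and session."""
    out = {}
    for i in identities:
        if i.requester not in (None, requester) or i.session not in (None, session):
            continue
        out.setdefault(i.type, []).append(i.value)
    return out


def create_targeted_id_attribute(by_type):
    """Profile rule 'createAttribute eduPersonTargetedID' with a guarded condition.

    The quoted rule uses condition `true` and idsByType['targetedPersistent'][0],
    which fails when no such identity exists; here the rule is skipped instead.
    """
    values = by_type.get("targetedPersistent", [])
    if not values:
        return None
    return {EPTID: values[0]}


if __name__ == "__main__":
    policy = parse_nameid_policy(SAMPLE_AUTHN_REQUEST)
    store = [Identity("email", "alice@example.org")]       # constructed user
    print(resolve_nameid(policy, store, "https://sp.example.org", "sess-1"))
```

Running the script reproduces the failure from the thread: transient format with AllowCreate=false on a first login is refused, while the same request with AllowCreate=true, or with a fixed format such as unspecified/email backed by an existing identity, is served.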