SAML-Toolkits / php-saml

Simple SAML toolkit for PHP
MIT License

AADSTS7500530: SAML NameId cannot be null. #511

Closed sanjay7m closed 1 year ago

sanjay7m commented 2 years ago

First of all, thanks for helping with the following issue. I have tried many solutions but none worked. We are using OneLogin and Azure as the IdP. SSO is all working fine but SLO is not working. With OneLogin it's working fine, but not with Azure, which gives the following error. When trying to log out from the SP end I get the following error: SAML NameId cannot be null. Can you help please? <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" Destination="https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2" IssueInstant="2022-02-02T20:36:13Z" ID="_afd76ec0-6695-013a-8f89-456ec9dc46a9"

https://xxxxxxxx.onelogin.com/sp/xxxx-6dd3e57c7f5c
elirenato commented 2 years ago

Hi @sanjay7m,

I had the same problem recently. Set the nameIdEncrypted of the security settings to false, and you will see the nameId sent in the request.

I'm still struggling with the logout now, but for another reason that I don't know yet.

Regards,

Eli

sanjay7m commented 2 years ago

Hi @elirenato, thank you for the response. Actually, first it sends the request to OneLogin (https://xxx.onelogin.com/trust/saml2/launch/1234567), then it redirects to Azure. The first request that is sent to OneLogin has the NameID, but the second redirect to Azure is missing the NameID format. And it's strange, as I have no idea where this redirect is set up, since that URL seems to be redirected from https://xxx.onelogin.com/trust/saml2/launch/1234567. And also I have not set nameIdEncrypted to true.

pitbulk commented 2 years ago

Have you tried the 'wantNameId' setting?

sanjay7m commented 2 years ago

Hi @pitbulk, thank you for your response. Yes, this setting is as below, 'wantNameId' => true, but it is not working.

pitbulk commented 2 years ago

Set

'wantNameId' => false,

sanjay7m commented 2 years ago

Hi @pitbulk, thanks for helping. Here is what I am getting:

Set to false, but getting the below error only on single logout; SSO is working fine.

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_39898d70-6c8a-013a-6fd0-07379c3c81aa" Version="2.0" IssueInstant="2022-02-10T10:29:17Z" Destination="https://login.microsoftonline.com/xxxxxxxxxxxxxxxxx/saml2"

https://givingtrax.onelogin.com/sp/xxxxxxxxxxxx

And this one is the screenshot:


pitbulk commented 1 year ago

It seems that ADFS, for SLO to work, requires a NameID to be provided, so you will need to set it up to be included in the SAMLResponse, to be available later for the SLO process.

Read this documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization
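The failure mode discussed in this thread (a LogoutRequest reaching the IdP with no NameID) is usually an SP-side state problem: the NameID is only available if it was captured from the SAMLResponse at SSO time and handed back to logout(). The following is an added example, not code from this thread or from the php-saml project itself; the session key names and the sp/idp blocks are assumptions, while the settings keys and Auth methods are php-saml's own.

```php
<?php
// Added example (not from the issue thread or the php-saml project).
require_once 'vendor/autoload.php';

use OneLogin\Saml2\Auth;

$settings = [
    // 'sp' => [...], 'idp' => [...]  (your existing entries, omitted here)
    'security' => [
        // An encrypted NameID in the LogoutRequest is what the reporter
        // hit: the IdP sees no usable NameID. Keep it off unless required.
        'nameIdEncrypted' => false,
        // Fail at SSO time (clear error) rather than at SLO time if the
        // SAMLResponse carries no NameID at all.
        'wantNameId'      => true,
    ],
];

// ACS endpoint: after $auth->processResponse() succeeded, persist the
// identifiers SLO will need later. Session key names are assumptions.
function storeSamlSession(Auth $auth): void
{
    $_SESSION['saml_nameid']        = $auth->getNameId();
    $_SESSION['saml_nameid_format'] = $auth->getNameIdFormat();
    $_SESSION['saml_session_index'] = $auth->getSessionIndex();
}

// Pre-flight check before building a LogoutRequest: a null NameID is
// exactly what Azure AD rejects with AADSTS7500530.
function canStartSlo(array $session): bool
{
    return !empty($session['saml_nameid']);
}

// Logout endpoint.
$auth = new Auth($settings);
if (!canStartSlo($_SESSION)) {
    // No NameID captured: do a local logout only instead of sending a
    // LogoutRequest the IdP will refuse.
    session_destroy();
    exit('Local logout only: no SAML NameID stored for this session.');
}

$auth->logout(
    null,                              // returnTo (default from settings)
    [],                                // extra query parameters
    $_SESSION['saml_nameid'],          // NameID from the SAMLResponse
    $_SESSION['saml_session_index'],   // SessionIndex from the SAMLResponse
    false,                             // stay: false = redirect immediately
    $_SESSION['saml_nameid_format']    // NameID Format, so it is not omitted
);
```

If the IdP-side SAML configuration still emits no NameID, the wantNameId check above makes the SSO step fail instead, which points at the claims configuration rather than at SLO.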