SAML 2 error InvalidNameIDPolicy

Dear developers,

we are trying out firezone with SAML 2 authentication. Our IDP sends the response with the error InvalidNameIDPolicy

Firezone is sending a SAML request with this NameIDPolicy

<samlp:NameIDPolicy Format="urn:mace:shibboleth:1.0:nameIdentifierurn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

The correct NameIDPolicy for SAML 2 should be only this

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

Can I set this somehow in the environment or webUI? Many thanks in advance!

Hi @Vinc89 – this is the first time we’ve seen this particular issue. Could you elaborate on which IdP you’re using?

Hi @jamil we are using Shibboleth IdP. I wanted to set it to ignore the name id policy check somehow, but it’s not possible unfortunately.

@Vinc89 I see, we haven’t tested with that one specifically. Is the Metadata XML correct? IIRC this is what configures the NameID format. We don’t have it hardcoded anywhere.
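As an added example (not code from this thread or from Firezone), here is a Python check for the failure mode discussed above: it reads the NameIDFormat entries from SP metadata, detects a Format value in which two URNs have been run together with no separator, and builds a NameIDPolicy carrying a single SAML 2.0 format. The metadata fragment and entity ID are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed SP metadata (not Firezone's own file) declaring the two NameIDFormat
# entries the thread describes: a Shibboleth 1.0 format plus the SAML 2.0 transient one.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Commonly used NameID formats from SAML 2.0 Core, section 8.3 (a subset).
# "urn:mace:shibboleth:1.0:nameIdentifier" is a SAML 1.x legacy value, not listed here.
SAML2_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
})

def nameid_formats(metadata_xml: str) -> list[str]:
    """Every NameIDFormat declared in the SP metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip() for el in root.iter(f"{{{MD_NS}}}NameIDFormat") if el.text]

def split_concatenated(value: str) -> list[str]:
    """Split a Format value whose URNs were joined with no separator ("urn:...urn:...")."""
    return ["urn:" + part for part in value.split("urn:") if part]

def check_nameid_policy(format_value: str) -> list[str]:
    """Problems with a NameIDPolicy Format value; an empty list means it is acceptable."""
    problems = []
    urns = split_concatenated(format_value)
    if len(urns) > 1:
        problems.append(f"{len(urns)} formats concatenated into one attribute: {urns}")
    for urn in urns:
        if urn not in SAML2_NAMEID_FORMATS:
            problems.append(f"not a SAML 2.0 NameID format: {urn}")
    return problems

def nameid_policy_from_metadata(metadata_xml: str) -> str:
    """Build the NameIDPolicy element, requiring exactly one SAML 2.0 format in the metadata."""
    saml2 = [f for f in nameid_formats(metadata_xml) if f in SAML2_NAMEID_FORMATS]
    if len(saml2) != 1:
        raise ValueError(f"metadata must declare exactly one SAML 2.0 NameIDFormat, found {saml2}")
    ET.register_namespace("samlp", SAMLP_NS)
    return ET.tostring(ET.Element(f"{{{SAMLP_NS}}}NameIDPolicy", Format=saml2[0]), encoding="unicode")
```

Running `check_nameid_policy` on the Format value from the request quoted in the first post reports both the concatenation and the non-SAML-2.0 legacy URN, while the transient format alone passes.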

@jamil many thanks for the hint! I removed the urn:mace:shibboleth:1.0:nameIdentifier nameid format from the metadata and now I get a SAML response from our IdP.

Now I can’t log in because of this error
protocol Phoenix.HTML.Safe not implemented for %Plug.Conn.CookieOverflowError{message: "cookie named "_fz_http_key" exceeds maximum size of 4096 bytes

I tried increasing the header max size in the docker environment variable

PHOENIX_HTTP_PROTOCOL_OPTIONS={ "max_header_value_length": 8192 }

But the environment variable did not take effect. The max size is still 4096.
Do you maybe know how the PHOENIX_HTTP_PROTOCOL_OPTIONS should be set correctly?

Unfortunately the cookie size is a browser limitation. Do you have extra (particularly large) attributes encoded into your SAML response? You may try removing those if so – we store the response in the session cookie which can cause problems for large attributes.

In 1.0 this is fixed by persisting the response to the DB instead of the session cookie.

@jamil thank you so much for your guidance! I released only the email attribute and the error is gone and I was able to login.