"Federation not found on login" SAML error when NameID not specified in request
Concerned version
Version: 2.16.1
Summary
- Configure a SAML service provider with samlSPMetaDataOptionsNameIDFormat=persistent
- In the SP metadata, the first NameIDFormat listed must be a format other than persistent (transient in this reproduction):
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
- The AuthnRequest must not carry a NameIDPolicy element, so it requests neither a NameID format nor AllowCreate:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_FDF33840F31FD21FE2C411BE524B3E94" Version="2.0"
    IssueInstant="2023-05-03T14:20:25Z"
    Destination="http://auth.idp.com/saml/singleSignOn"
    ForceAuthn="false" IsPassive="false">
<saml:Issuer>XXX</saml:Issuer>
</samlp:AuthnRequest>
Logs
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Lasso error code 601: Federation not found on login
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Unable to validate SSO request message
Possible fixes
When samlSPMetaDataOptionsNameIDFormat is set to persistent, we must assume that the administrator also wants AllowCreate=1. If the AuthnRequest carries no NameIDPolicy, we must create one with Format set to the configured value and AllowCreate set to 1, so that Lasso's federation check does not fail with error 601 when no federation exists yet for the user.
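The following Python model, added here as an illustration and not code from LemonLDAP::NG or Lasso, walks through the decision path described above: the IdP fills in a NameIDPolicy from the SP's configured default when the request has none, and the federation check then accepts or rejects the login. The AuthnRequest and SP metadata fragments are constructed for the example (same shape as the report, no NameIDPolicy, transient listed first), the function names are this example's own, and the rule in validate() is an assumption modelled on Lasso's behaviour as described in the logs (persistent format, no stored federation, AllowCreate not set gives error 601).

```python
"""Model of the IdP-side NameIDPolicy handling behind Lasso error 601.

Added example, not LemonLDAP::NG or Lasso code. The federation rule in
validate() is an assumption modelled on the behaviour reported above.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed AuthnRequest, same shape as in the report: no NameIDPolicy at all.
AUTHN_REQUEST_NO_POLICY = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0"
  IssueInstant="2023-05-03T14:20:25Z" Destination="http://auth.idp.com/saml/singleSignOn"
  ForceAuthn="false" IsPassive="false">
  <saml:Issuer>XXX</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed AuthnRequest that asks for persistent explicitly but omits AllowCreate.
AUTHN_REQUEST_PERSISTENT_NO_ALLOWCREATE = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_2" Version="2.0"
  IssueInstant="2023-05-03T14:20:25Z" Destination="http://auth.idp.com/saml/singleSignOn">
  <saml:Issuer>XXX</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""

# Constructed SP metadata whose first NameIDFormat is transient, as in the report.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="XXX">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def request_name_id_policy(authn_request_xml):
    """Return (Format, AllowCreate) from the request's NameIDPolicy, or (None, False) if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None, False
    allow_create = policy.get("AllowCreate", "false").lower() in ("true", "1")
    return policy.get("Format"), allow_create


def first_metadata_format(metadata_xml):
    """First NameIDFormat advertised by the SP, used when nothing else names a format."""
    root = ET.fromstring(metadata_xml)
    fmt = root.find(".//md:SPSSODescriptor/md:NameIDFormat", NS)
    return fmt.text.strip() if fmt is not None else None


def build_policy(authn_request_xml, sp_default_format, fixed):
    """IdP step: fill in a NameIDPolicy when the request carries none.

    fixed=False mimics the reported behaviour (Format copied from the SP option,
    AllowCreate left unset); fixed=True applies the proposed fix (AllowCreate forced on).
    """
    fmt, allow_create = request_name_id_policy(authn_request_xml)
    if fmt is None and sp_default_format:
        fmt = sp_default_format
        if fixed:
            allow_create = True
    return fmt, allow_create


def validate(fmt, allow_create, metadata_xml, federation_exists):
    """Federation check (assumed rule): a persistent NameID with no stored federation is
    only accepted when AllowCreate is set. Returns 0 on success, 601 for 'Federation not found'."""
    if fmt is None:
        fmt = first_metadata_format(metadata_xml)
    if fmt == PERSISTENT and not federation_exists and not allow_create:
        return 601
    return 0


def login_outcome(authn_request_xml, metadata_xml, sp_default_format, fixed,
                  federation_exists=False):
    """Run the two IdP steps and return the Lasso-style result code."""
    fmt, allow_create = build_policy(authn_request_xml, sp_default_format, fixed)
    return validate(fmt, allow_create, metadata_xml, federation_exists)


if __name__ == "__main__":
    print("reported :", login_outcome(AUTHN_REQUEST_NO_POLICY, SP_METADATA, PERSISTENT, fixed=False))
    print("with fix :", login_outcome(AUTHN_REQUEST_NO_POLICY, SP_METADATA, PERSISTENT, fixed=True))
```

Running the script reproduces the 601 for the reported configuration and 0 once AllowCreate is forced. The second constructed request shows the boundary of the proposed fix: when the SP itself sends a persistent NameIDPolicy without AllowCreate, the IdP should not override it, and the login is still refused until a federation exists.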