Hi,

I have a specific problem where NAM is acting as a SAML identity broker between an external SP and an external IDP.
When a user tries to access the SP, he is redirected first to NAM and then to the external IDP. After successful authentication on the external IDP the user is redirected back to NAM (together with the SAML response), where the user is matched to the local directory. Then NAM redirects the user to the final SP (with a new SAML response).

When that happens the user gets this error:
Code:
AuthenticatingAuthority array contains a value which is not a wellformed absolute uri
Part of the SAML response for the final SP (generated by NAM) is also AuthnContext, which looks like:
Code:
<saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPassword</saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef>--- NAM contract URI ---</saml:AuthnContextDeclRef>
    <saml:AuthenticatingAuthority>--- external IDP entityID ---</saml:AuthenticatingAuthority>
</saml:AuthnContext>
The problem lies with the "external IDP entityID". The external IDP metadata has an entityID which is not an absolute URI (e.g. idporten.difi.no-v3), but the final SP expects AuthenticatingAuthority to be an absolute URI.
It might be that the problem is with the external IDP, because (based on https://docs.oasis-open.org/security...e-2.0-os.pdf):
1.3.2 URI Values
...
Unless otherwise indicated in this specification, all URI reference values used within SAML-defined elements or attributes MUST consist of at least one non-whitespace character, and are REQUIRED to be absolute [RFC 2396].
I'm afraid there's no way we'll get the external IDP to change its entityID URI. And getting the external SP to change its code and stop checking if the parameter is in the correct format is also not very likely...

Question: Does anybody know if it is possible to drop (or reformat) the AuthenticatingAuthority value when NAM constructs the SAML response? Or is there any other way of solving this (without changing the external IDP or SP)?

I know there is a possibility to drop AuthnContextClassRef and AuthnContextDeclRef with "SAML2 AVOID AUTHNCONTEXT CLASS REFERENCE" and "SAML2 AVOID AUTHNCONTEXT DECLARATION REFERENCE".
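A small validator for the AuthnContext values, added here as an example; it is not NAM code and not part of the original post. It applies the section 1.3.2 rule quoted above (at least one non-whitespace character, absolute per RFC 2396, i.e. starting with a URI scheme) to the three URI-valued children of AuthnContext, so an operator running a broker can test the assertion it emits before the downstream SP rejects it. The sample assertion, the Issuer URL and the contract URI are constructed placeholders; the entityID value is the one named in the post.

```python
"""Check URI-valued AuthnContext elements in a SAML 2.0 assertion for
absolute-URI form (SAML core 1.3.2 / RFC 2396). Added example, not NAM code."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# RFC 2396: absoluteURI = scheme ":" ( hier_part | opaque_part )
#           scheme      = alpha *( alpha | digit | "+" | "-" | "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Children of AuthnContext whose content is an anyURI (SAML core 2.7.2.2)
URI_ELEMENTS = ("AuthnContextClassRef", "AuthnContextDeclRef", "AuthenticatingAuthority")


def is_absolute_uri(value: str) -> bool:
    """True if value is non-empty, has no whitespace, and begins with a scheme."""
    if not value or any(ch.isspace() for ch in value):
        return False
    return _SCHEME_RE.match(value) is not None


def check_authn_context(assertion_xml: str) -> list:
    """Return (element name, value, is_absolute) for every URI-valued child
    of every AuthnContext element found in the assertion."""
    root = ET.fromstring(assertion_xml)
    findings = []
    for ctx in root.iter(f"{{{SAML_NS}}}AuthnContext"):
        for name in URI_ELEMENTS:
            for el in ctx.findall(f"saml:{name}", NS):
                # anyURI collapses surrounding whitespace, so strip before checking
                value = (el.text or "").strip()
                findings.append((name, value, is_absolute_uri(value)))
    return findings


def malformed_values(assertion_xml: str) -> list:
    """Only the (element, value) pairs an SP enforcing the spec rule would reject."""
    return [(n, v) for n, v, ok in check_authn_context(assertion_xml) if not ok]


# Constructed sample modelled on the snippet in the post: the brokered assertion
# carries the upstream IDP's entityID, which lacks a URI scheme. Issuer and
# contract URIs are placeholders, not real NAM values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://nam.example.com/idp/metadata</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPassword</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>https://nam.example.com/contracts/level2</saml:AuthnContextDeclRef>
      <saml:AuthenticatingAuthority>idporten.difi.no-v3</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for name, value, ok in check_authn_context(SAMPLE_ASSERTION):
        print(f"{'OK ' if ok else 'BAD'} {name}: {value!r}")
```

Run against the sample, the class reference (scheme `urn`) and the declaration reference (scheme `https`) pass, while `idporten.difi.no-v3` is flagged because it contains no scheme separator at all, which is exactly the value the SP complains about. Pointing the same check at the assertion a broker actually produces (or at the upstream IDP's metadata entityID) tells you before go-live whether any relying party applying the spec rule will reject it.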