IdP initiated SSO

Mike Flynn shibbolethlynda at
Thu Feb 7 16:23:09 EST 2013

Thanks.  That leads me to the next item:

Unable to locate satisfiable bearer SubjectConfirmation in assertion.

Googling that produced a lot of code samples that generate the message but little else...

 From: Brent Putman <putmanb at>
To: users at 
Sent: Thursday, February 7, 2013 1:08 PM
Subject: Re: IdP initiated SSO

On 2/7/13 3:43 PM, Mike Flynn wrote:

>The Idp tried both of these:
><saml:Conditions NotBefore="2013-02-07T19:51:27Z" NotOnOrAfter="2013-02-07T19:57:27Z">
><saml:Conditions NotBefore="2013-02-07T19:46:48Z" NotOnOrAfter="2013-02-07T19:52:48Z">
></AudienceRestrictionCondition>
>And gets this error with either one:
>xmltooling::UnmarshallingException at (Shibboleth.sso/SAML2/POST)
>Invalid child element: AudienceRestriction

It's missing the namespace prefix.  If they're binding the SAML namespace URI to prefix "saml", then those elements would be saml:AudienceRestriction, saml:Audience, etc.

AudienceRestrictionCondition doesn't exist in SAML. It should be similar to the first one you have above.
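
Added example, not part of the original thread and not Shibboleth's own code: a Python check for the two mistakes discussed above, a child of saml:Conditions that is not bound to the SAML assertion namespace and an element name that is not a SAML 2.0 Conditions child. The sample documents and the entity ID in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Children the SAML 2.0 assertion schema allows under <saml:Conditions>.
ALLOWED = {"Condition", "AudienceRestriction", "OneTimeUse", "ProxyRestriction"}

def split_tag(tag):
    """Split ElementTree's '{ns}local' tag form into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def check_conditions(xml_text):
    """Return a list of problems found in the children of a Conditions element."""
    root = ET.fromstring(xml_text)
    if split_tag(root.tag) != (SAML_NS, "Conditions"):
        return ["root is not a SAML 2.0 Conditions element"]
    problems = []
    for child in root:
        ns, local = split_tag(child.tag)
        if ns != SAML_NS:
            # An unprefixed element with no default namespace lands here.
            problems.append(f"{local}: not in the SAML assertion namespace")
        elif local not in ALLOWED:
            problems.append(f"{local}: not a SAML 2.0 Conditions child")
        elif local == "AudienceRestriction":
            for aud in child:
                if split_tag(aud.tag) != (SAML_NS, "Audience"):
                    problems.append(f"{split_tag(aud.tag)[1]}: expected saml:Audience")
    return problems

# Constructed samples; https://sp.example.org/shibboleth is a placeholder entity ID.
WRAP = ('<saml:Conditions xmlns:saml="' + SAML_NS + '" '
        'NotBefore="2013-02-07T19:51:27Z" NotOnOrAfter="2013-02-07T19:57:27Z">'
        '{}</saml:Conditions>')
AUD = "https://sp.example.org/shibboleth"
UNPREFIXED = WRAP.format(
    f"<AudienceRestriction><Audience>{AUD}</Audience></AudienceRestriction>")
WRONG_NAME = WRAP.format("<saml:AudienceRestrictionCondition/>")
GOOD = WRAP.format(
    f"<saml:AudienceRestriction><saml:Audience>{AUD}</saml:Audience>"
    "</saml:AudienceRestriction>")

if __name__ == "__main__":
    for name, doc in [("unprefixed", UNPREFIXED), ("wrong name", WRONG_NAME), ("good", GOOD)]:
        print(name, "->", check_conditions(doc) or "ok")
```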
