Second Office365 Domain requires different "Issuer URI"

Daniel Lutz daniel.lutz at switch.ch
Mon May 22 02:25:22 EDT 2017


Harald Strack wrote on 21.05.17 at 23:47:
> 1) idp/profile/SAML2/POST/SSO - Login on Test SP works, but the audit entry in idp-process.log shows the
> defaultEntityId. On the SP side the dynamic entity ID will be shown as Shib-Identity-Provider header (good)
> 
> 2) idp/profile/SAML2/SOAP/ECP - Test script works, but the audit entry in idp-process.log shows the defaultEntityId. The
> XML output of the ECP testing script contains the dynamic entity ID as Issuer (good)

I ran into this problem, i.e. that the audit entry showed the wrong entity ID. But in the end,
it was no issue in my case. In your case, I guess that the entity ID used for writing the
audit log entry is obtained too early.

In my understanding, the "PostLookupPopulateAuditContext" action in the "saml.abstract" flow
is responsible for obtaining the entity ID written to the audit log. This action is run
before authentication and attribute resolution occur, therefore the required
attribute is not yet available, and the default entity ID is returned.

I'm not sure how this can be fixed.

- Daniel
