Access Denied

[Cantor, Scott]

> Scott when I look at the logs for our old V2 (production instance) it looks as
> though it's looking for a transient Id to encode.

Transient IDs are completely different in V3, they are never attributes and nothing related to them in the resolver is used in any way. The log should say that explicitly in a warning, and if not you should report that.

What you are doing with a deny rule is not the proper way to configure the IdP. That's why I said that, explicitly, already. That's why the upgrade failed and it will continue to fail.

If you don't want a default choice, the Format must be selected explicitly. Always. There is no other way to get it to work. I don't really know how else to say it. There is no supported means of controlling the Format used except what's documented and it was the same in V2 and V3. You were using an unsupported way of getting an accidental result that happened to fit what you wanted it to do.

-- Scott