Cherwell application (on-prem)

Lohr, Donald lohrda at
Fri Apr 26 16:55:36 EDT 2019

Not wanting to share too much specific data, which was why I mentioned 

We are not specifically wanting to Shib the thick client, but the 
portal.  We are not choosing the email address, but Windows Login (not 
using email is a long story in and of itself).  In the SP metadata is:


Attempting to follow two different online Cherwell documents (public), 
we guessed and put the following in our respective IdP files:

<resolver:AttributeDefinition id="sAMAccountName" xsi:type="ad:Simple">
     <resolver:Dependency ref="oud" />
     <resolver:AttributeEncoder xsi:type="enc:SAML2String" 
          name="sAMAccountName" encodeType="false" />
</resolver:AttributeDefinition>

<afp:AttributeFilterPolicy id="cherwellportal">
         <afp:AttributeRule attributeID="sAMAccountName">
                 <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
</afp:AttributeFilterPolicy>

But we get the following error at login:

*SAML Auth failed: An error occured, SAML status codes: 
urn:oassis:names:tc:SAML:2.0:status:InvalidNameIDPolicy *

We are running Cherwell v9.3.5.x and our Shib IdP is v3.3.3. Our Shib 
IdP is backed by a non-AD LDAP directory.

Their online docs do not seem to use Shib 3.x speak in their examples.


On 4/26/19 4:18 PM, Cantor, Scott wrote:
> I did a quick review. It's almost vanilla, I'm sending it a NameID in emailAddress format. It had a key and supports encryption. It didn't use to support SHA-2 signatures, but does now. The non-vanilla bit was that I was never able to get it to accept signed responses alone (it claims to, but it didn't work last I tested), so I had to toggle the metadata for it to trigger assertion signing, and that was about all.
> -- Scott
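For anyone else chasing the same InvalidNameIDPolicy status: the IdP returns it when none of the generators listed in saml-nameid.xml can produce the NameID Format the SP asks for, so the attribute-resolver and filter fragments above are only half of the picture. The script below is an added example, not from this thread or from Cherwell's documentation: it reads the NameIDFormat elements an SP declares in its metadata and compares them with the generators configured in an IdP v3 saml-nameid.xml, then shows a generator sourced from sAMAccountName that closes the gap. The SP metadata and both saml-nameid.xml fragments are constructed for the example; the emailAddress format is an assumption taken from Scott's reply, since the actual Cherwell metadata was not included in the message, and the entityID is made up.

```python
"""Compare the NameID formats an SP's metadata declares with the generators a
Shibboleth IdP v3 saml-nameid.xml can actually produce (added example; the
XML fragments below are constructed, not taken from a real deployment)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"
UTIL = "http://www.springframework.org/schema/util"

EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# The stock generator beans shipped with the IdP are referenced by name in
# saml-nameid.xml and carry no p:format of their own, so map them here.
STOCK_GENERATORS = {
    "shibboleth.SAML2TransientGenerator": TRANSIENT_FMT,
    "shibboleth.SAML2PersistentGenerator": PERSISTENT_FMT,
}

# Constructed SP metadata: the entityID is hypothetical; the emailAddress
# format is assumed from the thread, since the real metadata was not posted.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://portal.example.edu/cherwell">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed saml-nameid.xml as it ships: only the transient generator.
NAMEID_BEFORE = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}" xmlns:p="{P}">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
  </util:list>
</beans>"""

# Constructed fix: an attribute-sourced generator that emits the released
# sAMAccountName attribute in the format the SP asks for.
NAMEID_AFTER = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}" xmlns:p="{P}">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="{EMAIL_FMT}"
          p:attributeSourceIds="#{{ {{'sAMAccountName'}} }}" />
  </util:list>
</beans>"""


def sp_nameid_formats(metadata_xml):
    """Every NameIDFormat the SP declares, in metadata order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD}}}NameIDFormat") if e.text]


def idp_nameid_formats(nameid_xml):
    """Formats the generators in shibboleth.SAML2NameIDGenerators can produce."""
    root = ET.fromstring(nameid_xml)
    formats = set()
    gen_list = root.find(f".//{{{UTIL}}}list[@id='shibboleth.SAML2NameIDGenerators']")
    if gen_list is None:
        return formats
    for child in gen_list:
        if child.tag == f"{{{BEANS}}}ref":
            fmt = STOCK_GENERATORS.get(child.get("bean"))
        elif child.tag == f"{{{BEANS}}}bean":
            fmt = child.get(f"{{{P}}}format")  # ElementTree expands p:format
        else:
            fmt = None
        if fmt:
            formats.add(fmt)
    return formats


def unsatisfiable_formats(metadata_xml, nameid_xml):
    """SP formats no configured generator can satisfy (empty list is good)."""
    supported = idp_nameid_formats(nameid_xml)
    return [f for f in sp_nameid_formats(metadata_xml) if f not in supported]


if __name__ == "__main__":
    print("before:", unsatisfiable_formats(SP_METADATA, NAMEID_BEFORE))
    print("after: ", unsatisfiable_formats(SP_METADATA, NAMEID_AFTER))
```

Two caveats when applying this to a live case: the Format in the SP's AuthnRequest NameIDPolicy takes precedence over the metadata list, so check the request the IdP logs as well; and an attribute-sourced generator only sees attributes the filter has released to that SP, which is what the afp:AttributeFilterPolicy for sAMAccountName above provides.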
