InvalidNameIDPolicy occurs when using multi-factor authentication
Rod Widdowson
rdw at steadingsoftware.com
Mon Feb 4 04:43:28 EST 2019
So. Here is your problem:
1) myLDAP produces three attributes: mail, displayName, givenName
> 2019-02-04 00:34:06,103 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] -
> Data Connector 'myLDAP': Attribute 'mail': Values '[StringAttributeValue{value=XXX at example.com}]'
> 2019-02-04 00:34:06,104 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] -
> Data Connector 'myLDAP': Attribute 'displayName': Values '[StringAttributeValue{value=XXX XXX}]'
> 2019-02-04 00:34:06,105 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] -
> Data Connector 'myLDAP': Attribute 'givenName': Values '[StringAttributeValue{value=XXX}]'
Your configuration needs "ImmutableId". But it isn't there.
> 2019-02-03 15:26:47,470 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] -
> Attribute sources [ImmutableID] did not produce a usable identifier
So why isn't your LDAP resolver providing this value? Only you can tell. Nate and I both believe it's to do with what you are feeding into it, but that is a guess.
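Added illustration (not part of Rod's reply or the original poster's configuration): the log above shows the AttributeSourcedSAML2NameIDGenerator is already configured to look for an IdP attribute with ID ImmutableID, but the myLDAP connector only returns mail, displayName and givenName, so there is nothing for the generator to use. The attribute-resolver.xml fragment below shows the two things that have to exist for it to work: the source attribute must be in the connector's <ReturnAttributes>, and an AttributeDefinition must expose it under the ID ImmutableID. The directory attribute name employeeNumber and the persistent NameID format in the saml-nameid.xml bean are assumptions for the example; the real source attribute is whatever the poster's directory actually stores the value in.

```xml
<!-- attribute-resolver.xml fragment. Added example, not from the thread.
     Property placeholders are the standard ones from ldap.properties. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <!-- The connector only hands back what is listed here. If the source
         attribute is missing from this list, the resolver debug output will
         show exactly the three attributes seen in the log above and nothing
         else. "employeeNumber" is an ASSUMED source attribute for this
         example; substitute the attribute your directory really uses. -->
    <ReturnAttributes>mail displayName givenName employeeNumber</ReturnAttributes>
</DataConnector>

<!-- Expose the directory value under the IdP attribute ID the NameID
     generator is configured to read ("Attribute sources [ImmutableID]"). -->
<AttributeDefinition id="ImmutableID" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="employeeNumber"/>
</AttributeDefinition>

<!-- saml-nameid.xml: the generator that produced the log line above, shown
     here so the ID linkage is visible. The persistent format is an ASSUMPTION
     for this example; use whatever format the SP's NameIDPolicy demands. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    p:attributeSourceIds="#{ {'ImmutableID'} }" />
```

Two checks worth doing before touching anything else: run the resolver for the affected user with bin/aacli.sh (for example: aacli.sh --principal <user> --requester <sp entityID> --saml2) and confirm ImmutableID actually appears in the output; and make sure the attribute-filter.xml policy for that relying party releases ImmutableID, because the attribute-sourced generator only sees attributes that survive filtering for that SP. If the value in the directory is binary (an objectGUID-style value) rather than a string, a Simple definition on its own is not enough and the value needs to be declared binary and encoded, which is outside what this fragment shows.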