InvalidNameIDPolicy occurs when using multi-factor authentication

Rod Widdowson rdw at steadingsoftware.com
Mon Feb 4 04:43:28 EST 2019


So.  Here is your problem:

1) myLDAP produces three attributes mail, displayName, givenName

> 2019-02-04 00:34:06,103 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - 
> Data Connector 'myLDAP': Attribute 'mail': Values '[StringAttributeValue{value=XXX at example.com}]'
> 2019-02-04 00:34:06,104 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - 
> Data Connector 'myLDAP': Attribute 'displayName': Values '[StringAttributeValue{value=XXX XXX}]'
> 2019-02-04 00:34:06,105 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - 
> Data Connector 'myLDAP': Attribute 'givenName': Values '[StringAttributeValue{value=XXX}]'

Your configuration needs "ImmutableId".  But it isn't there.

> 2019-02-03 15:26:47,470 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - 
> Attribute sources [ImmutableID] did not produce a usable identifier

So why isn't your LDAP resolver providing this value?  Only you can tell.  Nate and I both believe it's to do with what you are feeding into it, but that is a guess.
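The diagnosis above boils down to cross-checking two kinds of idp-process.log lines: the resolver's "Data Connector ... Attribute ... Values" DEBUG lines, which list what each connector actually produced, and the NameID generator's "Attribute sources [...] did not produce a usable identifier" line, which names what it was looking for. The following script is an added example (not part of the thread and not Shibboleth project code) that parses constructed sample lines modelled on the quoted output and reports which NameID source attributes no connector produced. The log format is assumed from the quoted lines only; the connector name, attribute names and values are placeholders.

```python
import re

# Constructed sample lines modelled on the idp-process.log output quoted in
# the thread. Values are placeholders; the mailing-list line wrapping has
# been removed so each log record is on one line, as it is in the real file.
SAMPLE_LOG = """\
2019-02-04 00:34:06,103 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - Data Connector 'myLDAP': Attribute 'mail': Values '[StringAttributeValue{value=user@example.com}]'
2019-02-04 00:34:06,104 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - Data Connector 'myLDAP': Attribute 'displayName': Values '[StringAttributeValue{value=Some User}]'
2019-02-04 00:34:06,105 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143] - Data Connector 'myLDAP': Attribute 'givenName': Values '[StringAttributeValue{value=Some}]'
2019-02-03 15:26:47,470 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [ImmutableID] did not produce a usable identifier
"""

# Resolver DEBUG line: which connector produced which attribute with which values.
CONNECTOR_RE = re.compile(
    r"Data Connector '(?P<connector>[^']+)': Attribute '(?P<attr>[^']+)': "
    r"Values '\[(?P<values>.*)\]'$"
)
# NameID generator INFO line: the attribute IDs it tried and found empty.
SOURCES_RE = re.compile(
    r"Attribute sources \[(?P<sources>[^\]]*)\] did not produce a usable identifier"
)
# Individual values inside the '[StringAttributeValue{value=...}]' list.
VALUE_RE = re.compile(r"value=([^}]*)\}")


def parse_connector_attributes(log_text):
    """Map connector name -> {attribute ID: [values]} from resolver DEBUG lines."""
    result = {}
    for line in log_text.splitlines():
        m = CONNECTOR_RE.search(line)
        if not m:
            continue
        values = VALUE_RE.findall(m.group("values"))
        result.setdefault(m.group("connector"), {})[m.group("attr")] = values
    return result


def parse_failed_nameid_sources(log_text):
    """Return the attribute IDs the NameID generator reported as unusable."""
    sources = []
    for line in log_text.splitlines():
        m = SOURCES_RE.search(line)
        if m:
            sources.extend(s.strip() for s in m.group("sources").split(",") if s.strip())
    return sources


def diagnose(log_text):
    """Report NameID source attributes that no data connector produced.

    The comparison is deliberately case-sensitive: attribute IDs are looked up
    by exact string, so 'ImmutableId' and 'ImmutableID' are different keys.
    """
    connectors = parse_connector_attributes(log_text)
    produced = {attr for attrs in connectors.values() for attr in attrs}
    wanted = parse_failed_nameid_sources(log_text)
    missing = [s for s in wanted if s not in produced]
    return {
        "connectors": sorted(connectors),
        "produced": sorted(produced),
        "missing": missing,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("connectors:", report["connectors"])
    print("attributes produced:", report["produced"])
    print("NameID sources never produced:", report["missing"])
```

Run against a real idp-process.log with DEBUG enabled for the resolver, the "missing" list is the set of attribute IDs to go and look for in attribute-resolver.xml and in the connector's LDAP search results; an empty "missing" list with the NameID error still present points instead at the attribute being produced under a different ID or with no values.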




