SAML proxy authentication against something like Azure AD
mgrady at unicon.net
Fri Dec 4 20:47:29 UTC 2020
Why in IdP v4.0.1 are messages like this at the INFO level?
INFO [net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:443] - Profile Action ValidateSAMLAuthentication: No transcoding rule for Attribute 'http://schemas.microsoft.com/identity/claims/tenantid'
Azure AD is going to send back attributes with Microsoft-specific names, and ones that one does not really want to map into being able to accept and release back out. (And that you cannot stop it from sending.) So if you don't care about some attribute in the response, why does the IdP appear to "require one" to do all the config for accepting it --- at least if one doesn't want to have that message logged? (To be fair, the IdP operates fine, its just having that annoying message in the log. I can see that message at the DEBUG level, but not the INFO level. Or have a property/setting that says "consider it ok to have unmapped attributes when the proxied-ti IdP returns a SAML response".
Perhaps there is already an issue logged for this, but I wasn't able to surface such with my searches in Jira.
Michael A. Grady
IAM Architect, Unicon, Inc.
More information about the users