IDP4 and onelogin

Jerry Bailie jebailie at vassar.edu
Tue May 5 11:30:21 EDT 2020


Yes, that is the configuration we're using.

Using samltest.id, we're almost there...

samltest.id (SP) --> our IDP --> OneLogin (authenticate) --> our IDP -->
-X-> samltest.id

The assertion from OL to our IDP works (a couple of attributes passed on),
but the assertion from our IDP to samltest.id fails (note the capital X in
the flow).

This is the message in the idp-process.log:

2020-05-05 11:11:28,694 - xxx.xxx.xxx.xxx - DEBUG
[org.opensaml.saml.saml2.assertion.SAML20AssertionValidator:596] -
Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of
type 'null' in assertion 'A2b767cba81615850cb88c25ba4b76a91bb9c06c9' was
not valid.: None of the audiences within Assertion
'A2b767cba81615850cb88c25ba4b76a91bb9c06c9' matched the list of valid
audiences

My guess is it has something to do with the relying-party.xml file as it is
mentioned in the SAMLAuthConfiguration.  I just don't know what.

- Jerry

On Fri, May 1, 2020 at 1:37 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 5/1/20, 1:28 PM, "users on behalf of Jerry Bailie" <
> users-bounces at shibboleth.net on behalf of jebailie at vassar.edu> wrote:
>
> > We have been made aware the v4 of IDP supports such endeavors natively.
> > Any direction / guidance would be greatly appreciated!
>
> Well, that's the SAML proxying feature.
>
> https://wiki.shibboleth.net/confluence/display/IDP4/SAMLAuthnConfiguration
>
> But I would say the docs are in a state that's targeted more at people
> quite familiar with the IdP already, I don't know how complete they are at
> this point.
>
> -- Scott
>
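
The AudienceRestriction condition named in the log line above can be checked offline against a captured assertion. The following is an added example, not code from this thread or from the Shibboleth IdP; the sample assertion and its entityIDs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer and audience are placeholder entityIDs.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="A_example" Version="2.0" IssueInstant="2020-05-05T15:11:28Z">
  <saml:Issuer>https://upstream-idp.example.org/saml</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://proxy.example.edu/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def audience_restrictions(assertion_xml):
    """Return one list of Audience URIs per AudienceRestriction element."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction"
    return [
        [(a.text or "").strip() for a in ar.findall("saml:Audience", NS)]
        for ar in root.findall(path, NS)
    ]


def check_audience(assertion_xml, valid_audiences):
    """Evaluate the condition the way SAML core defines it.

    Within one AudienceRestriction any Audience may match (OR); every
    AudienceRestriction present must be satisfied (AND). The comparison is
    an exact string match, so a trailing slash or a scheme difference fails.
    Returns (ok, unsatisfied_restrictions).
    """
    valid = set(valid_audiences)
    unsatisfied = [
        r for r in audience_restrictions(assertion_xml)
        if not valid.intersection(r)
    ]
    return (not unsatisfied, unsatisfied)


if __name__ == "__main__":
    # The receiving party's own entityID is the "list of valid audiences".
    print(check_audience(SAMPLE_ASSERTION, ["https://proxy.example.edu/sp"]))
    print(check_audience(SAMPLE_ASSERTION, ["https://proxy.example.edu/sp/"]))
```

This only inspects the Audience values; it does not verify the signature or any other condition on the assertion.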