IDP4 and onelogin

Cantor, Scott cantor.2 at
Tue May 5 11:38:22 EDT 2020

On 5/5/20, 11:30 AM, "users on behalf of Jerry Bailie" <users-bounces at on behalf of jebailie at> wrote:

> The assertion from OL to our IDP works 

If that were true, the log message you posted would be impossible since that's code from the validation of the proxied assertion by the IdP.

Either you fed OneLogin the wrong entityID to act on or it's not including the entityID in an AudienceRestriction condition in the assertion in accordance with the specification. Probably the latter given that OneLogin is commercial SAML, and therefore more or less non-compliant by definition.

-- Scott
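
As an added illustration, not part of the original message and not Shibboleth's code, this sketch tells apart the two causes named above by inspecting a decoded assertion's AudienceRestriction. The function names, the sample XML and the example.org entityIDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED = "https://proxy.example.org/idp/shibboleth"  # placeholder entityID

def build_restriction(*audiences):
    """Constructed sample: one AudienceRestriction naming the given audiences."""
    inner = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return f"<saml:AudienceRestriction>{inner}</saml:AudienceRestriction>"

def build_assertion(conditions_xml):
    """Constructed sample assertion (unsigned, minimal) for the check below."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_a1" Version="2.0" IssueInstant="2020-05-05T15:00:00Z">'
        "<saml:Issuer>https://upstream.example.org/idp</saml:Issuer>"
        f"<saml:Conditions>{conditions_xml}</saml:Conditions>"
        "</saml:Assertion>"
    )

def check_audience(assertion_xml, expected_entity_id):
    """Return (verdict, audiences_seen) for one decoded assertion.

    Diagnostic only: it does not verify signatures or any other condition.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return "missing", []      # issuer sent no AudienceRestriction at all
    groups = [[(a.text or "").strip() for a in r.findall("saml:Audience", NS)]
              for r in restrictions]
    seen = [a for g in groups for a in g]
    # SAML 2.0 Core: Audience values inside one restriction are OR'd,
    # separate AudienceRestriction elements are AND'd. Comparison is exact.
    if all(expected_entity_id in g for g in groups):
        return "ok", seen
    return "mismatch", seen       # restriction present but names another entityID

if __name__ == "__main__":
    samples = {
        "correct audience": build_restriction(EXPECTED),
        "no restriction": "",
        "trailing slash": build_restriction(EXPECTED + "/"),
    }
    for label, cond in samples.items():
        print(label, "->", check_audience(build_assertion(cond), EXPECTED))
```

A "mismatch" verdict points at the wrong entityID having been configured on the issuer side, while "missing" points at the issuer omitting the condition.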
