Fwd: Installing Shibboleth idp3 with hubspot as sp: Getting Saml response status code InvalidNameIDPolicy

Peter Schober peter.schober at univie.ac.at
Fri Jun 4 23:02:03 UTC 2021

* Youssef Ait Laydi <youssef.aitlaydi at gmail.com> [2021-06-04 23:21]:
> <AttributeDefinition id="mail" xsi:type="PrincipalName">
> <AttributeEncoder xsi:type="SAML1String"
> name="urn:mace:dir:attribute-def:mail" />        <AttributeEncoder
> xsi:type="SAML2String" name="urn:oid:"
> friendlyName="mail" />    </AttributeDefinition>

I don't think (and your logs confirm) that this isn't sufficient to
get at the value from your external authentication mechanism.

> And this configuration on *relying-party.xml*

There's not need to override the nameIDFormatPrecedence when the
metadata for the SP already specifies the desired NameIDFormat.
(If in doubt see the Format selection part of the IDP documentation.)

> I don't know how to get attributeSourceIds?

Well, you managed to create your own external authentication method so
I guess you'll just have to continue reading the documentation to
learn about subject canonicalization and then how to pull the desired
info into an attribute in your resolver.

> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:93] - Relay state
> exceeds 80 bytes: {"loginEmail":"test_sso at example.com
> ","loginType":"CONFIRMATION","redirect":"
> https://app.hubspot.com/settings-sso-confirm","rememberLogin":false}

I have no idea what exaclty is the value of your RelayState from the
line above but you can as far as "Relay state exceeds 80 bytes" goes
you can ignore it.


More information about the users mailing list