Canonicalization flow c14n/SAML2ProxyTransform was not applicable: reason unknown
Cantor, Scott
cantor.2 at osu.edu
Mon Jan 3 13:27:04 UTC 2022
On 1/3/22, 1:02 AM, "users on behalf of Tomas Stenlund via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> I have added urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to the
> ProxyNameTransformFormats and added the entityIDs in the
> ProxyNameTransformPredicates.
The error message would imply you didn't. About the only scenario I can think of is for the predicate check for the IdP to be returning false.
> And the SAMLSubjectCanonicalizationFlows looks like this.
Proxying is a post-login use case, handled by the first list of mechanisms in the file, not the second. The other list only applies to very esoteric use cases, primarily attribute queries.
More to the point: NameIDs need to be killed off. Don't use them, and don't proxy based on them. Use attributes.
-- Scott
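For readers following the thread, here is an added illustration (not from the original posts, nor the project's shipped file) of the point about which list the proxy flow belongs in. It sketches the shape of an IdP 4 conf/c14n/subject-c14n.xml: the flow referenced in the subject line, c14n/SAML2ProxyTransform, sits in the post-login list, while the second list is left for the attribute-query style cases Scott mentions. The bean ids (shibboleth.PostLoginSubjectCanonicalizationFlows, shibboleth.SAMLSubjectCanonicalizationFlows, shibboleth.ProxyNameTransformFormats, shibboleth.ProxyNameTransformPredicates, shibboleth.Conditions.RelyingPartyId), the upstream entityID and the parent bean names are assumptions to be checked against the installed file, not something this thread confirms:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's shipped subject-c14n.xml.
     All bean ids below are assumptions; compare with your IdP's file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- First list: post-login canonicalization. Proxying lands here,
         because the subject arrives from the upstream IdP after login. -->
    <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
        <bean id="c14n/SAML2ProxyTransform"
              parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
        <bean id="c14n/attribute"
              parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
        <bean id="c14n/simple"
              parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
    </util:list>

    <!-- Second list: only consulted for SAML-subject-driven cases such as
         attribute queries. Putting the proxy flow here has no effect on
         the proxied login, which is the mistake the thread is about. -->
    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
        <bean id="c14n/SAML2Transient"
              parent="shibboleth.SAMLSubjectCanonicalizationFlow" />
    </util:list>

    <!-- NameID formats the proxy transform will accept from upstream.
         (Per the advice in the reply, prefer attributes over NameIDs.) -->
    <util:list id="shibboleth.ProxyNameTransformFormats">
        <value>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</value>
    </util:list>

    <!-- Predicates gating the transform. If none of these returns true for
         the upstream IdP, the flow reports "not applicable" as in the
         subject line. The entityID below is a placeholder. -->
    <util:list id="shibboleth.ProxyNameTransformPredicates">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
              c:candidate="https://upstream-idp.example.org/idp/shibboleth" />
    </util:list>

</beans>
```

If the flow still reports "not applicable" with the entry in the first list, the remaining place to look is the predicate list: confirm the entityID there is the upstream IdP's and matches exactly what appears in the inbound assertion's Issuer.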