Canonicalization flow c14n/SAML2ProxyTransform was not applicable: reason unknown
Tomas Stenlund
tomas.stenlund at telia.com
Mon Jan 3 15:16:58 UTC 2022
Thanks Scott!
On 2022-01-03 14:27, Cantor, Scott wrote:
> On 1/3/22, 1:02 AM, "users on behalf of Tomas Stenlund via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
>
>> I have added urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to the
>> ProxyNameTransformFormats and added the entityID:s in the
>> ProxyNameTransformPredicate:s.
> The error message would imply you didn't. About the only scenario I can think of is for the predicate check for the IdP to be returning false.
But the other Assert works and have the same nameid-format and if I
remove that one both stops working, so I guess that would not be it. But
probably predicate check, I'll experiment a bit more :-)
>> And the SAMLSubjectCanonicalizationFlows looks like this.
> Proxying is a post-login use case, handled by the first list of mechanisms in the file, not the second. The other list only applies to very esoteric use cases, primarily attribute queries.
>
> More to the point: NameIDs need to be killed off. Don't use them, and don't proxy based on them. Use attributes.
Well, after mailing the question I did a parallel track and use
attributes instead and that one is working perfectly for both IdP:s :-)
>
> -- Scott
>
>
/Tomas
More information about the users
mailing list