Canonicalization flow c14n/SAML2ProxyTransform was not applicable: reason unknown

Tomas Stenlund tomas.stenlund at
Mon Jan 3 15:16:58 UTC 2022

Thanks Scott!

On 2022-01-03 14:27, Cantor, Scott wrote:
> On 1/3/22, 1:02 AM, "users on behalf of Tomas Stenlund via users" <users-bounces at on behalf of users at> wrote:
>>     I have added urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to the
>>     ProxyNameTransformFormats and added the entityID:s in the
>>     ProxyNameTransformPredicate:s.
> The error message would imply you didn't. About the only scenario I can think of is for the predicate check for the IdP to be returning false.
But the other Assert works and have the same nameid-format and if I 
remove that one both stops working, so I guess that would not be it. But 
probably predicate check, I'll experiment a bit more :-)
>> And the SAMLSubjectCanonicalizationFlows looks like this.
> Proxying is a post-login use case, handled by the first list of mechanisms in the file, not the second. The other list only applies to very esoteric use cases, primarily attribute queries.
> More to the point: NameIDs need to be killed off. Don't use them, and don't proxy based on them. Use attributes.

Well, after mailing the question I did a parallel track and use 
attributes instead and that one is working perfectly for both IdP:s :-)

> -- Scott

More information about the users mailing list