Shibboleth 4.2.1. Identity Provider and OneTrust (SP)

Stefano Bridi s.bridi at enginsoft.com
Fri May 13 09:15:37 UTC 2022


Hi all, I'm trying to achieve OneTrust authentication against our
Shibboleth 4 IdP and have come up against three obstacles:

First obstacle: OneTrust (at least on app-de) provides the metadata.xml
and the certificates separately.
I solved this by "forging" a new metadata.xml by hand with all the
certificates inside, and that point seems to be solved: are there better
solutions? I saw in the docs that other IdPs (Okta and Azure, for example)
manage the certificates separately. Is it possible to do the same with the
Shibboleth IdP?

Second obstacle: NameIDFormat only unspecified
(urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). Since in the past
I had the same issue with the metadata provided to me at the time (with
Google as SP), I fixed it in the same way; could this be a source of problems?

    <!-- <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

Third obstacle: I am still not able to log in on OneTrust, but on the IdP
side everything seems correct to me, and in the log (slightly anonymized) I found:

2022-05-13 10:14:05,657 - 10.xx.xx.15 - INFO
[net.shibboleth.idp.authn.impl.FinalizeAuthentication:196] - Profile Action
FinalizeAuthentication: Principal testuser authenticated
2022-05-13 10:14:06,270 - 10.xx.xx.15 - INFO
[net.shibboleth.idp.saml.session.impl.SAML2SPSessionCreationStrategy:127] -
Creating BasicSPSession in the absence of necessary information
2022-05-13 10:14:06,577 - 10.xx.xx.15 - WARN
[org.opensaml.saml.common.binding.SAMLBindingSupport:94] - Relay state
exceeds 80 bytes:
ZW1haWw6cy5icmlkaUBlbmdpbnNvZnQuY29tJm9yaWdpbkhvc3Q6ZW5naW5zb2Z0Lm15Lm9uZXRydXN0LmNvbQ==
2022-05-13 10:14:06,583 - 10.xx.xx.15 - INFO [Shibboleth-Audit.SSO:283] -
10.xx.xx.15|2022-05-13T08:14:04.961449Z|2022-05-13T08:14:06.582963Z|testuser|
https://app-de.onetrust.com/saml2|_e9ff7ae27231a0acbbac2862c4a1ede0|password|2022-05-13T06:49:26.386Z|Email,mail,FirstName,onetrust_member,givenName,LastName,sn|||true|true|AES128-GCM|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||Success||eec56c98030e10e226280c5182d6b2acbf5c17323c7f5693d4dc82e1467bac93|Mozilla/5.0
(X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0

What could be wrong? Any hint on where to look?

I never saw the "Creating BasicSPSession in the absence of necessary
information" message before: what necessary information am I not passing?

Thanks
Stefano
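Added example (not part of Stefano's message, nor code from the Shibboleth or OneTrust projects): the first obstacle above is an SP that delivers its metadata.xml and its certificates as separate files, which the IdP needs merged into one metadata document with `<md:KeyDescriptor>` elements. Editing that by hand is where a wrong prefix, a stray PEM header or a KeyDescriptor in the wrong schema position creeps in, so the script below does the merge with an XML parser instead. It also lists the NameIDFormats the SP advertises, which is the check relevant to the second obstacle. The sample metadata (entityID `https://sp.example.invalid/saml2`) and the PEM body are constructed placeholders, not OneTrust's real values.

```python
"""Merge separately delivered SP certificates into SAML 2.0 SP metadata.

Assumptions (not from the original thread): the SP's metadata.xml has an
SPSSODescriptor without KeyDescriptor elements, and the certificates arrive
as PEM files. The output embeds each certificate as
<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample SP metadata, as an SP might deliver it: no KeyDescriptor,
# NameIDFormat "unspecified" only. The entityID is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed placeholder PEM: the body is NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERTIFICATEBODYNOTREAL0000000000000000000000000000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
"""


def pem_to_der_base64(pem: str) -> str:
    """Strip the PEM armor and line breaks; ds:X509Certificate carries only
    the base64 DER body, not the BEGIN/END lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return "".join(m.group(1).split())


def build_key_descriptor(cert_b64: str, use: Optional[str]) -> ET.Element:
    """Build <md:KeyDescriptor use="..."> wrapping the certificate. A missing
    'use' attribute means the key serves both signing and encryption."""
    kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor")
    if use:
        kd.set("use", use)
    ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    xd = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
    xc = ET.SubElement(xd, f"{{{DS_NS}}}X509Certificate")
    xc.text = cert_b64
    return kd


def merge_certificates(metadata_xml: str, pems: Dict[str, str]) -> str:
    """Return metadata with one KeyDescriptor per PEM inserted at the front of
    SPSSODescriptor (the schema puts KeyDescriptor before NameIDFormat and
    AssertionConsumerService). `pems` maps the key use ("signing",
    "encryption", or "" for both) to PEM text. Certificates already present
    in the metadata are not added twice."""
    root = ET.fromstring(metadata_xml)
    spsso = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if spsso is None:
        raise ValueError("metadata has no SPSSODescriptor")
    existing = {kd.findtext(f".//{{{DS_NS}}}X509Certificate", "")
                for kd in spsso.findall(f"{{{MD_NS}}}KeyDescriptor")}
    insert_at = 0
    for use, pem in pems.items():
        b64 = pem_to_der_base64(pem)
        if b64 in existing:
            continue
        spsso.insert(insert_at, build_key_descriptor(b64, use or None))
        insert_at += 1
    return ET.tostring(root, encoding="unicode")


def list_name_id_formats(metadata_xml: str) -> List[str]:
    """NameIDFormats the SP advertises; tells you whether it really only
    declares 'unspecified' before you change what the IdP releases."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text]


def count_key_descriptors(metadata_xml: str) -> Dict[str, int]:
    """Count KeyDescriptor elements by 'use' ("both" when the attribute is absent)."""
    counts: Dict[str, int] = {}
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "both")
        counts[use] = counts.get(use, 0) + 1
    return counts


if __name__ == "__main__":
    merged = merge_certificates(SAMPLE_METADATA,
                                {"signing": SAMPLE_PEM, "encryption": SAMPLE_PEM})
    print(merged)
    print("NameIDFormats:", list_name_id_formats(merged))
```

Run it against the real files by replacing `SAMPLE_METADATA` and `SAMPLE_PEM` with the contents of the SP's metadata and certificate files; the resulting document is what goes into the IdP's metadata provider. If the SP hands out one certificate for both signing and encryption, pass it under the key `""` so the KeyDescriptor carries no `use` attribute.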