NameID - aacli and SAML tracer differ
Donald Lohr
lohrda at jmu.edu
Fri Oct 7 13:42:48 UTC 2022
To log into their new instance, we use a jmu specific url, which takes
the browser to their default login page. With a sign in button that
prompts for email address, which identifies our instance's SSO config
and redirects the browser to our Shibboleth IdP login page. Login on our
end is successful, and the browser lands on an error page (Your account
is not authorized. Please contact your administrator.).
Is there any where I can see in shib logs, SAML tracer this NameIDPolicy
forcing they are doing?
Because the vendor is really no help at all.
Thanks,
Don
On 10/7/22 9:20 AM, Cantor, Scott wrote:
> CAUTION: This email originated from outside of JMU. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> ________________________________
>
> When those two don't match, the reason is generally that the SP is forcing a Format via NameIDPolicy. That's the only functional difference between the two seqeuences, you don't have a request in the command line case.
>
> -- Scott
>
>
--
D o n a l d L o h r
I n f o r m a t i o n S y s t e m s
J a m e s M a d i s o n U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20221007/103828e8/attachment.htm>
More information about the users
mailing list