NameID - aacli and SAML tracer differ

Donald Lohr lohrda at
Fri Oct 7 13:42:48 UTC 2022

To log into their new instance, we use a JMU-specific URL, which takes 
the browser to their default login page, with a sign-in button that 
prompts for an email address; the email address identifies our instance's SSO config 
and redirects the browser to our Shibboleth IdP login page. Login on our 
end is successful, and the browser lands on an error page ("Your account 
is not authorized. Please contact your administrator.").

Is there anywhere I can see, in the Shib logs or SAML tracer, this NameIDPolicy 
forcing they are doing?

Because the vendor is really no help at all.


On 10/7/22 9:20 AM, Cantor, Scott wrote:
> When those two don't match, the reason is generally that the SP is forcing a Format via NameIDPolicy. That's the only functional difference between the two sequences; you don't have a request in the command line case.
> -- Scott

Donald Lohr
Information Systems
James Madison University
540.568.3730
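One way to see the NameIDPolicy that Scott describes, as an added example that is not from this thread or from Shibboleth itself: SAML tracer shows the redirect URL the SP sends the browser to, and its SAMLRequest parameter is a DEFLATE-compressed, base64-encoded AuthnRequest. The Python below builds such a request from a constructed sample (placeholder entity IDs and URLs, not JMU's or the vendor's), encodes it the way the SAML HTTP-Redirect binding does, then decodes it back and reports the NameIDPolicy Format. A request without a NameIDPolicy element returns None, which is the case aacli is in, since it issues no request at all and the IdP picks the Format itself.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a minimal AuthnRequest of the kind an SP sends via the
# HTTP-Redirect binding. The entity IDs and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0" IssueInstant="2022-10-07T13:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Same constructed request with the NameIDPolicy element left out, so the
# IdP is free to choose the Format (the situation aacli reproduces).
SAMPLE_AUTHN_REQUEST_NO_POLICY = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id-2" Version="2.0" IssueInstant="2022-10-07T13:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str) -> str:
    """Encode an AuthnRequest as the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header, wbits=-15), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_request(saml_request_b64: str) -> str:
    """Reverse the above: base64-decode, then raw-inflate back to XML.
    Takes the URL-decoded parameter value, as SAML tracer displays it."""
    raw = base64.b64decode(saml_request_b64)
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(idp_sso_url: str, xml_text: str) -> str:
    """Construct the redirect URL an SP would send the browser to."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect_request(xml_text)})
    return f"{idp_sso_url}?{query}"


def extract_nameid_policy(xml_text: str):
    """Return (Format, AllowCreate) from the request's NameIDPolicy, or None
    if the SP sent no NameIDPolicy element."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None:
        return None
    return policy.get("Format"), policy.get("AllowCreate")


def nameid_policy_from_redirect_url(url: str):
    """Given the full redirect URL copied from SAML tracer, pull out the
    SAMLRequest parameter and report the NameIDPolicy it carries."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    saml_request = params.get("SAMLRequest", [None])[0]
    if saml_request is None:
        raise ValueError("no SAMLRequest parameter in URL")
    return extract_nameid_policy(decode_redirect_request(saml_request))


if __name__ == "__main__":
    # Placeholder IdP endpoint; the path is the usual Shibboleth Redirect SSO path.
    url = build_redirect_url(
        "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO", SAMPLE_AUTHN_REQUEST
    )
    print(nameid_policy_from_redirect_url(url))
```

To use it against a real trace, paste the redirect URL from SAML tracer into nameid_policy_from_redirect_url; if the Format it reports differs from what aacli produces for the same user, that is the forcing Scott refers to. If the SP uses the HTTP-POST binding instead, the SAMLRequest form field is plain base64 without the DEFLATE step, so call extract_nameid_policy on the base64-decoded XML directly.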