SSO to Asana with Shibboleth IdP resolved more or less

IAM David Bantz dabantz at
Tue Jun 13 00:15:16 UTC 2023

I previously posted on configuring Asana for SAML SSO using Shibb IdP;
Etan E. Weintraub (Johns Hopkins) confirmed it was possible so I plowed
This is followup after getting this (sorta) working.

FYI, in addition to providing no actual metadata, no certificate public key:
Additional issues / anomalies with configuring Asana for SAML SSO:

   1. Initial instructions asked us to configure for an <>
   however on first attempted connection, the request comes from <>
   I changed the entity ID in my cache of SP metadata correspondingly
   2. The SAML request generated requests the users’ browser be sent to an
   ACS end point not previously documented:
   I added that to the cached metadata for this SP
   3. The request indicates the service wants a nameID-format of email
   Added a relying party override to release nameID with that format
   4. Presuming Asana wants users “email address” to be users' canonical
   address = principal name
   I added a saml-nameid override to prefer use of ePPN in constructing the
   5. And, finally, I added an attribute release policy to allow release of
   ePPN to Asana

Those 5 changes enabled the Identity Provider to recognize the service and
prompt for authN
and successful sign-in to our instance of Asana. No certificate so alas no
encryption and probably
no checking signature of our assertion.

David St Pierre Bantz
U Alaska IAM
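
An added example, not part of the original post and not Asana or Shibboleth project code: a small audit of hand-maintained SP metadata like the cached file described above, reporting the entity ID, ACS endpoints and NameID formats it declares and whether the absence of a KeyDescriptor rules out encrypted assertions and verification of signed requests. The entity ID and ACS URL in the sample are constructed placeholders, and the function and field names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: hand-maintained SP metadata with placeholder values
# (assumptions, not Asana's real entity ID or ACS URL) and no KeyDescriptor.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/placeholder-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/placeholder-acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def audit_sp_metadata(xml_text):
    """Report what an IdP can and cannot do with this SP metadata."""
    root = ET.fromstring(xml_text)  # input is a locally maintained file
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute serves both purposes.
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)}
    can_encrypt = bool(uses & {"encryption", None})
    can_verify = bool(uses & {"signing", None})
    acs = [a.get("Location")
           for a in sp.findall("md:AssertionConsumerService", NS)]
    findings = []
    if not can_encrypt:
        findings.append("no encryption key: assertions go out unencrypted")
    if not can_verify:
        findings.append("no signing key: AuthnRequest signatures unverifiable")
    findings += [f"ACS endpoint is not https: {u}" for u in acs
                 if not (u or "").startswith("https://")]
    return {
        "entity_id": root.get("entityID"),
        "acs_locations": acs,
        "nameid_formats": [(f.text or "").strip()
                           for f in sp.findall("md:NameIDFormat", NS)],
        "can_encrypt": can_encrypt,
        "can_verify_requests": can_verify,
        "findings": findings,
    }

if __name__ == "__main__":
    for line in audit_sp_metadata(SAMPLE_METADATA)["findings"]:
        print("WARNING:", line)
```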