SP Initiated SSO – Unable to do sso or federation

This topic has 1 reply, 2 voices, and was last updated 9 months ago by Andrew Potter.

  • #28794
     niadsystems
    Participant

    I am using ForgeRock Access Management as the Identity Provider with an ASP.NET Web Forms application as the Service Provider. I am doing SP-initiated SSO. The SP is set up as a Remote Identity Provider, and the IDP is set up as a Hosted Identity Provider. I have set up identities using the embedded OpenDJ identity store.

    The following error is generated in the Federation log after the SP initiates the SSO, when the IDP is trying to connect to the AssertionConsumerService.

    Any inputs would be appreciated.

    DEBUG: DoManageNameID.removeIDPFedSession trying to remove entity=http://NiadServiceProvider, nameID=MQn1laR0S3KpqCVnB2AiZvklmWy7 from IDP session cache
    o.f.o.s.UtilProxySAMLAuthenticatorLookup: 2022-03-02 17:16:03,024: Thread[http-nio-8080-exec-8]: TransactionId[cee84c25-fa5b-408c-aea6-883ff540f925-548093]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.

    #28795
     Andrew Potter
    Participant

    What NameID format is being requested by the SP?
    Do you have a mapping for that value in the ‘NameID Format List’ in the IDP config?
    See NameID Format List here:
    https://backstage.forgerock.com/docs/am/7.1/saml2-guide/saml2-reference.html#idp-assertion-content
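The two questions in the reply above are the whole diagnosis: what NameID format does the SP's AuthnRequest ask for, and does the IdP have a way to produce a value for it. The script below is an added example (not ForgeRock code and not posted by either participant) that automates that check: it decodes a SAMLRequest as carried by the HTTP-Redirect binding (base64 over raw DEFLATE) or the HTTP-POST binding (base64 only), reads the Format attribute of samlp:NameIDPolicy, and looks it up in a NameID Format List. It assumes the list is written as "format=attribute" entries and that the IdP mints persistent and transient identifiers itself without an attribute mapping; the AuthnRequest it parses is constructed for the example, with only the SP entity ID taken from the posted log.

```python
"""Check whether the NameID format an SP requests has a mapping at the IdP.

Added example for the diagnosis suggested in the reply above; not ForgeRock
code. Decodes an SP-initiated AuthnRequest (HTTP-Redirect or HTTP-POST
binding), reads the requested <samlp:NameIDPolicy Format>, and looks that
format up in a list of "format=attribute" entries, which is how this example
assumes the IdP's NameID Format List is written."""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Assumption: for persistent and transient the IdP generates an opaque
# identifier itself, so no profile attribute has to be mapped for them.
GENERATED_FORMATS = {PERSISTENT, TRANSIENT}

# Constructed sample request, not a real capture. The entity ID is the one in
# the posted log; the request ID and ACS URL are placeholders.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2022-03-02T17:16:02Z" '
    'AssertionConsumerServiceURL="http://NiadServiceProvider/acs">'
    "<saml:Issuer>http://NiadServiceProvider</saml:Issuer>"
    f'<samlp:NameIDPolicy Format="{EMAIL}" AllowCreate="true"/>'
    "</samlp:AuthnRequest>"
)


def encode_redirect(xml: str) -> str:
    """Encode as for the HTTP-Redirect binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def encode_post(xml: str) -> str:
    """Encode as for the HTTP-POST binding: base64 of the plain XML."""
    return base64.b64encode(xml.encode()).decode()


def decode_saml_request(encoded: str) -> bytes:
    """Undo either binding's encoding and return the AuthnRequest XML bytes."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):
        return raw  # POST binding: the payload is already plain XML
    return zlib.decompress(raw, -15)  # Redirect binding: inflate raw DEFLATE


def requested_nameid_format(authn_request_xml: bytes) -> str:
    """Return the Format from <samlp:NameIDPolicy>; a missing element or
    attribute means 'unspecified' (SAML 2.0 Core, section 3.4.1.1).

    ElementTree is fine for a request you captured yourself; parse XML from
    untrusted parties with defusedxml to rule out entity-expansion attacks."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return UNSPECIFIED
    return policy.get("Format", UNSPECIFIED)


def parse_nameid_format_list(entries):
    """Turn 'format=attribute' entries into a dict. An entry with no '=' or
    with nothing after it is recorded as listed but unmapped (None)."""
    mapping = {}
    for entry in entries:
        fmt, sep, attr = entry.partition("=")
        mapping[fmt.strip()] = (attr.strip() or None) if sep else None
    return mapping


def diagnose(encoded_request: str, format_list_entries) -> tuple:
    """Report whether the IdP can produce a NameID for what the SP asked for."""
    fmt = requested_nameid_format(decode_saml_request(encoded_request))
    mapping = parse_nameid_format_list(format_list_entries)
    if fmt in GENERATED_FORMATS:
        return fmt, "ok: IdP generates this NameID value itself"
    if fmt not in mapping:
        return fmt, "missing: format is not in the NameID Format List"
    if mapping[fmt] is None:
        return fmt, "missing: format is listed but mapped to no profile attribute"
    return fmt, f"ok: mapped to profile attribute '{mapping[fmt]}'"


if __name__ == "__main__":
    request = encode_redirect(SAMPLE_AUTHN_REQUEST)
    # A list that would leave an emailAddress request without a value.
    print(diagnose(request, [f"{PERSISTENT}=", f"{TRANSIENT}="]))
    # The same list with emailAddress mapped to the OpenDJ 'mail' attribute.
    print(diagnose(request, [f"{PERSISTENT}=", f"{TRANSIENT}=", f"{EMAIL}=mail"]))
```

To use it against a real request, copy the SAMLRequest parameter from the browser's redirect (URL-decode it first) or from the POST form, pass it to diagnose() together with the entries from the hosted IdP's NameID Format List, and compare the reported format with what the SP expects in the assertion's Subject.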



©2022 ForgeRock