Hello,
I am having trouble getting a new service provider set up. NAM always responds with
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status>
Here is the request sent by the SP:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_d3df52a28f3a7190553fe1ce066e8b078ac19ff4"
Version="2.0"
ProviderName="app SP"
IssueInstant="2023-08-17T15:50:46Z"
Destination="sso.domain.com/.../sso"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="dashboard.app.com/.../"
AttributeConsumingServiceIndex="1">
<saml:Issuer>dashboard.app.com/...</saml:Issuer>
<samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
I have tested with these options:
SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
SAML2 REQUEST IGNORE AUTHNCONTEXT = true
IDP initiated auth works.
Any thoughts would be appreciated.
Thanks,
Jeremiah
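As an added illustration (not code from the original post, from NetIQ Access Manager or from the SP in question), the script below parses an AuthnRequest like the one above and runs it against a small model of an IdP's trust configuration, flagging the fields an IdP typically compares before answering with a top-level Responder / RequestDenied status: Issuer against the registered SP list, Destination against the IdP's SSO endpoint, AssertionConsumerServiceURL and ProtocolBinding against the SP's registered values, NameIDPolicy Format against supported formats, and the RequestedAuthnContext classes against the IdP's allowed list (the two settings from the post are modelled as the `authn_context_classes` and `ignore_authn_context` keys). The hostnames and request ID in the sample are constructed placeholders, and the policy dictionary shape is this example's own assumption, not a NAM API; the authoritative reason for a denial is always the IdP's own log.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample modelled on the request in the post; hosts and ID are placeholders.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0" ProviderName="app SP"
    IssueInstant="2023-08-17T15:50:46Z"
    Destination="https://sso.example.test/nidp/saml2/sso"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://dashboard.example.test/saml/acs"
    AttributeConsumingServiceIndex="1">
  <saml:Issuer>https://dashboard.example.test/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                      AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def parse_authn_request(xml_text):
    """Extract the request fields an IdP inspects before deciding to respond."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    nip = root.find("samlp:NameIDPolicy", NS)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "nameid_format": nip.get("Format") if nip is not None else None,
        # SAML 2.0 core: Comparison defaults to "exact" when absent.
        "comparison": rac.get("Comparison", "exact") if rac is not None else None,
        "context_classes": [
            (c.text or "").strip() for c in rac.findall("saml:AuthnContextClassRef", NS)
        ] if rac is not None else [],
    }


def make_policy(allowed_classes, ignore_authn_context=False):
    """Hypothetical IdP trust configuration matching the constructed sample SP."""
    return {
        "sso_url": "https://sso.example.test/nidp/saml2/sso",
        "nameid_formats": {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"},
        "authn_context_classes": set(allowed_classes),
        "ignore_authn_context": ignore_authn_context,
        "trusted_sps": {
            "https://dashboard.example.test/": {
                "acs_urls": {"https://dashboard.example.test/saml/acs"},
                "bindings": {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"},
            }
        },
    }


def check_request(req, idp):
    """Return the list of reasons this IdP model would deny the request (empty = accept)."""
    findings = []
    sp = idp["trusted_sps"].get(req["issuer"])
    if sp is None:
        findings.append(f"Issuer {req['issuer']!r} is not a registered trusted SP")
    else:
        # The ACS URL must match metadata: this is the check that stops an
        # assertion being posted to an endpoint the SP never registered.
        if req["acs_url"] and req["acs_url"] not in sp["acs_urls"]:
            findings.append(f"AssertionConsumerServiceURL {req['acs_url']!r} not registered")
        if req["binding"] and req["binding"] not in sp["bindings"]:
            findings.append(f"ProtocolBinding {req['binding']!r} not registered")
    if req["destination"] and req["destination"] != idp["sso_url"]:
        findings.append(f"Destination {req['destination']!r} is not this IdP's SSO endpoint")
    if req["nameid_format"] and req["nameid_format"] not in idp["nameid_formats"]:
        findings.append(f"NameID format {req['nameid_format']!r} not supported")
    if req["context_classes"] and not idp["ignore_authn_context"]:
        supported = [c for c in req["context_classes"] if c in idp["authn_context_classes"]]
        # "exact" needs every requested class to be available; other comparison
        # modes are approximated here as "at least one requested class is known".
        if req["comparison"] == "exact" and len(supported) != len(req["context_classes"]):
            findings.append("RequestedAuthnContext (exact) contains classes the IdP cannot satisfy")
        elif req["comparison"] != "exact" and not supported:
            findings.append("RequestedAuthnContext contains no class the IdP can satisfy")
    return findings


if __name__ == "__main__":
    req = parse_authn_request(SAMPLE_REQUEST)
    for label, pol in [("PPT allowed", make_policy([PPT])),
                       ("PPT not allowed", make_policy([])),
                       ("PPT not allowed, ignored", make_policy([], True))]:
        print(label, "->", check_request(req, pol) or "accept")
```

Run against the sample, the request is accepted when PasswordProtectedTransport is in the allowed list or when the AuthnContext check is disabled, and is denied on the AuthnContext check otherwise; tampering with the ACS URL or Destination produces a separate finding, which is the behaviour you want from an IdP regardless of the AuthnContext settings.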