Sorry I did not see your reply. I just recreated the issue and generated a new dump (see messages). Any insight would be greatly appreciated.
-Dustin
I inspected the logs and saw your IdP XML metadata once again and found out the problem, signature check is failing for assertion. And there are 2 work-around for that problem.
- cnMaestro do not support
KeyDescriptor use="encryption", it only supportsKeyDescriptor use="signing"which will be used for validating assertion signature. For now, If you remove the tagKeyDescriptor use="encryption"it will work. We will improve this behavior in upcoming cnMaestro release. - Or you can disable
Validate Response Signaturein SAML configuration from cnMaestro UI.
I do see in the metadata in the IDP it does have both encryption and signing, so I wonder if the code in cnMaestro sees the encryption one and freaks out. Either way, a fix for that will be great. In the meantime, I have disabled the “Validate Response” option and I have successfully logged in via my IDP.
Thank you so much for the help and your time. Happy Holidays.
-Dustin
Not seeing this in the UI, but does the SAML implementation support SLO (logout via IDP)?