Sorry I did not see your reply. I just recreated the issue and generated a new dump (see messages). Any insight would be greatly appreciated.
-Dustin
I inspected the logs and saw your IdP XML metadata once again and found out the problem: signature check is failing for assertion. And there are 2 workarounds for that problem.
KeyDescriptor use="encryption", it only supports KeyDescriptor use="signing" which will be used for validating assertion signature. For now, if you remove the tag KeyDescriptor use="encryption" it will work. We will improve this behavior in upcoming cnMaestro release.
Validate Response Signature in SAML configuration from cnMaestro UI.
I do see in the metadata in the IDP it does have both encryption and signing, so I wonder if the code in cnMaestro sees the encryption one and freaks out. Either way, a fix for that will be great. In the meantime, I have disabled the “Validate Response” option and I have successfully logged in via my IDP.
Thank you so much for the help and your time. Happy Holidays.
-Dustin
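The metadata situation discussed in this thread (an IdP descriptor carrying both `use="encryption"` and `use="signing"` keys), as an added example that is not part of the original posts and is not cnMaestro's code: a service provider selecting verification certificates by the `use` attribute, next to an order-dependent pick that ignores it. The sample metadata, entity ID, placeholder certificates and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata; placeholder strings stand in for base64 certificates.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def certs_by_use(metadata_xml, wanted):
    """Return certificates whose KeyDescriptor applies to `wanted`
    ("signing" or "encryption"). A KeyDescriptor without a `use`
    attribute applies to both purposes per the SAML metadata schema."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is not None and use != wanted:
            continue  # key is declared for the other purpose only
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            out.append("".join((cert.text or "").split()))
    return out

def first_cert_ignoring_use(metadata_xml):
    """Order-dependent selection: first KeyDescriptor wins, `use` is ignored."""
    root = ET.fromstring(metadata_xml)
    kd = root.find(".//md:KeyDescriptor", NS)
    cert = kd.find(".//ds:X509Certificate", NS) if kd is not None else None
    return "".join((cert.text or "").split()) if cert is not None else None

if __name__ == "__main__":
    print("verify assertions with:", certs_by_use(SAMPLE_METADATA, "signing"))
    print("order-dependent pick:  ", first_cert_ignoring_use(SAMPLE_METADATA))
```

With the sample above, the `use`-aware selection returns only the signing certificate, while the order-dependent pick returns the encryption certificate, which would make every assertion signature check fail.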
Not seeing this in the UI, but does the SAML implementation support SLO (logout via IDP)?