This seems to be a popular error of late. I have tracing enabled, so I can send along that log in its entirety if it’ll be helpful. It looks like the value of the metadata entityID matches the saml.config name property, which matches the value of Issuer in the response, so … I’m stumped. I’ve used this same code in a half-dozen or more SAML integrations without issue, but I’m really stuck this time around.
IdP metadata (anonymized)
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://login-test.cc.example.org/idp/shibboleth">
<shibmd:Scope regexp="false">example.org</shibmd:Scope>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login-test.cc.example.org/idp/profile/SAML2/Redirect/SSO"/>
My saml.config file - I’ve verified that this is the file being read (based on messages in the trace file):
The response from the IdP looks like this (in part; I’ve trimmed the signatures and most of the assertion out):
<saml2p:Response ID="_f4fa858382d868a92357cd2894bd194f" InResponseTo="_3a733731-7104-4b94-9c99-3992a41bd45f" IssueInstant="2019-02-01T19:12:24.427Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_cbf3eb4e952aeed9a509fda1a6af1bd1"
    IssueInstant="2019-02-01T19:12:24.427Z"
    Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>
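The post describes comparing three values by eye: the entityID in the IdP metadata, the partner name in saml.config, and the Issuer in the response. Because the SP's issuer check is an exact string comparison, a difference that is invisible when reading (a trailing space, a trailing slash, letter case, http versus https) is enough to fail it. The script below is an added example, not code from the post or from the SAML library it uses: it parses the metadata and response, pulls out every issuer-like value, and reports the specific kind of difference. The XML is constructed from the anonymized values above, the configured partner name is an assumption standing in for the saml.config Name property, and the trailing space on the assertion Issuer is a deliberately planted defect so the check has something to report.

```python
"""Cross-check the SAML issuer value everywhere it must agree (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample metadata, modelled on the anonymized values in the post.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://login-test.cc.example.org/idp/shibboleth">
  <shibmd:Scope regexp="false">example.org</shibmd:Scope>
</EntityDescriptor>"""

# Constructed sample response. The trailing space inside the Assertion's Issuer
# is planted on purpose so the checker has a defect to report.
SAML_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_f4fa858382d868a92357cd2894bd194f" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_cbf3eb4e952aeed9a509fda1a6af1bd1" Version="2.0">
    <saml2:Issuer>https://login-test.cc.example.org/idp/shibboleth </saml2:Issuer>
  </saml2:Assertion>
</saml2p:Response>"""

# Assumed value of the saml.config Name property for the partner IdP.
CONFIGURED_PARTNER_NAME = "https://login-test.cc.example.org/idp/shibboleth"


def metadata_entity_id(xml_text):
    """Return the entityID attribute of the metadata's root EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor at the root, got {root.tag}")
    return root.get("entityID")


def response_issuers(xml_text):
    """Return (response Issuer, [Issuer of each Assertion]); missing elements give None."""
    root = ET.fromstring(xml_text)
    issuer_tag = f"{{{SAML_NS}}}Issuer"
    response_issuer = root.findtext(issuer_tag)  # direct child of the Response only
    assertion_issuers = [a.findtext(issuer_tag) for a in root.iter(f"{{{SAML_NS}}}Assertion")]
    return response_issuer, assertion_issuers


def explain_mismatch(expected, actual):
    """List the reasons `actual` is not byte-for-byte equal to `expected` ([] means exact match).

    Each normalisation is applied cumulatively so combined differences
    (e.g. trailing slash plus letter case) are all reported.
    """
    if actual is None:
        return ["value is missing"]
    if expected == actual:
        return []
    reasons = []
    e, a = expected, actual
    if e.strip() != e or a.strip() != a:
        reasons.append("leading/trailing whitespace")
        e, a = e.strip(), a.strip()
    e_scheme, _, e_rest = e.partition("://")
    a_scheme, _, a_rest = a.partition("://")
    if "://" in e and "://" in a:
        if e_scheme.lower() != a_scheme.lower():
            reasons.append("URL scheme")
        e, a = e_rest, a_rest  # compare the remainder without the scheme
    if e.endswith("/") != a.endswith("/"):
        reasons.append("trailing slash")
        e, a = e.rstrip("/"), a.rstrip("/")
    if e != a and e.lower() == a.lower():
        reasons.append("letter case")
        e, a = e.lower(), a.lower()
    if e != a:
        reasons.append("values differ beyond the normalisations tried")
    return reasons


def check_issuers(metadata_xml, response_xml, configured_name):
    """Map each location whose issuer differs from the metadata entityID to its reasons.

    An empty dict means every value agrees exactly, so the issuer check should pass.
    """
    entity_id = metadata_entity_id(metadata_xml)
    response_issuer, assertion_issuers = response_issuers(response_xml)
    candidates = [("saml.config Name", configured_name), ("Response/Issuer", response_issuer)]
    candidates += [(f"Assertion[{i}]/Issuer", v) for i, v in enumerate(assertion_issuers)]
    findings = {}
    for where, value in candidates:
        reasons = explain_mismatch(entity_id, value)
        if reasons:
            findings[where] = reasons
    return findings


if __name__ == "__main__":
    findings = check_issuers(IDP_METADATA, SAML_RESPONSE, CONFIGURED_PARTNER_NAME)
    for where, reasons in findings.items():
        print(f"{where}: {', '.join(reasons)}")
    if not findings:
        print("all issuer values agree exactly")
```

Point `check_issuers` at the real metadata file, the decoded response from the trace log, and the Name value read from saml.config to get a definite answer instead of an eyeball comparison; the trace log is the right source for the response, since the value the library compared is the one it logged, not the one copied into a post.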