SAML IDP-initiated : Federation not found on login
I recently set up a lemonldap-ng as a SAML 2.0 IDP. Currently, making tests for production needs, I'm trying to set up an IDP-initiated workflow with a Cloud service. A user logs in on the cloud login page with his email address, then he is redirected to my lemonldap IDP with something like:
https://mylemonldap.com/saml/singleSignOn?IDPInitiated=1&sp=https://cloud-apps.com/sps/sp/saml/v2_0
Then, he logs in and gets in return the following error message:
"Une erreur est survenue lors de l'authentification SAML"
In the server logs (debug activated), I can see that my user is correctly authenticated (found in LDAP), gets a session ID, and that my IDP recognizes the remote SP and that the signature is valid. But my user is not redirected to the cloud service.
Here is an extract of the logs:
{code}
[Tue Oct 25 14:13:45.392018 2016] [perl:notice] [pid 13741:tid 140299804276480] Lemonldap::NG : Good authentication for myuser@mydomain.com by LDAP (X.X.X.X)
[Tue Oct 25 14:13:45.393404 2016] [perl:notice] [pid 13741:tid 140299804276480] Lemonldap::NG : Session granted for myuser@mydomain.com (X.X.X.X)
[Tue Oct 25 14:13:45.412622 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Try to get session 3b8e9c9173772c0fd68f5b2d01fc097b7798b80a9cad9cfc83367c4190c54f3b
[Tue Oct 25 14:13:45.415120 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Return session 3b8e9c9173772c0fd68f5b2d01fc097b7798b80a9cad9cfc83367c4190c54f3b
[Tue Oct 25 14:13:45.418525 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: URL /saml/singleSignOn detected as an SSO request URL
[Tue Oct 25 14:13:45.418782 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-POST
[Tue Oct 25 14:13:45.418925 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Store Mw==\n in hidden key lmhidden_Method
[Tue Oct 25 14:13:45.419458 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Found entityID https://cloud-apps.com/sps/sp/saml/v2_0 in SAML message
[Tue Oct 25 14:13:45.419566 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: https://cloud-apps.com/sps/sp/saml/v2_0 match SP-LDC-IBM-VERSE SP in configuration
[Tue Oct 25 14:13:45.419927 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Signature is valid
[Tue Oct 25 14:13:45.420099 2016] [perl:debug] [pid 13741:tid 140299804276480] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code 601: Federation not found on login
[Tue Oct 25 15:06:55.911617 2016] [perl:error] [pid 16790:tid 139758789400320] Unable to validate SSO request message
{code}
Making a quick test with another test SP (simplesamlphp), everything works fine. The setups are the same except for the metadata files, in which we noticed these differences:
PROD (cloud) metadata (auth fails)
{code:xml}
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
{code}
In the simplesaml metadata file (auth succeeds)
{code:xml}
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
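{code}

As an added diagnostic (example code, not part of this post and not LemonLDAP::NG's or Lasso's own code), a Python script that parses the NameIDFormat entries of both SP metadata fragments above and flags when the first advertised format is one the IdP has to mint itself (persistent or transient) rather than derive from a user attribute such as an email address. The surrounding EntityDescriptor and its entityID are constructed placeholders, and the "first listed format wins when no AuthnRequest NameIDPolicy is present" rule is an assumption about the IdP-initiated flow, not something the post states.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SP_DESC = f"{{{MD_NS}}}SPSSODescriptor"
NAMEID_FMT = f"{{{MD_NS}}}NameIDFormat"

# Formats whose value is an opaque identifier minted by the IdP: persistent needs a
# stored federation (user <-> SP link), transient is generated per session. Other
# formats (emailAddress, unspecified) are normally filled from a user attribute.
IDP_GENERATED = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

def nameid_formats(metadata_xml: str) -> list:
    """Return the SP's advertised NameIDFormat URIs in document order."""
    root = ET.fromstring(metadata_xml)
    descs = [root] if root.tag == SP_DESC else root.findall(f".//{SP_DESC}")
    return [e.text.strip() for d in descs for e in d.findall(NAMEID_FMT) if e.text]

def needs_federation(metadata_xml: str) -> bool:
    """True when the first advertised format must be generated by the IdP.

    Assumption (not stated in the post): in an IdP-initiated flow there is no
    NameIDPolicy from an AuthnRequest, so the IdP falls back to the SP's first
    listed format.
    """
    fmts = nameid_formats(metadata_xml)
    return bool(fmts) and fmts[0] in IDP_GENERATED

def wrap(nameid_lines: str) -> str:
    """Constructed minimal SP metadata (placeholder entityID) around NameIDFormat lines."""
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example/placeholder">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{nameid_lines}</md:SPSSODescriptor></md:EntityDescriptor>")

# The NameIDFormat lines below are the ones quoted in the post.
CLOUD_SP = wrap(
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>"
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>"
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>")
SIMPLESAML_SP = wrap(
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>")

def report(name: str, metadata_xml: str) -> str:
    """One-line summary of which NameID the IdP would have to produce for this SP."""
    fmts = nameid_formats(metadata_xml)
    flag = "needs an IdP-generated NameID" if needs_federation(metadata_xml) else "attribute-based NameID"
    return f"{name}: first format {fmts[0].rsplit(':', 1)[1]} -> {flag}"

if __name__ == "__main__":
    print(report("cloud SP", CLOUD_SP))  # cloud SP: first format persistent -> needs an IdP-generated NameID
    print(report("simplesamlphp SP", SIMPLESAML_SP))
```

When the flagged SP has no stored federation for the user, comparing this output against the NameID format the IdP is configured to issue for that SP is the first thing to check.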