...

NOTE: This service requires signed responses and will reject assertions where only the assertion itself is signed. This helps mitigate signature wrapping attacks and complies with the "SAML V2.0 Implementation Profile for Federation Interoperability" standard published here (specification IIP-SP13).
* Some form of name must be sent. The displayName attribute will be used if it is sent. Otherwise, givenName and sn must be sent and will be concatenated to form the 'Name'.

Is your organization in the InCommon federation?

You can look up your home organization here to see what its current status is. The presence of the 'Federation' tag will indicate that you have an IdP in the federation, which this integration needs in order to work.
You can learn more about joining the InCommon Federation here.

...

There is a wiki page that provides detailed information and instructions on how to configure your IdP to release the R&S attributes to all R&S Service Providers.

Understanding WAYF

We use a 'Where-are-you-from' service that includes multiple federations. To understand more about this, please read the Challenges in Federated WAYF Services white paper.

Troubleshooting

  • If you are receiving the error "opensaml::FatalProfileException", it is commonly caused by one of a few issues.
    • It can be caused by the IdP not signing the SAML responses. Please refer to the "NOTE" segment in the Identity Services SP Service Details section above. Other causes for this error are unverifiable signatures and invalidly formatted assertions.
    • It can be caused by the 'SubjectConfirmationData Address' in the '<saml:Subject>' being set to a value that is not an IP address.
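
A structural pre-flight check for the signing requirement in the NOTE and the two causes listed above, as an added example (not this service's or OpenSAML's code). It does not verify signatures; the function names `preflight` and `sample` and the sample messages are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def preflight(response_xml):
    """Return structural problems in a decoded SAML Response (no crypto is verified)."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    # Only a ds:Signature that is a direct child of Response signs the response;
    # a signature nested inside saml:Assertion does not count.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("response is not signed")
    else:
        # SAML signatures carry a same-document reference to the signed element's ID.
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or not root.get("ID") or ref.get("URI") != "#" + root.get("ID"):
            problems.append("response signature does not reference the Response ID")
    path = ".//saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    for scd in root.iterfind(path, NS):
        address = scd.get("Address")
        if address is None:
            continue  # the attribute is optional
        try:
            ipaddress.ip_address(address)
        except ValueError:
            problems.append("SubjectConfirmationData Address is not an IP address: " + address)
    return problems

def sample(sign_response, address):
    """Constructed message for the demo; signature elements are empty shells."""
    def sig(ref_id):
        return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
                '</ds:SignedInfo></ds:Signature>' % (NS["ds"], ref_id))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s'
            '<saml:Assertion ID="_a1">%s<saml:Subject><saml:SubjectConfirmation>'
            '<saml:SubjectConfirmationData Address="%s"/></saml:SubjectConfirmation>'
            '</saml:Subject></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sig("_r1") if sign_response else "",
               sig("_a1"), address))

if __name__ == "__main__":
    print(preflight(sample(True, "192.0.2.10")))        # response signed, IP address
    print(preflight(sample(False, "idp.example.edu")))  # assertion-only signature, hostname
```

A clean result only means the message has the expected shape; the service still has to verify the signature against the IdP's published key.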