...
NOTE: This service requires signed assertions and responses and will reject assertions where only the assertion itself is signed. This is to help mitigate against signature wrapping attacks and is in compliance with the "SAML V2.0 Implementation Profile for Federation Interoperability" standard published here (specification IIP-SP13).
* Some form of name must be sent. The displayName attribute will be used if it is sent. Otherwise, givenName and sn must be sent and will be concatenated to form the 'Name'.
...
- If you are receiving an error, "opensaml::FatalProfileException", this is regularly caused by the IdP not signing the SAML assertions or responses. Please refer to the "NOTE" segment in the Identity Services SP Service Details section above. Other causes for this error are unverifiable signatures and invalidly formatted assertions.