By: Andy Scherer user 17 Mar 2021 at 3:03 p.m. CDT

4 Responses
## Expected behavior

The idea is to use our Gluu Server as IdP Provider for Office365 (AzureAD) with Federated Authentication.

Workflow:

1. User goes to https://portal.office.com (or other webpage from Microsoft 365)
2. Inserts his username (e.g. user@gluu.idp)
3. Microsoft forwards the user to the Gluu SAML Login page
4. User logs in with his Gluu Account
5. User is logged in in Office365 with SAML

I followed the current configuration guide: https://gluu.org/docs/gluu-server/4.2/integration/saas/office/

## Actual behavior

The Federated Authentication works as expected. The user can insert his username and will be forwarded to the Gluu SAML Login page. The user is successfully authenticated in Gluu, but the SAML login in Office365 is not working.

## Minimized example

The example is included in the Expected behavior section.

## Configuration and Logfiles

The configuration files are the same as in the guide (I copied and pasted them).

In the logfiles I get the following errors:

*/opt/shibboleth-idp/logs/idp-process.log*

```
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:400)
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
2021-03-15 23:27:16,412 - - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:259] - Service 'shibboleth.AttributeResolverService': Reloading service configuration
2021-03-15 23:27:16,420 - - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:232] - Service 'shibboleth.AttributeResolverService': Reload for shibboleth.AttributeResolverService failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:400)
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
2021-03-15 23:42:16,412 - - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:259] - Service 'shibboleth.AttributeResolverService': Reloading service configuration
2021-03-15 23:42:16,421 - - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:232] - Service 'shibboleth.AttributeResolverService': Reload for shibboleth.AttributeResolverService failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:400)
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
2021-03-15 23:57:16,412 - - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:259] - Service 'shibboleth.AttributeResolverService': Reloading service configuration
2021-03-15 23:57:16,440 - - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:232] - Service 'shibboleth.AttributeResolverService': Reload for shibboleth.AttributeResolverService failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
    at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 57; cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected.
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:400) Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'AttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector}' is expected. at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204) ``` If I try a login I get the following output in the log: */opt/shibboleth-idp/logs/idp-process.log* ``` 2021-03-15 22:25:01,718 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder:88] - Decoded SAML relay state of: estsredirect=2&estsrequest=rQIIAYWSS4sjdRTF8-hO9zSorYgOLqQXCiJUpd6PhoGpTlWnk9S_apJUpVJZTKjU-52uR1KpTzCrYZzlbASX40JxJYLo1l7ILMWlIIJuZDaKuDDtF5jN4Z5z7-Jc-J0cUTADIzDycRuF0fMPCJwgDXrFQqxB4RDBoghkEBgF4SRO4RiCWiSCZ2-dnP7j_bR577cfuE8fflf--OXnHz5vvu8VxTo_73a32y2cOo5v2rCZxt3ISCw_cb9uNl80m89ah3YCqdPnrZzCaRIlCJxhUQplEZZh4IUiIFKtEnrgFiBWK7mHIECRIlEJK1kxC0kxKxBEMdAGla4BVIonPsAmvh7sd_UYA_t7WZuEouLF_2e8uQW8u5P4kJT7AP-59YbMlYWH3Uqa-bX9snXHSbN4uU7z4ln7j5YZDsT-pcqW_pxWVVsr0nwkXIVrrLpAdw4gsLXYA4sr10LztUyVc3xSR_gOZLKYVlqq8IsHTpWUOL0EpJTtGIAVV4jC1RpmeDtF1OLJnJ3EDsGqc1vYFgLnqR7iBqRj4MmIt6ISqbUYbCiHGtuio9OGgI9HIFgavrYiLhJylpvaKLscp9WMpS3dG_IzS69pM860WYTM0VXORHkGcUJCgRXKGHu7yLZ9nNCLcVX2IGPfcrQcQQrEiJfXYZKzSpyUG3ZI9DXLXE7n_ZyeDPjUJSopjAOG48dOGeFAZNdDLkQxcT24xja7B2N1nk2v_cKYzAXKownncr7Q02KgadPQ75EluUyT3ZRzVXkgz0R5xiW1reObwHIzVh2E2P4T5Kt2Z49HnCY37dfTtZ341tk6Sx0_sn9pv7tnJjc9-35h5wV8O2V2Bsf2i4Pm7wfvHHdOj-82zhofvY20z4-PT04bt-7vg-Znh3syo7PHn_z169P73x598e_wKWjcHHbVYdwVerUeYJ5arwbjxfTCwPBumTtoQK1c0i29XU9IZtN-eI89R590mk86nZvOmwN-KQnKVOEknpvw2BL5s9N8dNT45s4rWP_-tcZ_0 2021-03-15 22:25:01,719 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder:117] - Getting Base64 encoded message from request 2021-03-15 22:25:01,720 
- 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder:96] - Decoded SAML message 2021-03-15 22:25:01,720 - 172.16.20.30 - DEBUG [PROTOCOL_MESSAGE:124] - <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_30073957-01d2-4081-990d-c0a6745f7793" IssueInstant="2021-03-15T22:24:59.253Z" Version="2.0"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> </samlp:AuthnRequest> 2021-03-15 22:25:01,722 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context 2021-03-15 22:25:01,722 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,723 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context 2021-03-15 22:25:01,723 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,723 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context 
2021-03-15 22:25:01,724 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,725 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context 2021-03-15 22:25:01,725 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,725 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:178] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=urn:federation:MicrosoftOnline] 2021-03-15 22:25:01,725 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:610] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Attempting to filter candidate EntityDescriptors via resolved Predicates 2021-03-15 22:25:01,726 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:632] - Metadata Resolver FilesystemMetadataResolver SiteSP1: After predicate filtering 1 EntityDescriptors remain 2021-03-15 22:25:01,726 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:267] - Resolved 1 source EntityDescriptors 2021-03-15 22:25:01,726 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:277] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering 
2021-03-15 22:25:01,726 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:378] - Attempting to filter candidate RoleDescriptors via resolved Predicates 2021-03-15 22:25:01,726 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:400] - After predicate filtering 1 RoleDescriptors remain 2021-03-15 22:25:01,726 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:183] - Message Handler: org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext 2021-03-15 22:25:01,727 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context 2021-03-15 22:25:01,727 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,727 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:154] - Message Handler: Selecting default AttributeConsumingService, if any 2021-03-15 22:25:01,727 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:186] - Resolving AttributeConsumingService candidates from SPSSODescriptor 2021-03-15 22:25:01,727 - 172.16.20.30 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:141] - AttributeConsumingService candidate list was empty, can not select service 2021-03-15 22:25:01,727 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:163] - Message 
Handler: No AttributeConsumingService selected 2021-03-15 22:25:01,728 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:131] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer urn:federation:MicrosoftOnline 2021-03-15 22:25:01,728 - 172.16.20.30 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:249] - Resolving relying party configuration 2021-03-15 22:25:01,728 - 172.16.20.30 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:261] - Checking if relying party configuration EntityNames[urn:federation:MicrosoftOnline,] is applicable 2021-03-15 22:25:01,729 - 172.16.20.30 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:263] - Relying party configuration EntityNames[urn:federation:MicrosoftOnline,] is applicable 2021-03-15 22:25:01,729 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration EntityNames[urn:federation:MicrosoftOnline,] for request 2021-03-15 22:25:01,732 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:116] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/security-policy/saml2-sso into interceptor context 2021-03-15 22:25:01,733 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do 2021-03-15 22:25:01,734 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/security-policy/saml2-sso for applicability... 
2021-03-15 22:25:01,734 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/security-policy/saml2-sso 2021-03-15 22:25:01,736 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler' on INBOUND message context 2021-03-15 22:25:01,736 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,736 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:156] - Message Handler: Checking SAML message intended destination endpoint against receiver endpoint 2021-03-15 22:25:01,736 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:175] - Message Handler: SAML message intended destination endpoint was empty, not required by binding, skipping 2021-03-15 22:25:01,738 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler' on INBOUND message context 2021-03-15 22:25:01,738 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,738 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler:154] - 
Message Handler: Evaluating message replay for message ID '_30073957-01d2-4081-990d-c0a6745f7793', issue instant '2021-03-15T22:24:59.253Z', entityID 'urn:federation:MicrosoftOnline' 2021-03-15 22:25:01,739 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler' on INBOUND message context 2021-03-15 22:25:01,739 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,740 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler' on INBOUND message context 2021-03-15 22:25:01,740 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,741 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:82] - SPSSODescriptor for entity ID 'urn:federation:MicrosoftOnline' does not require AuthnRequests to be signed 2021-03-15 22:25:01,742 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler' on INBOUND message context 2021-03-15 22:25:01,742 - 172.16.20.30 - DEBUG 
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,742 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:103] - Message Handler: SAML protocol message was not signed, skipping XML signature processing 2021-03-15 22:25:01,743 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler' on INBOUND message context 2021-03-15 22:25:01,743 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,743 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler: Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler 2021-03-15 22:25:01,743 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:152] - Message Handler: Handler can not handle this request, skipping 2021-03-15 22:25:01,748 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler' on INBOUND message context 2021-03-15 22:25:01,749 - 172.16.20.30 - DEBUG 
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,749 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler: Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler 2021-03-15 22:25:01,749 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:158] - Message Handler: HTTP request was not signed via simple signature mechanism, skipping 2021-03-15 22:25:01,750 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.CheckMandatoryIssuer' on INBOUND message context 2021-03-15 22:25:01,750 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,751 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.WriteProfileInterceptorResultToStorage:69] - Profile Action WriteProfileInterceptorResultToStorage: No results available from interceptor context, nothing to store 2021-03-15 22:25:01,751 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65] - Profile Action SelectProfileInterceptorFlow: Moving completed flow intercept/security-policy/saml2-sso to completed set, selecting next one 2021-03-15 22:25:01,752 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] - Profile Action 
SelectProfileInterceptorFlow: No flows available to choose from 2021-03-15 22:25:01,752 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:153] - Profile Action InitializeOutboundMessageContext: Initialized outbound message context 2021-03-15 22:25:01,754 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:385] - Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService for outbound message 2021-03-15 22:25:01,754 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:518] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest 2021-03-15 22:25:01,754 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:218] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 3 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService 2021-03-15 22:25:01,755 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:428] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location https://login.microsoftonline.com/login.srf using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 2021-03-15 22:25:01,755 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:382] - No AttributeConsumingService was resolved, won't be able to determine delegation requested status via metadata 2021-03-15 22:25:01,756 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:515] - No AttributeConsumingService was available 2021-03-15 22:25:01,756 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:500] - 
Delegation request was not explicitly indicated, using default value: NOT_REQUESTED 2021-03-15 22:25:01,756 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:289] - Issuance of a delegated Assertion is not in effect, skipping further processing 2021-03-15 22:25:01,757 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:213] - Profile Action PopulateSignatureSigningParameters: Signing not enabled 2021-03-15 22:25:01,759 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:210] - Profile Action PopulateSignatureSigningParameters: Signing enabled 2021-03-15 22:25:01,760 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:192] - Message Handler: Signing enabled 2021-03-15 22:25:01,760 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:204] - Message Handler: Resolving SignatureSigningParameters for request 2021-03-15 22:25:01,760 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:234] - Message Handler: Adding metadata to resolution criteria for signing/digest algorithms 2021-03-15 22:25:01,761 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:245] - Message Handler: Resolved SignatureSigningParameters 2021-03-15 22:25:01,762 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:286] - Profile Action PopulateEncryptionParameters: No encryption requested, nothing to do 2021-03-15 22:25:01,764 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:143] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing 2021-03-15 22:25:01,765 - 172.16.20.30 - DEBUG 
[org.opensaml.saml.common.profile.impl.VerifyChannelBindings:156] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do 2021-03-15 22:25:01,767 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.impl.ExtractProxiedRequestersHandler' on INBOUND message context 2021-03-15 22:25:01,767 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2021-03-15 22:25:01,768 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:226] - Profile Action InitializeAuthenticationContext: AuthnRequest did not contain Scoping, nothing to do 2021-03-15 22:25:01,769 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:210] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2021-03-15T22:25:01.768913Z, isPassive=false, forceAuthn=false, hintedName=null, maxAge=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, authenticationResult=null, completionInstant=null} 2021-03-15 22:25:01,770 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:167] - Profile Action ProcessRequestedAuthnContext: AuthnRequest did not contain a RequestedAuthnContext, nothing to do 2021-03-15 22:25:01,771 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:215] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext 2021-03-15 22:25:01,771 - 172.16.20.30 - DEBUG 
[net.shibboleth.idp.session.impl.StorageBackedSessionManager:811] - Performing primary lookup on session ID 7b6f55f9030e0168a75dbe1c6be4521c072a0f7c87a98ba558d82da4d1d2b640 2021-03-15 22:25:01,775 - 172.16.20.30 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:88] - Updating expiration of master record for session 7b6f55f9030e0168a75dbe1c6be4521c072a0f7c87a98ba558d82da4d1d2b640 to 2021-03-16T23:25:01.775373Z 2021-03-15 22:25:01,786 - 172.16.20.30 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:545] - Loading AuthenticationResult for flow authn/oxAuth in session 7b6f55f9030e0168a75dbe1c6be4521c072a0f7c87a98ba558d82da4d1d2b640 2021-03-15 22:25:01,791 - 172.16.20.30 - DEBUG [net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:134] - Profile Action ExtractActiveAuthenticationResults: Authentication result authn/oxAuth is active, copying from session 2021-03-15 22:25:01,792 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods 2021-03-15 22:25:01,793 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:57] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do 2021-03-15 22:25:01,793 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:57] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do 2021-03-15 22:25:01,794 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile Action SelectAuthenticationFlow: No specific Principals requested 2021-03-15 22:25:01,794 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:385] - Profile Action SelectAuthenticationFlow: Reusing active result authn/oxAuth 2021-03-15 22:25:01,795 - 
172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:125] - Profile Action FinalizeAuthentication: Canonical principal name established from session as 'andsche' 2021-03-15 22:25:01,795 - 172.16.20.30 - DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:175] - Profile Action FinalizeAuthentication: Request did not have explicit authentication requirements, result is accepted 2021-03-15 22:25:01,796 - 172.16.20.30 - DEBUG [net.shibboleth.idp.session.impl.UpdateSessionWithAuthenticationResult:206] - Profile Action UpdateSessionWithAuthenticationResult: Updating activity time on reused AuthenticationResult for flow authn/oxAuth in existing session 7b6f55f9030e0168a75dbe1c6be4521c072a0f7c87a98ba558d82da4d1d2b640 2021-03-15 22:25:01,808 - 172.16.20.30 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:276] - Profile Action ResolveAttributes: Error resolving attributes: Invalid Attribute resolver configuration 2021-03-15 22:25:01,809 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.FilterAttributes:332] - Profile Action FilterAttributes: No attribute context, no attributes to filter 2021-03-15 22:25:01,813 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AbstractResponseShellAction:216] - Profile Action AddStatusResponseShell: Setting Issuer to https://idp.feuerwehr-effi.ch/idp/shibboleth 2021-03-15 22:25:01,815 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.profile.impl.AddInResponseToToResponse:107] - Profile Action AddInResponseToToResponse: Attempting to add InResponseTo to outgoing Response 2021-03-15 22:25:01,818 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.BaseAddAuthenticationStatementToAssertion:209] - Profile Action AddAuthnStatementToAssertion: Attempting to add an AuthenticationStatement to outgoing Assertion 2021-03-15 22:25:01,818 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.SAML2ActionSupport:78] - Profile Action AddAuthnStatementToAssertion: Created Assertion 
_b0ef9a72eeee375de0141628faf12ea2 2021-03-15 22:25:01,819 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.SAML2ActionSupport:102] - Profile Action AddAuthnStatementToAssertion: Added Assertion _b0ef9a72eeee375de0141628faf12ea2 to Response _49ba9d5bd987fbc5f0747bd713af2885 2021-03-15 22:25:01,819 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAuthnStatementToAssertion:169] - Profile Action AddAuthnStatementToAssertion: Added AuthenticationStatement to Assertion _b0ef9a72eeee375de0141628faf12ea2 2021-03-15 22:25:01,822 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.BaseAddAttributeStatementToAssertion:275] - Profile Action AddAttributeStatementToAssertion: Attempting to add an AttributeStatement to outgoing Assertion 2021-03-15 22:25:01,823 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.BaseAddAttributeStatementToAssertion:293] - Profile Action AddAttributeStatementToAssertion: No AttributeSubcontext available, nothing to do 2021-03-15 22:25:01,825 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:284] - Profile Action AddNameIDToSubjects: Attempting to add NameID to outgoing Assertion Subjects 2021-03-15 22:25:01,826 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:314] - Profile Action AddNameIDToSubjects: Request specified NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2021-03-15 22:25:01,826 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:393] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2021-03-15 22:25:01,826 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:103] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2021-03-15 22:25:01,827 - 172.16.20.30 - DEBUG 
[net.shibboleth.idp.saml.nameid.impl.PersistentSAML2NameIDGenerator:223] - No attribute context, can't generate persistent ID 2021-03-15 22:25:01,827 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.AbstractSAML2NameIDGenerator:91] - No identifier to use 2021-03-15 22:25:01,827 - 172.16.20.30 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2021-03-15 22:25:01,830 - 172.16.20.30 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy 2021-03-15 22:25:01,831 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:172] - Error event InvalidNameIDPolicy will be handled with response 2021-03-15 22:25:01,832 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AbstractResponseShellAction:216] - Profile Action AddStatusResponseShell: Setting Issuer to https://idp.feuerwehr-effi.ch/idp/shibboleth 2021-03-15 22:25:01,834 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.profile.impl.AddInResponseToToResponse:107] - Profile Action AddInResponseToToResponse: Attempting to add InResponseTo to outgoing Response 2021-03-15 22:25:01,838 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddStatusToResponse:191] - Profile Action AddStatusToResponse: Detailed errors are enabled 2021-03-15 22:25:01,842 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddStatusToResponse:230] - Profile Action AddStatusToResponse: Current state of request was not mappable, setting StatusMessage to defaulted value 2021-03-15 22:25:01,849 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on OUTBOUND 
message context 2021-03-15 22:25:01,850 - 172.16.20.30 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.ResponseImpl' 2021-03-15 22:25:01,850 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLOutboundDestinationHandler:62] - Adding destination to outbound SAML 2 protocol message: https://login.microsoftonline.com/login.srf 2021-03-15 22:25:01,850 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.EndpointURLSchemeSecurityHandler:52] - Message Handler: Checking outbound endpoint for allowed URL scheme: https://login.microsoftonline.com/login.srf 2021-03-15 22:25:01,850 - 172.16.20.30 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLOutboundProtocolMessageSigningHandler:85] - Message Handler: Message context did not contain signing parameters, outbound message will not be signed 2021-03-15 22:25:01,851 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:78] - Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 2021-03-15 22:25:01,852 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:160] - Invoking Velocity template to create POST body 2021-03-15 22:25:01,852 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:194] - Encoding action url of 'https://login.microsoftonline.com/login.srf' with encoded value 'https://login.microsoftonline.com/login.srf' 2021-03-15 22:25:01,852 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:200] - Marshalling and Base64 encoding SAML message 2021-03-15 22:25:01,854 - 172.16.20.30 - WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:95] - Relay state exceeds 80 bytes: 
estsredirect=2&estsrequest=rQIIAYWSS4sjdRTF8-hO9zSorYgOLqQXCiJUpd6PhoGpTlWnk9S_apJUpVJZTKjU-52uR1KpTzCrYZzlbASX40JxJYLo1l7ILMWlIIJuZDaKuDDtF5jN4Z5z7-Jc-J0cUTADIzDycRuF0fMPCJwgDXrFQqxB4RDBoghkEBgF4SRO4RiCWiSCZ2-dnP7j_bR577cfuE8fflf--OXnHz5vvu8VxTo_73a32y2cOo5v2rCZxt3ISCw_cb9uNl80m89ah3YCqdPnrZzCaRIlCJxhUQplEZZh4IUiIFKtEnrgFiBWK7mHIECRIlEJK1kxC0kxKxBEMdAGla4BVIonPsAmvh7sd_UYA_t7WZuEouLF_2e8uQW8u5P4kJT7AP-59YbMlYWH3Uqa-bX9snXHSbN4uU7z4ln7j5YZDsT-pcqW_pxWVVsr0nwkXIVrrLpAdw4gsLXYA4sr10LztUyVc3xSR_gOZLKYVlqq8IsHTpWUOL0EpJTtGIAVV4jC1RpmeDtF1OLJnJ3EDsGqc1vYFgLnqR7iBqRj4MmIt6ISqbUYbCiHGtuio9OGgI9HIFgavrYiLhJylpvaKLscp9WMpS3dG_IzS69pM860WYTM0VXORHkGcUJCgRXKGHu7yLZ9nNCLcVX2IGPfcrQcQQrEiJfXYZKzSpyUG3ZI9DXLXE7n_ZyeDPjUJSopjAOG48dOGeFAZNdDLkQxcT24xja7B2N1nk2v_cKYzAXKownncr7Q02KgadPQ75EluUyT3ZRzVXkgz0R5xiW1reObwHIzVh2E2P4T5Kt2Z49HnCY37dfTtZ341tk6Sx0_sn9pv7tnJjc9-35h5wV8O2V2Bsf2i4Pm7wfvHHdOj-82zhofvY20z4-PT04bt-7vg-Znh3syo7PHn_z169P73x598e_wKWjcHHbVYdwVerUeYJ5arwbjxfTCwPBumTtoQK1c0i29XU9IZtN-eI89R590mk86nZvOmwN-KQnKVOEknpvw2BL5s9N8dNT45s4rWP_-tcZ_0 2021-03-15 22:25:01,855 - 172.16.20.30 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:225] - Setting RelayState parameter to: 
'estsredirect=2&estsrequest=rQIIAYWSS4sjdRTF8-hO9zSorYgOLqQXCiJUpd6PhoGpTlWnk9S_apJUpVJZTKjU-52uR1KpTzCrYZzlbASX40JxJYLo1l7ILMWlIIJuZDaKuDDtF5jN4Z5z7-Jc-J0cUTADIzDycRuF0fMPCJwgDXrFQqxB4RDBoghkEBgF4SRO4RiCWiSCZ2-dnP7j_bR577cfuE8fflf--OXnHz5vvu8VxTo_73a32y2cOo5v2rCZxt3ISCw_cb9uNl80m89ah3YCqdPnrZzCaRIlCJxhUQplEZZh4IUiIFKtEnrgFiBWK7mHIECRIlEJK1kxC0kxKxBEMdAGla4BVIonPsAmvh7sd_UYA_t7WZuEouLF_2e8uQW8u5P4kJT7AP-59YbMlYWH3Uqa-bX9snXHSbN4uU7z4ln7j5YZDsT-pcqW_pxWVVsr0nwkXIVrrLpAdw4gsLXYA4sr10LztUyVc3xSR_gOZLKYVlqq8IsHTpWUOL0EpJTtGIAVV4jC1RpmeDtF1OLJnJ3EDsGqc1vYFgLnqR7iBqRj4MmIt6ISqbUYbCiHGtuio9OGgI9HIFgavrYiLhJylpvaKLscp9WMpS3dG_IzS69pM860WYTM0VXORHkGcUJCgRXKGHu7yLZ9nNCLcVX2IGPfcrQcQQrEiJfXYZKzSpyUG3ZI9DXLXE7n_ZyeDPjUJSopjAOG48dOGeFAZNdDLkQxcT24xja7B2N1nk2v_cKYzAXKownncr7Q02KgadPQ75EluUyT3ZRzVXkgz0R5xiW1reObwHIzVh2E2P4T5Kt2Z49HnCY37dfTtZ341tk6Sx0_sn9pv7tnJjc9-35h5wV8O2V2Bsf2i4Pm7wfvHHdOj-82zhofvY20z4-PT04bt-7vg-Znh3syo7PHn_z169P73x598e_wKWjcHHbVYdwVerUeYJ5arwbjxfTCwPBumTtoQK1c0i29XU9IZtN-eI89R590mk86nZvOmwN-KQnKVOEknpvw2BL5s9N8dNT45s4rWP_-tcZ_0', encoded as 
'estsredirect=2&estsrequest=rQIIAYWSS4sjdRTF8-hO9zSorYgOLqQXCiJUpd6PhoGpTlWnk9S_apJUpVJZTKjU-52uR1KpTzCrYZzlbASX40JxJYLo1l7ILMWlIIJuZDaKuDDtF5jN4Z5z7-Jc-J0cUTADIzDycRuF0fMPCJwgDXrFQqxB4RDBoghkEBgF4SRO4RiCWiSCZ2-dnP7j_bR577cfuE8fflf--OXnHz5vvu8VxTo_73a32y2cOo5v2rCZxt3ISCw_cb9uNl80m89ah3YCqdPnrZzCaRIlCJxhUQplEZZh4IUiIFKtEnrgFiBWK7mHIECRIlEJK1kxC0kxKxBEMdAGla4BVIonPsAmvh7sd_UYA_t7WZuEouLF_2e8uQW8u5P4kJT7AP-59YbMlYWH3Uqa-bX9snXHSbN4uU7z4ln7j5YZDsT-pcqW_pxWVVsr0nwkXIVrrLpAdw4gsLXYA4sr10LztUyVc3xSR_gOZLKYVlqq8IsHTpWUOL0EpJTtGIAVV4jC1RpmeDtF1OLJnJ3EDsGqc1vYFgLnqR7iBqRj4MmIt6ISqbUYbCiHGtuio9OGgI9HIFgavrYiLhJylpvaKLscp9WMpS3dG_IzS69pM860WYTM0VXORHkGcUJCgRXKGHu7yLZ9nNCLcVX2IGPfcrQcQQrEiJfXYZKzSpyUG3ZI9DXLXE7n_ZyeDPjUJSopjAOG48dOGeFAZNdDLkQxcT24xja7B2N1nk2v_cKYzAXKownncr7Q02KgadPQ75EluUyT3ZRzVXkgz0R5xiW1reObwHIzVh2E2P4T5Kt2Z49HnCY37dfTtZ341tk6Sx0_sn9pv7tnJjc9-35h5wV8O2V2Bsf2i4Pm7wfvHHdOj-82zhofvY20z4-PT04bt-7vg-Znh3syo7PHn_z169P73x598e_wKWjcHHbVYdwVerUeYJ5arwbjxfTCwPBumTtoQK1c0i29XU9IZtN-eI89R590mk86nZvOmwN-KQnKVOEknpvw2BL5s9N8dNT45s4rWP_-tcZ_0' 2021-03-15 22:25:01,860 - 172.16.20.30 - DEBUG [PROTOCOL_MESSAGE:70] - <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.microsoftonline.com/login.srf" ID="_de401eb745e01a2c098f32d433740bf8" InResponseTo="_30073957-01d2-4081-990d-c0a6745f7793" IssueInstant="2021-03-15T22:25:01.832Z" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.feuerwehr-effi.ch/idp/shibboleth</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/> </saml2p:StatusCode> <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage> </saml2p:Status> </saml2p:Response> ``` I googled it a lot but I can't find any solution or tip to solve this issue. It would be great if someone has the time to help me out. Thank you very much in advance.
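
Added example, not part of the original post and not Gluu or Shibboleth code: a small Python triage over `idp-process.log` entries like those above. It splits on timestamps so a flattened paste still parses, reports the earliest ERROR (here `ResolveAttributes` at 22:25:01,808, which precedes the `InvalidNameIDPolicy` warning) and reads the status codes from the logged SAML Response. The function names and `SAMPLE` are assumptions; the sample is constructed from entries in the log above with the XML trimmed.

```python
import re
import xml.etree.ElementTree as ET

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
ENTRY = re.compile(
    rf"(?P<ts>{TS}) - (?:(?P<ip>\S+) )?- (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]]+):(?P<line>\d+)\] - (?P<msg>.*)", re.S)
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol"}

def parse_entries(text):
    """Split on timestamps so entries pasted onto one line still parse."""
    chunks = re.split(rf"(?=(?<!\S){TS} - )", text)
    found = (ENTRY.match(c.strip()) for c in chunks)
    return [m.groupdict() for m in found if m]

def status_codes(msg):
    """Nested StatusCode values (outer first) of a logged SAML Response."""
    m = re.search(r"<saml2p:Response\b.*</saml2p:Response>", msg, re.S)
    if not m or "<!DOCTYPE" in m.group(0):  # do not parse DTDs from a log
        return []
    node = ET.fromstring(m.group(0)).find("p:Status/p:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("p:StatusCode", NS)
    return codes

def triage(text):
    """Earliest ERROR, all WARN messages, and the status sent to the SP."""
    entries = parse_entries(text)
    errors = [e for e in entries if e["level"] == "ERROR"]
    sent = [status_codes(e["msg"]) for e in entries
            if e["logger"] == "PROTOCOL_MESSAGE"]
    return {
        "first_error": errors[0] if errors else None,
        "warnings": [e["msg"] for e in entries if e["level"] == "WARN"],
        "status": sent[-1] if sent else [],
    }

# Constructed sample: four entries taken from the log above (XML trimmed),
# joined with spaces to mimic the flattened paste.
SAMPLE = " ".join([
    "2021-03-15 22:25:01,808 - 172.16.20.30 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:276] - Profile Action ResolveAttributes: Error resolving attributes: Invalid Attribute resolver configuration",
    "2021-03-15 22:25:01,827 - 172.16.20.30 - DEBUG [net.shibboleth.idp.saml.nameid.impl.PersistentSAML2NameIDGenerator:223] - No attribute context, can't generate persistent ID",
    "2021-03-15 22:25:01,830 - 172.16.20.30 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy",
    '2021-03-15 22:25:01,860 - 172.16.20.30 - DEBUG [PROTOCOL_MESSAGE:70] - <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/> </saml2p:StatusCode> <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage> </saml2p:Status> </saml2p:Response>',
])

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["first_error"]["ts"], report["first_error"]["msg"])
    print(report["warnings"], report["status"])
```

Reading the earliest ERROR before the final SAML status helps separate the failing step from the status code that the service provider eventually receives.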

By Aliaksandr Samuseu staff 17 Mar 2021 at 3:49 p.m. CDT

Hi, Andy. I believe there were tickets that may be helpful here. Let me do some research. I also wonder how old that doc is. Maybe we should refresh it as well.

By Andy Scherer user 17 Mar 2021 at 5:01 p.m. CDT

Hi Aliaksandr, thank you very much for your fast response and the research. Kind regards, Andy

By Andy Scherer user 20 Mar 2021 at 12:37 p.m. CDT

Hi Aliaksandr, I know you have no SLA for community support. But could you give an estimate of when I could get help with my question? Thank you very much. Regards, Andy

By Andy Scherer user 22 Mar 2021 at 5:47 a.m. CDT

Hi Aliaksandr, I closed this ticket by mistake. Could you please reopen it? Thank you very much. Regards, Andy