By: Lindsay Weir user 27 Jul 2022 at 8:56 p.m. CDT

55 Responses
Setting up Trust Relationship and have imported SP Metadata File and the configuration has been validated and is currently active. If I click "Download Shibboleth3 configuration files" it downloads a file "shibboleth3-configuration.zip" 1.5MB in size but it cannot be unzipped.

In /opt/gluu/jetty/identity/logs/oxtrust.log we can see the following:

```
2022-07-28 01:00:54,273 ERROR [qtp1364913072-615] [org.gluu.jsf2.io.ResponseHelper] (ResponseHelper.java:110) - Failed to add file 783d238f-80ff-4ae5-88aa-278fdc91aa7b-sp-metadata.crt to zip archive
2022-07-28 01:00:54,273 ERROR [qtp1364913072-615] [org.gluu.oxtrust.action.UpdateTrustRelationshipAction] (UpdateTrustRelationshipAction.java:851) - Failed to add /opt/shibboleth-idp/ssl/783d238f-80ff-4ae5-88aa-278fdc91aa7b-sp-metadata.crt to zip
```

By Lindsay Weir user 27 Jul 2022 at 9:01 p.m. CDT

```
[root@idp-dev shibboleth-idp]# pwd
/opt/shibboleth-idp
[root@idp-dev shibboleth-idp]#
[root@idp-dev shibboleth-idp]# ls
bin  conf  credentials  doc  flows  lib  LICENSE.txt  logs  messages  metadata  sp  system  temp_metadata  views  webapp
```

There does not appear to be an 'ssl' directory.

By Mohib Zico staff 27 Jul 2022 at 9:27 p.m. CDT

The "Download Shibboleth3 configuration files" feature is obsolete and will be deleted from Gluu very soon. Why do you need those files anyway?

By Lindsay Weir user 27 Jul 2022 at 11:01 p.m. CDT

The idp-metadata.xml file is used to load back into the Tableau configuration to complete the trust relationship.

By Mohib Zico staff 27 Jul 2022 at 11:03 p.m. CDT

IDP's metadata is not inside that zip file. You can load your IDP's metadata from `https://<Gluu_server>/idp/shibboleth` OR from file system: `~inside_container/opt/shibboleth-idp/metadata`.

By Lindsay Weir user 27 Jul 2022 at 11:09 p.m. CDT

Under Gluu 3.X we used to have the following in the .zip file:

```
shibboleth3-configuration % ls
README_SP.pdf  README_SP_windows.pdf  attribute-map.xml  idp-metadata.xml  shibboleth2.xml  sp-metadata.xml
```

You can see the idp-metadata.xml file. Let me look at your two suggestions for retrieving the metadata. As long as I can retrieve it, I will be happy either way. Thanks

By Lindsay Weir user 29 Jul 2022 at 8:02 a.m. CDT

I was able to download the file from the server and import it. Now, I get a 500 error and the following in the logs:

```
==> idp-process.log <==
2022-07-29 01:35:27,463 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
```

```
==> idp-warn.log <==
2022-07-29 01:35:27,463 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getLock(AbstractFlowExecutionRepository.java:125)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
    at org.springframework.webflow.conversation.impl.SessionBindingConversationManager.getConversation(SessionBindingConversationManager.java:117)
```

By Mohib Zico staff 29 Jul 2022 at 11:40 a.m. CDT

```
NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
```

That might depend on a lot of things:

- What type of Gluu Server are you using? Is it clustered? Is it k8s? Is it just CE? Any type of load balancer in front of it? Any proxy server involved?
- What type of oxAuth authentication method are you using? "Manage Authentication" section of Gluu Server.
- Does your Gluu Server have full access (network access) to the SP and vice versa?

By Lindsay Weir user 29 Jul 2022 at 2:44 p.m. CDT

It is a standalone Gluu 4.4.0 installation on CentOS 7.8 (Community Edition). No load balancer in front of the Gluu server or proxy.

oxTrust authentication mode: simple_password_auth (which is the default)

I have the Authentication mode: set to my custom script that we were using under 3.X but updated the library names.

Yes, both the Gluu server and SP are on the same network and have full network protocol access between nodes.

By Mohib Zico staff 29 Jul 2022 at 9:50 p.m. CDT

>> I have the Authentication mode: set to my custom script that we were using under 3.X but updated the library names.

Change it to default "simple_password_auth", see if anything changes or not. If that doesn't change, check for any indication in idp-process.log and oxauth.log. You can make them DEBUG if you want.

By Lindsay Weir user 30 Jul 2022 at 9:01 a.m. CDT

Changed it to default "simple_password_auth". This failed as well:

oxauth.log:

```
Caused by: org.gluu.persist.exception.operation.SearchException: Failed to lookup entry by DN: 'oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu'
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.lookupImpl(LdapOperationServiceImpl.java:629) ~[gluu-orm-ldap-4.4.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.lookup(LdapOperationServiceImpl.java:605) ~[gluu-orm-ldap-4.4.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.find(LdapEntryManager.java:399) ~[gluu-orm-ldap-4.4.0.Final.jar:?]
    ... 93 more
2022-07-30 13:41:37,176 ERROR [qtp934275857-67] [org.gluu.oxauth.service.SessionIdService] (SessionIdService.java:793) - Failed to get session by dn: oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu
org.gluu.persist.exception.EntryPersistenceException: Failed to find entry: oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu
```

idp-process.log:

```
2022-07-30 13:42:40,199 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
```

How do I set it to DEBUG mode?

By Lindsay Weir user 30 Jul 2022 at 9:50 a.m. CDT

I turned on DEBUG and emailed you the two logs.

By Lindsay Weir user 01 Aug 2022 at 10:16 a.m. CDT

Were you able to see anything from the DEBUG logs provided?

By Mohib Zico staff 14 Aug 2022 at 9:33 p.m. CDT

Hi,

I checked your log and two things are interesting:

1.
```
Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/oxAuth
```
Question: What kind of authentication flow does this SP want? Is it IDP-initiated Single Sign On?

2.
```
Failed to lookup entry by DN: 'oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu'
```
This SP is certainly depending on an old session to log in, which shouldn't be the normal flow.

Can you please share a full recorded screencast?

By Lindsay Weir user 17 Aug 2022 at 6:45 a.m. CDT

How do you want a screencast recorded? Do you have something to do the recording you need? This is Tableau initiated – user connects to Tableau, and that is redirected to Gluu IDP. For this scenario, I am just using the same simple_password_auth (to eliminate any issues with my own script). If I hit my URL endpoint for Tableau: https://analytics-dev.work.local/access/ I have included all the log outputs from the logs in /opt/shibboleth-idp/logs directory (shibboleth.log). I also included the output from Chrome for the session – More Tools -> Developer -> Network and the output was exported as analytics-dev.work.local.har. This can be loaded into Chrome in the Developer->Network screen: Click on the up arrow on the right hand side under the ‘y’ in Memory above. I have provided Zico the images and log files associated with this since I can't attach to the ticket.

By Lindsay Weir user 18 Aug 2022 at 8:03 a.m. CDT

Images and Logs attached

By Lindsay Weir user 23 Aug 2022 at 7:58 a.m. CDT

Any feedback to the logs and images provided? We are still stuck at the same issue.

By Mohib Zico staff 25 Aug 2022 at 12:46 a.m. CDT

Hi Lindsay,

Can you please share your Tableau config which is pointing to your Gluu Server? I see Tableau is using the HTTP-POST SSO binding URL, but ideally a Shibboleth SP should use the HTTP-Redirect SSO binding URL.

By Lindsay Weir user 25 Aug 2022 at 9:24 a.m. CDT

I have uploaded the saml_sp_metadata.xml file from Tableau and the idp-metadata.xml files from Gluu for review

By Mohib Zico staff 25 Aug 2022 at 9:31 a.m. CDT

Not metadata. There must be some "config page" where you configured Gluu's endpoints in your SP, I would like to see that if possible please.

By Lindsay Weir user 25 Aug 2022 at 10:57 a.m. CDT

Added saml_tableau screen shot for the configuration. Essentially, you click the export metadata button, that generates the saml_sp_metadata.xml file. This is imported into Gluu. After Gluu creates the trust item, you then pull the xml that we discussed earlier from Gluu (Shibboleth) and import that into Tableau and that is the idp-metadata.xml file. This completes the configuration.

By Mohib Zico staff 30 Aug 2022 at 10:25 p.m. CDT

Ok. Check / talk with Tableau, then, about how to apply [this](https://support.gluu.org/identity-management/10677/cannot-download-shibboleth3-configuration-files/#at78146) modification.

By Lindsay Weir user 31 Aug 2022 at 7:33 a.m. CDT

What modification are you talking about?

"Can you please share your Tableau config which is pointing to your Gluu Server? I see Tableau is using the HTTP-POST SSO binding URL, but ideally a Shibboleth SP should use the HTTP-Redirect SSO binding URL."

Are you looking at something specific in the saml_sp_metadata.xml file that Tableau generates that looks incorrect to you?

By Mohib Zico staff 31 Aug 2022 at 8:21 a.m. CDT

No, not in metadata but in configuration. Attaching a screenshot from your config. If you expand / click here, what do you see?

By Lindsay Weir user 31 Aug 2022 at 10:18 a.m. CDT

I have uploaded the config screens from Tableau to the Google Drive link used above. You will see there are NO configuration options from them apart from downloading the saml metadata xml file that is imported into Gluu. This is why I was asking what you were seeing was wrong in the file. At this stage in the process, we export it from Tableau, import the file into Gluu trust, then grab the idp-metadata from the Gluu server and that establishes the trust between both sides.

By Lindsay Weir user 03 Sep 2022 at 9:48 p.m. CDT

Are you referring to this from the saml_sp_metadata.xml file?

```
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://analytics-dev.work.local/samlservice/public/sp/SSO?alias=ca78fb4c-1b20-47f8-bce1-c92e851af590" index="0" isDefault="true"/>
```

This is the same method that Tableau has been using for years (looking at some old versions from about 4-5 years ago). This is something we can't configure or have any option to change.

Thanks,

By Mohib Zico staff 03 Sep 2022 at 10:17 p.m. CDT

>> Are you referring to this from the saml_sp_metadata.xml file?

No. There are four SSO binding URLs of the Gluu Server which an SP can use:

```
<SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" Location="https://latest441.gluu.info/idp/profile/SAML2/Unsolicited/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://latest441.gluu.info/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://latest441.gluu.info/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://latest441.gluu.info/idp/profile/SAML2/Redirect/SSO"/>
```

Configure / ask Tableau to use the `HTTP-Redirect` one instead of `HTTP-Post`.

By Lindsay Weir user 09 Sep 2022 at 11:22 a.m. CDT

https://help.tableau.com/current/server/en-us/saml_requ.htm

"Tableau Server and the IdP each generates its own metadata. Each set of metadata must contain the information described in the following list. If either set is missing information, errors can occur when you configure SAML or when users try to sign in.

HTTP POST: Tableau Server only supports HTTP POST requests for SAML communications. HTTP Redirect is not supported."

This has not changed on the Tableau side and only supports HTTP-Post as it always has. We don't have the capability to modify this.
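
When the SP can only send HTTP-POST, as in the exchange above, one pre-flight check is to confirm that the IdP metadata advertises an HTTP-POST `SingleSignOnService` and that the AuthnRequest's `Destination` and `AssertionConsumerServiceURL` agree with the two metadata files. The following Python is an added example, not code from this thread, Gluu or Tableau; the metadata, the hosts `idp.example.org` and `sp.example.org`, and all function names are constructed for illustration, and it does not verify XML signatures.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata: the same four bindings listed in the thread, placeholder host.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.org/idp/shibboleth">
 <IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
  <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO"/>
  <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  <SingleSignOnService Binding="{HTTP_POST}-SimpleSign" Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata with a single HTTP-POST assertion consumer endpoint.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
  <md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://sp.example.org/sp/SSO" index="0" isDefault="true"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _parse(xml_text):
    # Refuse DTDs outright; SAML messages and metadata never need one.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML input")
    return ET.fromstring(xml_text)


def endpoints(metadata_xml, element):
    """Return [(Binding, Location)] for every <element> in the metadata namespace."""
    root = _parse(metadata_xml)
    return [(e.get("Binding"), e.get("Location")) for e in root.iter(f"{{{MD}}}{element}")]


def pick_sso_endpoint(idp_metadata, sp_supported_bindings):
    """First IdP SSO endpoint the SP can use, in the SP's order of preference."""
    advertised = dict(endpoints(idp_metadata, "SingleSignOnService"))
    for binding in sp_supported_bindings:
        if binding in advertised:
            return binding, advertised[binding]
    return None


def build_post_request(destination, acs_url, response_binding=HTTP_POST):
    """Constructed, unsigned AuthnRequest encoded like a SAMLRequest form field."""
    xml_text = (f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" ID="_constructed" Version="2.0" '
                f'IssueInstant="2022-01-01T00:00:00Z" Destination="{destination}" '
                f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="{response_binding}"/>')
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_post_request(saml_request_b64, idp_metadata, sp_metadata):
    """List mismatches between an HTTP-POST AuthnRequest and both metadata files."""
    # HTTP-POST carries plain base64 XML; HTTP-Redirect would add DEFLATE compression.
    root = _parse(base64.b64decode(saml_request_b64, validate=True).decode("utf-8"))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"unexpected root element {root.tag}"]
    problems = []
    # The request must be addressed to the endpoint advertised for the binding it used.
    post_sso = dict(endpoints(idp_metadata, "SingleSignOnService")).get(HTTP_POST)
    if root.get("Destination") != post_sso:
        problems.append(f"Destination {root.get('Destination')} != IdP HTTP-POST endpoint {post_sso}")
    # ProtocolBinding names the binding for the response; it must pair with a registered ACS.
    acs = (root.get("ProtocolBinding"), root.get("AssertionConsumerServiceURL"))
    if acs not in endpoints(sp_metadata, "AssertionConsumerService"):
        problems.append(f"ACS {acs[1]} with binding {acs[0]} is not in the SP metadata")
    return problems


if __name__ == "__main__":
    print(pick_sso_endpoint(IDP_METADATA, [HTTP_POST]))
    sample = build_post_request("https://idp.example.org/idp/profile/SAML2/Redirect/SSO",
                                "https://sp.example.org/sp/SSO")
    print(check_post_request(sample, IDP_METADATA, SP_METADATA))
```
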

By Lindsay Weir user 16 Sep 2022 at 6:16 p.m. CDT

How can we get shibboleth to access HTTP-POST as it used to? Tableau only supports HTTP POST as I mentioned in the previous update. I am getting the following error:

```
2022-09-16 23:10:23,920 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getLock(AbstractFlowExecutionRepository.java:125)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:254)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:503)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1419)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1630)
    at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:76)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1600)
    at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:61)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1600)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1600)
    at net.shibboleth.utilities.java.support.net.DynamicResponseHeaderFilter.doFilter(DynamicResponseHeaderFilter.java:125)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1600)
    at net.shibboleth.utilities.java.support.net.CookieBufferingFilter.doFilter(CookieBufferingFilter.java:68)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1600)
    at net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:204)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1600)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:506)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:463)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
    at org.eclipse.jetty.server.Server.handle(Server.java:562)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
    at org.springframework.webflow.conversation.impl.SessionBindingConversationManager.getConversation(SessionBindingConversationManager.java:117)
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:183)
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:170)
    ... 69 common frames omitted
```

By Lindsay Weir user 16 Sep 2022 at 6:17 p.m. CDT

idp-process.log

```
2022-09-16 23:16:49,989 - 10.92.81.74 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder:88] - Decoded SAML relay state of: null
2022-09-16 23:16:49,989 - 10.92.81.74 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder:117] - Getting Base64 encoded message from request
2022-09-16 23:16:49,990 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Signature", "")
2022-09-16 23:16:49,990 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:SignedInfo", "")
2022-09-16 23:16:49,991 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:SignatureMethod", "")
2022-09-16 23:16:49,991 - 10.92.81.74 - DEBUG [org.apache.xml.security.algorithms.SignatureAlgorithm:174] - Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
2022-09-16 23:16:49,991 - 10.92.81.74 - DEBUG [org.apache.xml.security.algorithms.JCEMapper:416] - Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2022-09-16 23:16:49,991 - 10.92.81.74 - DEBUG [org.apache.xml.security.algorithms.implementations.SignatureBaseRSA:63] - Created SignatureRSA using SHA256withRSA
2022-09-16 23:16:49,991 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:KeyInfo", "")
2022-09-16 23:16:49,998 - 10.92.81.74 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder:96] - Decoded SAML message
2022-09-16 23:16:50,000 - 10.92.81.74 - DEBUG [PROTOCOL_MESSAGE:124] - <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://analytics-dev.work.local/samlservice/public/sp/SSO?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe" Destination="https://idp-dev.ids.maxaranalytics.ninja/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="_41f1ef52b489d69ca05e29e26d4c7881"
IssueInstant="2022-09-16T23:16:49.691Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_41f1ef52b489d69ca05e29e26d4c7881"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>gjY0JguHNV9kHFP2SFSTno3hbLZRe/zHoul6hjZ+ibY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> YOGHAo47a72hp9+KGIgKjMP3gfpSTgyeN8MNqLpTT/h2kamNaLy2VJZIVsieTfXZh448B+vAYEQe B66nagY23MEvow8ck4eTyaO3KTst5bImCrd3/HVVmk9N+CJjLKI2bHNXGLA+G5jyDiBCH5iYSBtG d1C6Idu3RbwvfRzBNG9OO4Iuu6aRdAVfrchOpgoDCWCDXrjJ7wHNv3cx2ZkjrUoqGYdiy52nncGo 44tACmuyw0S1LQEXJexf8htHc+A4ObtHFL3BmtR2207no8r1oUNvURaIm69Q0Sa4dK3CJpkPaPzL 0QPOWN/tWfbSpe6nCPg+J7O1baXYroaOuEYpAtXikW3R1G6ie5+GfKgyDiHYQGvTT5P/q0tEW8kx m1xuBs2llPf5wIL+CyLQMo/QvovwOp013+sqNqRgLPsJv8fSo+a6sE0fefV1TtDyZyigu5As4NST 0gGqSMy6b8T19JyXZ8SkGrZUm26D3yB6wfDbcnxKHwwEcX8W02NFgOVb1QlyCC9V9xmTHpjbZG0E WwrGV7Ey7ZwToT6uAhCrqmsWE/a4stl1lWCCv6Mjychlf958HasZQzah8JpuGyAGe9YTZNBKMGtd QLnQdkS7vulpkRIQm11QTE1C4phZ1TMh5WE+G7oPQndDqBDHimeKBejhusX4elfYwF8LEHPBnXk= </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIFqDCCA5CgAwIBAgIGAYNB+PkXMA0GCSqGSIb3DQEBCwUAMGwxOzA5BgNVBAsMMmNvbS50YWJs ZWF1c29mdHdhcmUuc2l0ZXNhbWwuY29yZS51dGlsLkNyeXB0b1V0aWxzMS0wKwYDVQQDDCQyMjRk YTRhZS1iYWM5LTQ3ZGEtYjY5ZC03ZDliODBhOWE1ZmUwHhcNMjIwOTE0MTYyNjE5WhcNMzIwOTE1 
MTYyNjE5WjBsMTswOQYDVQQLDDJjb20udGFibGVhdXNvZnR3YXJlLnNpdGVzYW1sLmNvcmUudXRp bC5DcnlwdG9VdGlsczEtMCsGA1UEAwwkMjI0ZGE0YWUtYmFjOS00N2RhLWI2OWQtN2Q5YjgwYTlh NWZlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmKjp1JhI9Uk7sOQcbOhfYlxk4zwd /zRnp1MuvryablkqSoL9fvHOG4984IQ9vDZpj6Htq1FEhZzHBfQpwdj1qQOgIa4vyK317JyQseJb rn5UK1/14hEViO+kGfUzxiGnimlMQkGcriBJkcbmbavv6NfyNVAv3JI/TY1t0C9F/RGRfUgIaeJ8 Br1E5IbaphnFYGqnyVxyvJlpmPgB3G6biSDY4P37mXLf9DHYHTRHR5cUuxWtZ+RBsNIA00igtx8K nM/nQLW88so65d8UjFiQTp2jEmfVrr6D+hdUGRV9kVM8bUftk0ApDvlEF+A+T7lWIFSMuA/jPt4B E5FBLih7s+UTIF67WerYJ0QO21AQkWzQs5MapfOS5qej9Gdw2spwE2BVCQB3lXsSU96YuRGL6aQW cYqhFIMuHcUmWGbfaVApJ9CtqXLND9AA8gWoDvjH1j1bMcLBp2khppNI4qh3CBP2NE8R2eiHdjV3 iGDmFJdlvUVhLvbgzRDiNujEyKdquutlPoeJrqB1YzwjQOd7Nr1Kpi/nUBzxup4ZQgq0/myzgK7X V5peSndFbY+57BKEhW8djPdgCI9W+9NhLcEaIipAGVm7myXhouanja9NV1RuqeWN1fzUJgGnfnzm seqXnVYSbm1TuVA844ztxGCiAo/ffA2dVF/KbWD3pLSdAGECAwEAAaNQME4wDAYDVR0TAQH/BAIw ADAdBgNVHQ4EFgQUW7FU6ymyIxZJQy2UtO4r+5iEV9owHwYDVR0jBBgwFoAUW7FU6ymyIxZJQy2U tO4r+5iEV9owDQYJKoZIhvcNAQELBQADggIBACc4N0XEF5O5GNfj1FQFggVXB9+4QjaVvgBMGfDY iXq8yZNg4XYGuF4PnYtM3nTrfC0ybnjnex95uDsaLto+Uy2N2MOe9xd6HV/YZiFB5ARbXM1drU9l +L25RmwmlPDXB8l1sBdemfJLdlr6n4PmJEVcUoPz7IQ5r7/H1vz1qexoFtnTjvQOFy/qHmrXM/d1 KJ38TPjppV7lLk58XOW1DVcsZerGjKpsu+EB8/24tPsgsFGaIvVlQM0wDjpuHX4gb+ZAE9y0BdKp 2VJfbgbzCQb89rZBmimsIml5xtNFBnJQi2DR5RSrL9/4gltm9hI7Tqcpf+fxI+TGVXo/48Ct7W2Z 3X+icxwirgKxjRLJEcas/xSIdJtklryL/p1bl/FvkpaOpNyRuTTdpGg5nAsqaMq/MEGdH31s3PuC 9CZa2jSkQ38uobp9ruF6nXHdCaFA47sq9UmYlvopTBBmpgaFkKb2vnMV03ibfAloxgUmgemF4W3K 7zY92PigfO2MLMaIigcamngHWlYPPyjN17zP4LdRcQaHLLflp4tV2mailpCkkAeX+EwlFE5Qy9If C9BkRKI/bB2rLGh+ZOnqqveVOHUYWdaqc9lucoehapCW9hYcbE0VCtc4OQEGvSH1ff0gb+lbIOiv fUPGOvt3RwwNY4lkz7Y98n49sjhNLdJGmUiD</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </saml2p:AuthnRequest> 2022-09-16 23:16:50,015 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message 
handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context
2022-09-16 23:16:50,016 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2022-09-16 23:16:50,016 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context
2022-09-16 23:16:50,016 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2022-09-16 23:16:50,017 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context
2022-09-16 23:16:50,017 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2022-09-16 23:16:50,018 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context
2022-09-16 23:16:50,018 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2022-09-16 23:16:50,018 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:178] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe]
2022-09-16 23:16:50,018 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:610] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Attempting to filter candidate EntityDescriptors via resolved Predicates
2022-09-16 23:16:50,019 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:632] - Metadata Resolver FilesystemMetadataResolver SiteSP1: After predicate filtering 1 EntityDescriptors remain
2022-09-16 23:16:50,019 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:267] - Resolved 1 source EntityDescriptors
2022-09-16 23:16:50,019 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:277] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2022-09-16 23:16:50,019 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:378] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2022-09-16 23:16:50,019 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:400] - After predicate filtering 1 RoleDescriptors remain
2022-09-16 23:16:50,019 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:177] - Message Handler: org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext
2022-09-16 23:16:50,020 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2022-09-16 23:16:50,020 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2022-09-16 23:16:50,020 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:154] - Message Handler: Selecting default AttributeConsumingService, if any
2022-09-16 23:16:50,021 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:186] - Resolving AttributeConsumingService candidates from SPSSODescriptor
2022-09-16 23:16:50,021 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:141] - AttributeConsumingService candidate list was empty, can not select service
2022-09-16 23:16:50,021 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:163] - Message Handler: No AttributeConsumingService selected
2022-09-16 23:16:50,021 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:131] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe
2022-09-16 23:16:50,021 - 10.92.81.74 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:253] - Resolving relying party configuration
2022-09-16 23:16:50,022 - 10.92.81.74 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:265] - Checking if relying party configuration EntityNames[https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe,] is applicable
2022-09-16 23:16:50,022 - 10.92.81.74 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:267] - Relying party configuration EntityNames[https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe,] is applicable
2022-09-16 23:16:50,022 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:174] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration EntityNames[https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe,] for request
2022-09-16 23:16:50,023 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:147] - Profile Action PopulateProfileInterceptorContext: No inbound interceptor flows active for this request
2022-09-16 23:16:50,024 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler' on INBOUND message context
2022-09-16 23:16:50,025 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2022-09-16 23:16:50,025 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:156] - Message Handler: Checking SAML message intended destination endpoint against receiver endpoint
2022-09-16 23:16:50,025 - 10.92.81.74 - DEBUG
[org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:188] - Message Handler: Intended message destination endpoint: https://idp-dev.ids.maxaranalytics.ninja/idp/profile/SAML2/POST/SSO 2022-09-16 23:16:50,025 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:189] - Message Handler: Actual message receiver endpoint: https://idp-dev.ids.maxaranalytics.ninja/idp/profile/SAML2/POST/SSO 2022-09-16 23:16:50,025 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:202] - Message Handler: SAML message intended destination endpoint matched recipient endpoint 2022-09-16 23:16:50,026 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler' on INBOUND message context 2022-09-16 23:16:50,026 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,026 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler:154] - Message Handler: Evaluating message replay for message ID '_41f1ef52b489d69ca05e29e26d4c7881', issue instant '2022-09-16T23:16:49.691Z', entityID 'https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe' 2022-09-16 23:16:50,029 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler' on INBOUND message context 2022-09-16 23:16:50,030 - 10.92.81.74 - DEBUG 
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,032 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler' on INBOUND message context 2022-09-16 23:16:50,032 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,033 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler' on INBOUND message context 2022-09-16 23:16:50,033 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,033 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Reference", "") 2022-09-16 23:16:50,034 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Transforms", "") 2022-09-16 23:16:50,034 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Transform", "") 2022-09-16 23:16:50,034 - 10.92.81.74 - DEBUG [org.apache.xml.security.transforms.Transform:357] - Create URI "http://www.w3.org/2000/09/xmldsig#enveloped-signature" class "class 
org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature" 2022-09-16 23:16:50,034 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:234] - Saw Enveloped signature transform 2022-09-16 23:16:50,034 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Transform", "") 2022-09-16 23:16:50,034 - 10.92.81.74 - DEBUG [org.apache.xml.security.transforms.Transform:357] - Create URI "http://www.w3.org/2001/10/xml-exc-c14n#" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive" 2022-09-16 23:16:50,035 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:238] - Saw Exclusive C14N signature transform 2022-09-16 23:16:50,035 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:132] - Message Handler: Attempting to verify signature on signed SAML protocol message type: {urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest 2022-09-16 23:16:50,035 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:285] - Resolving credentials from metadata using entityID: https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe, role: {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor, protocol: urn:oasis:names:tc:SAML:2.0:protocol, usage: SIGNING 2022-09-16 23:16:50,035 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:434] - Retrieving role descriptor metadata for entity 'https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe' in role '{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol' 2022-09-16 23:16:50,036 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:178] - Metadata Resolver FilesystemMetadataResolver SiteSP1: 
Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe] 2022-09-16 23:16:50,036 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:610] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Attempting to filter candidate EntityDescriptors via resolved Predicates 2022-09-16 23:16:50,036 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:632] - Metadata Resolver FilesystemMetadataResolver SiteSP1: After predicate filtering 1 EntityDescriptors remain 2022-09-16 23:16:50,036 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:267] - Resolved 1 source EntityDescriptors 2022-09-16 23:16:50,037 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:277] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering 2022-09-16 23:16:50,037 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:378] - Attempting to filter candidate RoleDescriptors via resolved Predicates 2022-09-16 23:16:50,037 - 10.92.81.74 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:400] - After predicate filtering 1 RoleDescriptors remain 2022-09-16 23:16:50,037 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:350] - Resolved cached credentials from KeyDescriptor object metadata 2022-09-16 23:16:50,038 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.XMLSignature:858] - signatureMethodURI = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 2022-09-16 23:16:50,038 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.XMLSignature:859] - jceSigAlgorithm = SHA256withRSA 2022-09-16 23:16:50,038 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.XMLSignature:860] - PublicKey = Sun 
RSA public key, 4096 bits params: null modulus: 622797720804273963948415782986311820828602257877392872609852903663358137821833707033376665866347386245721554362967865538873243798093461037906564558285274153860487708433223526073979271884929810371941664238241341304984939387010469806447501081933494723449658420341343878149823538146809811348637153553224317169548936591640980446026775750192245284067090958819915697909192754763737640085972896551210336409658301469049933141010114156440979247370051143113255984378579888290810313266005375506801518175725511377909495727147435220669115946409987375762843349182513409314163742476771015706521714144492694550741047280647621514922541806728983035931826157381618300893357393356286228568776388476842346373384403446173225771215096152155216436078242562086678247905067128315339314012702247638661197346319757407897381728936895229252269600342626516102444034335812786354950464481628831212102608288021722892519751496452264438119334657244236680081653289257507830898966284027143225748383538838352459698211546723309335446841810693357825769994483113396202609294701527446198941966286214328745355167473340738230498548088614070914665576558524836504521775959609580118011504988693078746265182527765686730046499947574015375937287419746308519805841885252585497925845089 public exponent: 65537 2022-09-16 23:16:50,039 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.XMLSignature:867] - jceSigProvider = SunRsaSign 2022-09-16 23:16:50,039 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.SignerOutputStream:63] - Canonicalized SignedInfo: 2022-09-16 23:16:50,040 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.SignerOutputStream:68] - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod> <ds:Reference URI="#_41f1ef52b489d69ca05e29e26d4c7881"> 
<ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod> <ds:DigestValue>gjY0JguHNV9kHFP2SFSTno3hbLZRe/zHoul6hjZ+ibY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> 2022-09-16 23:16:50,041 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.Manifest:315] - verify 1 References 2022-09-16 23:16:50,041 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.Manifest:316] - I am not requested to follow nested Manifests 2022-09-16 23:16:50,042 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Reference", "") 2022-09-16 23:16:50,042 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Transforms", "") 2022-09-16 23:16:50,042 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.resolver.ResourceResolver:176] - I was asked to create a ResourceResolver and got 0 2022-09-16 23:16:50,042 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.resolver.ResourceResolver:151] - check resolvability by class org.apache.xml.security.utils.resolver.implementations.ResolverFragment 2022-09-16 23:16:50,042 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.resolver.implementations.ResolverFragment:118] - State I can resolve reference: "#_41f1ef52b489d69ca05e29e26d4c7881" 2022-09-16 23:16:50,043 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.resolver.implementations.ResolverFragment:86] - Try to catch an Element with ID _41f1ef52b489d69ca05e29e26d4c7881 and Element was [saml2p:AuthnRequest: null] 2022-09-16 23:16:50,043 - 10.92.81.74 - DEBUG [org.apache.xml.security.algorithms.JCEMapper:416] - Request for URI http://www.w3.org/2001/04/xmlenc#sha256 2022-09-16 23:16:50,043 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - 
setElement("ds:Transform", "") 2022-09-16 23:16:50,043 - 10.92.81.74 - DEBUG [org.apache.xml.security.transforms.Transform:357] - Create URI "http://www.w3.org/2000/09/xmldsig#enveloped-signature" class "class org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature" 2022-09-16 23:16:50,043 - 10.92.81.74 - DEBUG [org.apache.xml.security.transforms.Transforms:259] - Perform the (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature transform 2022-09-16 23:16:50,044 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.ElementProxy:89] - setElement("ds:Transform", "") 2022-09-16 23:16:50,044 - 10.92.81.74 - DEBUG [org.apache.xml.security.transforms.Transform:357] - Create URI "http://www.w3.org/2001/10/xml-exc-c14n#" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive" 2022-09-16 23:16:50,044 - 10.92.81.74 - DEBUG [org.apache.xml.security.transforms.Transforms:265] - Perform the (1)th http://www.w3.org/2001/10/xml-exc-c14n# transform 2022-09-16 23:16:50,044 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.DigesterOutputStream:54] - Pre-digested input: 2022-09-16 23:16:50,044 - 10.92.81.74 - DEBUG [org.apache.xml.security.utils.DigesterOutputStream:59] - <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://analytics-dev.work.local/samlservice/public/sp/SSO?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe" Destination="https://idp-dev.ids.maxaranalytics.ninja/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="_41f1ef52b489d69ca05e29e26d4c7881" IssueInstant="2022-09-16T23:16:49.691Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe</saml2:Issuer></saml2p:AuthnRequest> 2022-09-16 23:16:50,045 - 10.92.81.74 - DEBUG 
[org.apache.xml.security.signature.Reference:796] - Verification successful for URI "#_41f1ef52b489d69ca05e29e26d4c7881" 2022-09-16 23:16:50,045 - 10.92.81.74 - DEBUG [org.apache.xml.security.signature.Manifest:342] - The Reference has Type 2022-09-16 23:16:50,045 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:136] - Message Handler: Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest 2022-09-16 23:16:50,045 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:139] - Message Handler: Authentication via protocol message signature succeeded for context issuer entity ID https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe 2022-09-16 23:16:50,046 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler' on INBOUND message context 2022-09-16 23:16:50,046 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,046 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler: Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler 2022-09-16 23:16:50,047 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:152] - Message Handler: Handler can not handle this request, skipping 2022-09-16 
23:16:50,047 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler' on INBOUND message context 2022-09-16 23:16:50,047 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,048 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler: Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler 2022-09-16 23:16:50,048 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:158] - Message Handler: HTTP request was not signed via simple signature mechanism, skipping 2022-09-16 23:16:50,049 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.CheckMandatoryIssuer' on INBOUND message context 2022-09-16 23:16:50,049 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,050 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:153] - Profile Action InitializeOutboundMessageContext: Initialized outbound message context 2022-09-16 23:16:50,050 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:401] - 
Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService for outbound message 2022-09-16 23:16:50,050 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:542] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest 2022-09-16 23:16:50,051 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:314] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 1 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService 2022-09-16 23:16:50,051 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:452] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location https://analytics-dev.work.local/samlservice/public/sp/SSO?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 2022-09-16 23:16:50,051 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:382] - No AttributeConsumingService was resolved, won't be able to determine delegation requested status via metadata 2022-09-16 23:16:50,051 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:515] - No AttributeConsumingService was available 2022-09-16 23:16:50,052 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:500] - Delegation request was not explicitly indicated, using default value: NOT_REQUESTED 2022-09-16 23:16:50,052 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:289] - Issuance of a delegated Assertion is not in effect, skipping further processing 2022-09-16 23:16:50,053 - 10.92.81.74 - DEBUG 
[org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:210] - Profile Action PopulateSignatureSigningParameters: Signing enabled 2022-09-16 23:16:50,053 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:192] - Message Handler: Signing enabled 2022-09-16 23:16:50,053 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:204] - Message Handler: Resolving SignatureSigningParameters for request 2022-09-16 23:16:50,054 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:234] - Message Handler: Adding metadata to resolution criteria for signing/digest algorithms 2022-09-16 23:16:50,054 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:245] - Message Handler: Resolved SignatureSigningParameters 2022-09-16 23:16:50,056 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:210] - Profile Action PopulateSignatureSigningParameters: Signing enabled 2022-09-16 23:16:50,056 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:192] - Message Handler: Signing enabled 2022-09-16 23:16:50,057 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:204] - Message Handler: Resolving SignatureSigningParameters for request 2022-09-16 23:16:50,057 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:217] - Message Handler: Found existing SecurityParametersContext to copy from 2022-09-16 23:16:50,057 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:296] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false) 2022-09-16 23:16:50,057 - 10.92.81.74 - DEBUG 
[net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:306] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request 2022-09-16 23:16:50,058 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:371] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria 2022-09-16 23:16:50,058 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:382] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria 2022-09-16 23:16:50,058 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:258] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION. Effective entityID was: https://analytics-dev.work.local/samlservice/public/sp/metadata?alias=224da4ae-bac9-47da-b69d-7d9b80a9a5fe 2022-09-16 23:16:50,058 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:350] - Resolved cached credentials from KeyDescriptor object metadata 2022-09-16 23:16:50,058 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:577] - Could not resolve data encryption algorithm based on SAML metadata, falling back to locally configured algorithms 2022-09-16 23:16:50,059 - 10.92.81.74 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:533] - Could not resolve key transport algorithm based on SAML metadata, falling back to locally configured algorithms 2022-09-16 23:16:50,059 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:322] - Profile Action PopulateEncryptionParameters: Resolved EncryptionParameters 2022-09-16 23:16:50,062 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:143] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing 
2022-09-16 23:16:50,063 - 10.92.81.74 - DEBUG [org.opensaml.saml.common.profile.impl.VerifyChannelBindings:156] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do 2022-09-16 23:16:50,065 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.impl.ExtractProxiedRequestersHandler' on INBOUND message context 2022-09-16 23:16:50,065 - 10.92.81.74 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' 2022-09-16 23:16:50,066 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:239] - Profile Action InitializeAuthenticationContext: AuthnRequest did not contain Scoping, nothing to do 2022-09-16 23:16:50,067 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:222] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2022-09-16T23:16:50.066818Z, isPassive=false, forceAuthn=false, requiredName=null, hintedName=null, maxAge=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, authenticationResult=null, completionInstant=null} 2022-09-16 23:16:50,068 - 10.92.81.74 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:167] - Profile Action ProcessRequestedAuthnContext: AuthnRequest did not contain a RequestedAuthnContext, nothing to do 2022-09-16 23:16:50,070 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:213] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into 
AuthenticationContext 2022-09-16 23:16:50,071 - 10.92.81.74 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:145] - Profile Action PopulateSessionContext: No session found for client 2022-09-16 23:16:50,073 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods 2022-09-16 23:16:50,073 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:57] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do 2022-09-16 23:16:50,074 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:57] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do 2022-09-16 23:16:50,074 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile Action SelectAuthenticationFlow: No specific Principals requested 2022-09-16 23:16:50,074 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:312] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow 2022-09-16 23:16:50,075 - 10.92.81.74 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:369] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/oxAuth 2022-09-16 23:16:50,316 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows. 
at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
```

By Lindsay Weir user 20 Sep 2022 at 8:55 p.m. CDT

Are there any instructions to disable the HTTP Redirect and enable the HTTP POST in shibboleth as it used to work in versions 3.X?

By Mohib Zico staff 20 Sep 2022 at 11:45 p.m. CDT

[This](http://shibboleth.net/pipermail/users/2019-May/044211.html) is an interesting link; just switch HTTP-POST with HTTP-Redirect.

By Lindsay Weir user 21 Sep 2022 at 8:45 p.m. CDT

I tried changing the idp-metadata.xml and tried switching the redirect entries to the HTTP but that did not work earlier. I had already read through the thread at the link you provided; it looked more like a typo issue in the URL, and there didn't appear to be any solution.

By Mohib Zico staff 23 Sep 2022 at 8:45 a.m. CDT

Ummm... sorry, then I don't know much about your setup. But do you have any Tableau Dev instance / Dev account which I can try to configure with my test Gluu Server? If I could try to do the integration by myself, I guess it would be much clearer to me than going through troubleshooting blindly.

By Lindsay Weir user 26 Sep 2022 at 3:12 p.m. CDT

I can configure it to point to your Gluu server if we want to try that. I will create another site (the Tableau server is internal to our network so you won't be able to access that, but I can send you the metadata file).

By Lindsay Weir user 26 Sep 2022 at 7:18 p.m. CDT

I have uploaded saml_sp_metadata_gluu.xml so that you can configure gluu on your side. If you can provide the idp_metadata.xml then I can import that back into Tableau.

By Mohib Zico staff 26 Sep 2022 at 11:33 p.m. CDT

Thanks. My Gluu Server is: `https://latest441.gluu.info` EntityID / SAML metadata: `https://latest441.gluu.info/idp/shibboleth`

By Lindsay Weir user 27 Sep 2022 at 10:07 a.m. CDT

https://latest441.gluu.info/idp/shibboleth doesn't return XML as 4.4.0 and before does?

By Mohib Zico staff 27 Sep 2022 at 12:52 p.m. CDT

Sorry, didn't understand your question.

By Lindsay Weir user 27 Sep 2022 at 6:26 p.m. CDT

If you connect to https://latest441.gluu.info/idp/shibboleth with your web browser, it does not return an XML document. It returns:

```
latest441.gluu.info MIIDgzCCAmsCFERnzcRH+WcErZpDH50J1uqY8LoWMA0GCSqGSIb3DQEBCwUAMH4x CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGQXVzdGluMRIwEAYD VQQKDAlHbHV1IEluYy4xHDAaBgNVBAMME2xhdGVzdDQ0MS5nbHV1LmluZm8xHzAd BgkqhkiG9w0BCQEWEHN1cHBvcnRAZ2x1dS5vcmcwHhcNMjIwOTEwMTUwMzU1WhcN MjMwOTE
```

This should be returning something like:

```
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://xxxxxxxxx/idp/shibboleth">
```

By Mohib Zico staff 27 Sep 2022 at 11:01 p.m. CDT

Maybe some browser incompatibility issue? Screenshot attached.

By Lindsay Weir user 28 Sep 2022 at 7:10 a.m. CDT

You were correct. I was using Safari and that was the problem.
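
Added example, not part of the original thread or Gluu's code: a check of what an IdP metadata document actually contains, independent of how a browser renders it. It confirms the root is `EntityDescriptor`, lists the advertised `SingleSignOnService` bindings, and returns the text nodes alone, which for this constructed sample (placeholder host `idp.example.org` and placeholder certificate) has the same scope-then-certificate shape as the output quoted above. The function name `inspect_idp_metadata` is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample shaped like Shibboleth IdP metadata; host and certificate are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><shibmd:Scope regexp="false">idp.example.org</shibmd:Scope></Extensions>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERBASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints keyed by binding, and the text-node-only view."""
    # SAML metadata has no use for DTDs; refuse them rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is %s, not md:EntityDescriptor" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {}
    for el in idp.findall("md:SingleSignOnService", NS):
        # Key by the short binding name, e.g. HTTP-POST or HTTP-Redirect.
        sso[(el.get("Binding") or "").rsplit(":", 1)[-1]] = el.get("Location")
    # What remains when markup is dropped and only text nodes are shown.
    text_only = " ".join("".join(root.itertext()).split())
    return {"entity_id": root.get("entityID"), "sso": sso, "text_only": text_only}
```

For metadata fetched over the network, save the raw response body and pass its text in. The DTD check is a minimal guard; a hardened parser such as defusedxml is the safer choice for untrusted XML.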

By Lindsay Weir user 28 Sep 2022 at 7:29 a.m. CDT

Just did 3 connection tests from the setup screen after importing the idp information.

https://latest441.gluu.info/idp/profile/SAML2/POST/SSO

```
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.4.41 (Ubuntu) Server at latest441.gluu.info Port 443
```

By Mohib Zico staff 28 Sep 2022 at 8:20 a.m. CDT

I guess the primary reason is: I haven't created the trust relationship. I'll do it; please pass along your SP link for initiating SSO and some test credentials so I can do it from my side.

By Lindsay Weir user 28 Sep 2022 at 9:42 a.m. CDT

That makes sense. Let me know when you are ready

By Lindsay Weir user 01 Oct 2022 at 9:11 a.m. CDT

Hi, just checking if you had set up the trust relationship and test credentials?

By Mohib Zico staff 02 Oct 2022 at 1:27 p.m. CDT

Hello Lindsay, Trust relationship created. For now, I released Username and EmailAddress only.

By Lindsay Weir user 02 Oct 2022 at 5:21 p.m. CDT

What are the credentials?

By Lindsay Weir user 02 Oct 2022 at 5:25 p.m. CDT

Sorry, the Password Reminder functionality is not enabled. The password recovery e-mail has not been sent. Please contact the administrator.

By Mohib Zico staff 02 Oct 2022 at 11:32 p.m. CDT

Sorry, credentials for what?

By Lindsay Weir user 03 Oct 2022 at 8:11 a.m. CDT

From the Tableau server I am redirected to the Gluu server on your side (just did this now) and it is asking for a login/password on the Gluu Server side.

By Lindsay Weir user 05 Oct 2022 at 9:19 p.m. CDT

Were there any entries in the logs from the redirects?

By Mohib Zico staff 05 Oct 2022 at 10:47 p.m. CDT

Hi Lindsay, you need to give me access to your SP instance (a test credential or something like that), with which I can test by myself.

By Lindsay Weir user 06 Oct 2022 at 7:53 a.m. CDT

That is not possible as it is on an internal corporate network. I can perform the tasks that you need remotely for you, however.

By Mohib Zico staff 11 Oct 2022 at 11:26 p.m. CDT

Hi Lindsay,

> I can perform the tasks that you need remotely for you however.

I would love to, but having a support / troubleshooting call is not supported in the community support level agreement. The problem we are facing here needs intense attention, so if you can ever create a Tableau instance for me to use (you can limit internet access from my IP + my latest441 only), please ping here. Thanks! I wish I could help you more.

By Lindsay Weir user 12 Oct 2022 at 7:36 a.m. CDT

I can trigger the redirect (i.e. log in on our side). Shouldn't that trigger the same errors on your side? That is where I thought we were trying to replicate the errors after we exchanged the SP and IdP metadata.