Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 13.5.0
When encryption of the assertion is requested in an IdP-Proxy scenario, the IdP Proxy uses the Name-ID formats listed in the Remote SP configuration instead of the NameID format requested by the SP.
To reproduce the issue:
- For all, configure the Name-ID format list as follows:
- Request the assertion to be encrypted
Initiate SP Single Sign On: http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=proxy&NameIDFormat=transient
This will hang on the following URL: http://proxy.example.info:8080/openam/Consumer/metaAlias/spproxy?SAMLart=AAQAA...
And the Error in the Federation log will be:
Workaround: depending on the use case, you may re-order the list of Name-ID Formats for the remote SP; in our example, keeping the transient format at the top of the list for the Remote SP in the OpenAM IDP-Proxy configuration was enough; this may not be possible for complex deployments.
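Added example (not part of this bug report or of OpenAM itself): a small model of the selection behaviour described above, a URL builder for the spSSOInit.jsp request, and a check you can run against the decrypted assertion to confirm which NameID Format the IdP Proxy actually issued. The selection model (requested format vs. first entry of the remote SP list when encryption is on) is an assumption drawn from the report and the workaround, not OpenAM code; the sample assertion is constructed.

```python
"""
Model of the reported IdP-Proxy NameID-format selection, plus a check on the
decrypted assertion. Not OpenAM code: the select_nameid_format() rules are an
assumption based on the report (requested format ignored when the assertion is
encrypted) and on the workaround (putting the wanted format first fixes it).
"""
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def sp_sso_init_url(base, meta_alias, idp_entity_id, name_id_format):
    """Build the spSSOInit.jsp URL used in the report, with proper URL encoding.
    name_id_format is the short name the JSP accepts (e.g. "transient")."""
    query = urlencode({"metaAlias": meta_alias,
                       "idpEntityID": idp_entity_id,
                       "NameIDFormat": name_id_format})
    return f"{base}/saml2/jsp/spSSOInit.jsp?{query}"


def requested_format_from_url(url):
    """Read the NameIDFormat parameter back out of an spSSOInit URL."""
    return parse_qs(urlparse(url).query).get("NameIDFormat", [None])[0]


def select_nameid_format(requested, remote_sp_formats, encrypt_assertion, buggy=False):
    """Assumed model of the behaviour described in the report.

    Expected: honour the requested format when the remote SP lists it.
    Buggy (encrypt_assertion=True): take the first entry of the remote SP's
    Name-ID format list and ignore the request. A requested format that the
    remote SP does not list yields None (modelling a rejected request)."""
    if requested not in remote_sp_formats:
        return None
    if buggy and encrypt_assertion:
        return remote_sp_formats[0]
    return requested


def assertion_nameid_format(assertion_xml):
    """Return the Format attribute of the assertion's Subject/NameID (or None)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    return None if name_id is None else name_id.get("Format")


def check_nameid_format(assertion_xml, requested):
    """True when the decrypted assertion carries the format the SP asked for."""
    return assertion_nameid_format(assertion_xml) == requested


# Constructed sample of a decrypted assertion issued by the proxy (not real data).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee" Version="2.0"
                IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>proxy</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_abc123</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""


if __name__ == "__main__":
    url = sp_sso_init_url("http://sp.example.com:8080/openam", "/sp", "proxy", "transient")
    print(url)
    # Remote SP lists persistent first: the modelled bug picks persistent.
    print("buggy  :", select_nameid_format(TRANSIENT, [PERSISTENT, TRANSIENT], True, buggy=True))
    # Workaround from the report: transient at the top of the list.
    print("reorder:", select_nameid_format(TRANSIENT, [TRANSIENT, PERSISTENT], True, buggy=True))
    print("issued :", assertion_nameid_format(SAMPLE_ASSERTION))
```

To use the check against a live deployment, decrypt the EncryptedAssertion with the SP's private key first (the Federation debug log prints the decrypted assertion at message level) and pass the resulting XML to check_nameid_format with the format your AuthnRequest asked for.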