--- posting in IDM4.5 forum as well ---

Ping is acting as the IDP. We are using cn as the authentication ID.

We are able to get to the IDP popup login window. We log in and get the
error:
Error: An Identity Provider response was received that failed to
authenticate this session.

catalina.out doesn't show anything.

The Firefox SAML tracer shows the SAML request and response.

Any ideas on where to go from here?

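<!-- SP-initiated SAML 2.0 AuthnRequest as captured by the browser SAML tracer.
     Identifiers are restored from the forum paste, whose emoticon filter had
     dropped ":o", ":p" and ":D" (urn:oasis, 2.0:protocol, ds:DigestMethod,
     ds:DigestValue). Spaces inside the base64 blobs are paste artifacts and
     are left as posted. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
                    Destination="https://sso.us.scottsco.com/idp/SSO.saml2"
                    ForceAuthn="false"
                    ID="idQQ1HTnw5lfrETkgMIYLTKBKb.QU"
                    IsPassive="false"
                    IssueInstant="2015-12-02T15:49:21Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <saml:Issuer>https://userapp.us.scottsco.com/osp/a/idm/auth/saml2/metadata</saml:Issuer>
  <!-- Enveloped signature over the whole request: the Reference URI below is
       the AuthnRequest ID. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <!-- SHA-1 is used for both the RSA signature and the digest. SHA-1 is
           deprecated for signatures; where both the SP and the IdP allow it,
           move to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 with a
           http://www.w3.org/2001/04/xmlenc#sha256 digest. -->
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#idQQ1HTnw5lfrETkgMIYLTKBKb.QU">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>Ngbx0dFRUgeSCuqeuatkVQAheiY=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
FcJGTRayYZVsFspuVDRzbJx2onxs2ZtH71evQSGwSvgHuRow8H 2tGLAL31MuCp+nzt9KPEYvfkhy
KOsdgftaz+er0KbgQF44Zhmtg4w9VpCfYfUo8UwSTUIW2KL42n AAh2HHzuNSejRJzRvhuNT3HJVD
Kwsv/BBziyM4dnXI7GBrntAjG+2Yw/Kzm3rr5ACY0uYP788rViVbpdCpzxEH4AnWl5gaWltn739Y
Ug3hsvEzOXwbG7jhJg13pbQWuiwvA2rGOotDR4fzB0xEpSteKe H8hhktIZjiRQ0rLeRuqxXKzOan
j7rd59GsWDj5DSGrcsRZO42pGCvyB6uLaaBAMA==
    </ds:SignatureValue>
    <!-- The signing certificate travels inside the message. A receiver should
         verify the signature against the certificate it already trusts from
         the SP metadata, not against whatever certificate a message embeds. -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDjzCCAnegAwIBAgIEdEiFCzANBgkqhkiG9w0BAQsFADB4MQ swCQYDVQQGEwJVUzELMAkGA1UE
CBMCT0gxEzARBgNVBAcTCk1hcnlzdmlsbGUxDzANBgNVBAoTBl Njb3R0czEUMBIGA1UECxMLd2Vi
c2VydmljZXMxIDAeBgNVBAMTF3VzZXJhcHAudXMuc2NvdHRzY2 8uY29tMB4XDTE1MDkxODEyMTMw
NVoXDTE4MDkxNzEyMTMwNVoweDELMAkGA1UEBhMCVVMxCzAJBg NVBAgTAk9IMRMwEQYDVQQHEwpN
YXJ5c3ZpbGxlMQ8wDQYDVQQKEwZTY290dHMxFDASBgNVBAsTC3 dlYnNlcnZpY2VzMSAwHgYDVQQD
Exd1c2VyYXBwLnVzLnNjb3R0c2NvLmNvbTCCASIwDQYJKoZIhv cNAQEBBQADggEPADCCAQoCggEB
ALnHElLNNk+49oiW7iNTyDMVLFIBHyaYB26Ls6MFn3lPEK+Lv4 vKPCv4PKMGCpG1c8fc79K+OiSW
1bNAykxvAhnhVgBbLanuhIe4F/Buoe1xxOgShNgkadiRp/n/nieFhV0Dvsnfj2qGnSMNUns7fywP
VcoiIajObW0M3j3xPOL2asHhWJD1cfc9eACI9ncdwwaak8gjjT AbHPd4UVV0cv+aK2ejmikAyHMe
ZxjpuMPuLv47QLFI0ssmW0/NlDSBJ39FJi9QtFVsXDWnxXfURZTkc2u2MI5sW4UveChlNIT6n gCb
DsVH+1/PD9EFO4ovM0sj72QVZ5FR3Ut6f0iqm78CAwEAAaMhMB8wHQYDV R0OBBYEFCQcLr7PfVIG
B3LxiUV1UmRuekkBMA0GCSqGSIb3DQEBCwUAA4IBAQB8IVWpvJ B5jb85/ZoaWiB3Shc0/Jhb3snk
GFuBTW/6Mpu3/EZKY3huKYRvR7q+XZ+eq7W5we6QBiwDGFFQQcxdWy/fv5raVqkI52woI8FK5Sv8
JDTyIlrbGVtQn8AiZItxXekcPwD8M90sBJQRf1BeBaGBkC0WP2 L10Hc8cB6L86Osyd4ntv4XF7xN
RH9rnyPrbPp28Ob+wLBfxl1pxklpl//Smpxx57Q5wH5Krm0Y+qdti+A/D3NrUbqES73OnVr7m+Kl
+TNAVNOiVZizqTdS8oVrEZyMdtaSoHdBskr4hB/Ke/rz8e6Dwjh7shS+h6an9Si65Pwq+d/igddF
JKe0
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <!-- The SP asks for a transient NameID, which is an opaque, per-session
       value. The post says cn is the authentication ID, so the cn has to reach
       the SP some other way (for example as an attribute in the assertion), or
       the requested NameID format has to change. TODO confirm against the OSP
       and IdP connection settings. -->
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>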




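<!-- IdP Response to the AuthnRequest with ID idQQ1HTnw5lfrETkgMIYLTKBKb.QU, as
     captured by the browser SAML tracer. Identifiers are restored from the
     forum paste, whose emoticon filter had dropped ":o", ":p" and ":D", and the
     stray space inside the first Issuer value is removed to match the Issuer
     inside the Assertion. Spaces inside the base64 blob are paste artifacts
     and are left as posted.

     What lines up in this trace: InResponseTo equals the request ID,
     Destination and Recipient are the SP assertion consumer URL, Audience is
     the SP entity ID, Status is Success, and IssueInstant falls inside the
     Conditions window. Clock skew on the SP host is still worth checking. -->
<samlp:Response Version="2.0"
                ID="i0mkUQXoyEbdu8vdrWLYcUezmEN"
                IssueInstant="2015-12-02T15:49:46.057Z"
                InResponseTo="idQQ1HTnw5lfrETkgMIYLTKBKb.QU"
                Destination="https://userapp.us.scottsco.com/osp/a/idm/auth/saml2/spassertion_consumer"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:us:scottsco:com:saml2</saml:Issuer>
  <!-- The Reference URI is the Response ID, so this signature covers the whole
       Response; the Assertion further down has no signature of its own and no
       ds:KeyInfo is sent. The SP has to validate with the IdP signing
       certificate held in its own trust configuration, and should consume only
       the assertion that the verified signature covers.
       NOTE(review): a missing or stale IdP signing certificate on the SP would
       make validation fail; confirm the SP trusts the current IdP certificate. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <!-- SHA-1 is used for both the RSA signature and the digest. SHA-1 is
           deprecated for signatures; where both sides allow it, move to
           http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 with a
           http://www.w3.org/2001/04/xmlenc#sha256 digest. -->
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#i0mkUQXoyEbdu8vdrWLYcUezmEN">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>e5yXNwkjYlRTG5kFYrXa2cSVv4I=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
DpiyRZ00kPeVJMi/PSvorYcfQhFVJSetEzg9fPP+pk1eYaOtO34H4BnJog13ftl+hg 97gYi7J3xd
N5TBZgEwFQmeiQDAvXphNOd89evgJfqs4OARL89O+ws+chlxw2 iNgVcdnJeA26O/tXNtP8Y5jdyk
EKFkraPpDGxJVXtGWBn0Ivl33GU89Md2qmUCh7o6UsoZpnpM+5 Eeo/W+nBD7DcXu9Iap4qyJ8GtQ
HpbpPZkFMaZzQSgYhuBIEKqrVdaD0EKcu+uP0kJObDMICUMEvG mHDX7wzC7zBjvvw/SPqaJg/tQK
oy2Z5VzjzsVJaK6j2WWt5R/VOo7cd5rQO6choA==
    </ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion ID="nNtuu0GT7YH3Y7Qw5vNADzzpyJy"
                  IssueInstant="2015-12-02T15:49:46.120Z"
                  Version="2.0"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>sso:us:scottsco:com:saml2</saml:Issuer>
    <!-- The NameID is transient (an opaque value) and this assertion contains
         no saml:AttributeStatement, so nothing here carries the user's cn.
         NOTE(review): this is a plausible cause of the "failed to authenticate
         this session" error; confirm which NameID or attribute the SP is
         configured to match on and have the IdP release it. -->
    <saml:Subject>
      <saml:NameID
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="sso:us:scottsco:com:saml2"
          SPNameQualifier="https://userapp.us.scottsco.com/osp/a/idm/auth/saml2/metadata"
          >aDxSDfOMdp9mtz79YlsXcA1QZAK</saml:NameID>
      <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://userapp.us.scottsco.com/osp/a/idm/auth/saml2/spassertion_consumer"
            NotOnOrAfter="2015-12-02T15:54:46.120Z"
            InResponseTo="idQQ1HTnw5lfrETkgMIYLTKBKb.QU"
            />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Ten-minute validity window around the issue time. -->
    <saml:Conditions NotBefore="2015-12-02T15:44:46.120Z"
                     NotOnOrAfter="2015-12-02T15:54:46.120Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://userapp.us.scottsco.com/osp/a/idm/auth/saml2/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="nNtuu0GT7YH3Y7Qw5vNADzzpyJy"
                         AuthnInstant="2015-12-02T15:49:46.120Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>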


--
fp_IDMWORKS