I understand that NetIQ doesn't officially support non-NetIQ Access
Manager SAML authentication to IDM 4.5.x. Could someone post a working
SAML communication between OSP 6.0 and NAM so we non-NAM users could get
our systems to work? I ended up getting Shibboleth 3.2.x working with
4.5.2, but once going to 4.5.3 with OSP 6.0.x it stopped working.

The first difference I noticed was that I needed to add ID tags to the
metadata at the AttributeAuthorityDescriptor and IDPSSODescriptor level,
whereas I previously had an ID only at the EntityDescriptor level.

This was discovered from this ERROR:

[OIDP] 2016-02-02T11:14:56.701-0600
Level: ERROR
com.netiq.oidpp.configuration.ConfiguratorBase.getTrustedProvider()
[371] thread=localhost-startStop-1
Trusted Provider Load Failure: Class: OSPException
Class: LoggableMessage
Level: ERROR
com.netiq.oidpp.saml2.provider.metadata.EntityDescriptor.getDescriptorFromString()
Reason: NOT_FOUND_ERR: An attempt is made to reference a node in a
context where it does not exist.
Root cause:

NOT_FOUND_ERR: An attempt is made to reference a node in a context
where it does not exist.
org.apache.xerces.dom.ElementImpl: null: setIdAttribute:
XMLSignable.java: registerResolverElement: 486
com.novell.oidp.protocol.provider.metadata.Descriptor:
Descriptor.java: <init>: 53
com.netiq.oidpp.saml2.provider.metadata.SAML2Descriptor:
SAML2Descriptor.java: <init>: 34
com.netiq.oidpp.saml2.provider.metadata.EntityDescriptor:
EntityDescriptor.java: <init>: 109

After that, I noticed that the IDP still needed to sign the Assertion
and not necessarily the Response, which was no different from 4.5.2.

I am stuck at this point though. The only clue I get is an INFO message:

[OIDP] 2016-02-02T20:56:56.935-0600
Level: INFO
Code: com.netiq.oidpp.saml2.protocol.SAML2Type.validate() [659]
Message: Validation failure on message from https://FQDN/idp/shibboleth
: Signature validation failed

This had previously worked in 4.5.2 with this same cert.

schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=55302
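An added check, written for this thread and not taken from the original post or from the NetIQ OSP, NAM or Shibboleth products: it lints IdP metadata for the two things the post ran into, descriptors without an ID attribute (the setIdAttribute failure in the first trace) and a published signing certificate that may not be the one the IdP actually signs with (the "Signature validation failed" message). The sample metadata and certificate bytes are constructed placeholders, and the assumption that OSP wants an ID on exactly EntityDescriptor, IDPSSODescriptor and AttributeAuthorityDescriptor is taken from the post, not from NetIQ documentation.

```python
"""Added diagnostic for the two metadata problems described in the post:
descriptors without an ID attribute, and a signing certificate that may
not match what the IdP actually signs with. Not code from the original
post, NetIQ OSP, NAM or Shibboleth."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Descriptors the post reports as needing an ID attribute before OSP 6.0
# will load the metadata (assumption: OSP registers each of these as an
# ID-carrying element, matching the setIdAttribute call in the trace).
ID_REQUIRED = ("EntityDescriptor", "IDPSSODescriptor", "AttributeAuthorityDescriptor")


def missing_id_attributes(metadata_xml):
    """Return the names of required descriptors that lack an ID attribute."""
    root = ET.fromstring(metadata_xml)
    missing = []
    for local in ID_REQUIRED:
        # root.iter() includes the root element itself, so a top-level
        # EntityDescriptor is checked along with any nested ones.
        for elem in root.iter("{%s}%s" % (MD_NS, local)):
            if not elem.get("ID"):
                missing.append(local)
    return missing


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every certificate the metadata publishes for
    signing. A KeyDescriptor with no 'use' attribute covers signing too."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def installed_cert_is_published(metadata_xml, installed_der):
    """True if the certificate the IdP really signs with (DER bytes, e.g. the
    decoded idp-signing.crt) is among the signing certs in the loaded metadata."""
    return hashlib.sha256(installed_der).hexdigest() in signing_cert_fingerprints(metadata_xml)


# --- constructed sample input (not a real certificate or real metadata) ---
FAKE_CERT_DER = b"constructed placeholder, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode("ascii")
FAKE_CERT_FINGERPRINT = hashlib.sha256(FAKE_CERT_DER).hexdigest()
OTHER_CERT_DER = b"constructed placeholder for a rotated certificate"

# EntityDescriptor and AttributeAuthorityDescriptor carry an ID; the
# IDPSSODescriptor deliberately does not, reproducing the post's first problem.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    ID="_entity1" entityID="https://idp.example.invalid/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor ID="_aa1"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.invalid/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    print("descriptors missing ID:", missing_id_attributes(SAMPLE_METADATA))
    print("published signing certs:", signing_cert_fingerprints(SAMPLE_METADATA))
    print("installed cert published:", installed_cert_is_published(SAMPLE_METADATA, FAKE_CERT_DER))
```

Run it against the metadata file the OSP trusted provider actually loads, and pass the DER bytes of the certificate the IdP signs assertions with; if the fingerprint is not published in that metadata, the SP can only fail signature validation, whatever the IdP side logs.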