We have been struggling to get OSP to work nicely with our PingIdentity IDP to enable us to use our current infrastructure for SSO. I understand PERFECTLY that OSP currently ONLY supports NAM, but perhaps some insight would help us get this working, as many others have with different Identity Providers. Working with people at PingIdentity, it appears that the assertion OSP is sending is not SAML 2.0 compliant. Here is an example of an SP-initiated request with sensitive data changed:

We are using the latest OSP and 4.6 Identity Apps.

Request:

************************* SAML2 Redirect message ********************************
Type: sent
Sent to: https://samldev.company.com/idp/star...rlencodeddata)
RelayState: MzpZMmxrfmMyRnRiREl0WTI5dWRISmhZM1E9
Message:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
Destination="https://samldev.company.com/idp/startSSO.ping?PartnerSpId=https://server.company.com/osp/a/idm/auth/saml2/metadata"
ForceAuthn="false"
ID="idzh816xwiOwDfOTRynwwWG4kXeGo"
IsPassive="false"
IssueInstant="2017-07-07T00:52:11Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
intro="false"
refresh="false">

<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" SPProvidedID="https://server.company.com/osp/a/idm/auth/saml2/metadata">https://server.company.com/osp/a/idm/auth/saml2/metadata</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
************************* End SAML2 message ****************************

The assertion fails with an error referencing illegal attributes, and according to Support Engineers at Ping, "intro=" and "refresh=" are not valid attributes for AuthnRequest.

We have also attempted (more successfully) an IDP-initiated session, which goes through the authentication process properly but doesn't take us to the target page. It puts up a dialog in a box that says:

"Error: Authentication was successful but access to the application is unavailable. Please contact your Administrator." I can then enter the proper page in the URL, "/idmdash", and it works fine.

Looking for any suggestions or recommendations on making this work. Thanks for any help.

Rich
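A check an administrator could run on a captured request, as an added example that is not part of the original post: it parses the AuthnRequest, flags unprefixed attributes that the SAML 2.0 core schema does not define on samlp:AuthnRequest (the allowed list below is taken from the spec, not from the post), and produces a copy with those attributes removed so the two versions can be compared against the IdP. The embedded sample is the request from the post, reconstructed here with the two questionable attributes left in.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)  # keep the original prefixes when re-serialising
ET.register_namespace("saml", SAML)

# Attributes the SAML 2.0 core schema defines on samlp:AuthnRequest
# (RequestAbstractType attributes plus the AuthnRequestType-specific ones).
ALLOWED_ATTRS = {
    "ID", "Version", "IssueInstant", "Destination", "Consent",
    "ForceAuthn", "IsPassive", "ProtocolBinding",
    "AssertionConsumerServiceIndex", "AssertionConsumerServiceURL",
    "AttributeConsumingServiceIndex", "ProviderName",
}
REQUIRED_ATTRS = {"ID", "Version", "IssueInstant"}

# Constructed sample: the SP-initiated request quoted in the post, values as given there.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
  Destination="https://samldev.company.com/idp/startSSO.ping?PartnerSpId=https://server.company.com/osp/a/idm/auth/saml2/metadata"
  ForceAuthn="false" ID="idzh816xwiOwDfOTRynwwWG4kXeGo" IsPassive="false"
  IssueInstant="2017-07-07T00:52:11Z" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  intro="false" refresh="false">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://server.company.com/osp/a/idm/auth/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

def lint_authn_request(xml_text: str) -> dict:
    """Report non-schema unprefixed attributes, foreign namespaced ones, and missing required ones."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest element: {root.tag}")
    # Namespace-qualified attributes appear as '{uri}name' and are reported separately.
    illegal = sorted(a for a in root.attrib if not a.startswith("{") and a not in ALLOWED_ATTRS)
    foreign = sorted(a for a in root.attrib if a.startswith("{"))
    missing = sorted(REQUIRED_ATTRS - set(root.attrib))
    return {"illegal": illegal, "foreign": foreign, "missing": missing}

def strip_illegal_attributes(xml_text: str) -> str:
    """Return the request with the non-schema attributes removed, for a side-by-side test."""
    root = ET.fromstring(xml_text)
    for name in lint_authn_request(xml_text)["illegal"]:
        del root.attrib[name]
    return ET.tostring(root, encoding="unicode")
```

On the sample above the lint reports `intro` and `refresh` as illegal and nothing missing, which matches what the Ping engineers said about the request.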