Error: Unable to log in using IDP. Invalid subject found in SAML response for Shibboleth

Error Message

When using the Shibboleth IDP, the following error is returned when trying to log in to an ArcGIS Enterprise portal via SAML logins:

Unable to login using Idp. Invalid subject found in SAML response.

Cause

The SAML NameID attribute is missing from the <Subject> element of the SAML assertion response.

Solution or Workaround

  1. Edit the SHIBBOLETH_HOME/conf/saml-nameid.xml file and replace this commented-out section:

<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
   p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   p:attributeSourceIds="#{ {'mail'} }" />
-->

with the following, where your-name-id-attribute is the ID of the resolved attribute whose value should populate the NameID:

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
   p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
   p:attributeSourceIds="#{ {'your-name-id-attribute'} }" />

  2. Restart the Shibboleth daemon (Linux) or service (Windows).
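To confirm whether the IdP change took effect, it helps to look at the SAML response itself rather than at the portal's error message. The following script is an added example (not part of this article and not Esri or Shibboleth code) that parses a SAML 2.0 Response and reports whether the assertion's <Subject> carries a non-empty NameID and which Format it uses. The two responses it runs against are constructed for the example, with `jdoe` as a made-up NameID value; a real response can be taken from a SAML tracer or from the IdP's audit log and passed to the same functions.

```python
"""Check a SAML 2.0 Response for the NameID that a service provider such as
Portal for ArcGIS expects inside <saml:Subject>.

Added example; the sample responses below are constructed, not captured
from a real IdP.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def inspect_subject(response_xml: str) -> dict:
    """Return NameID details for the first assertion in a SAML Response.

    Keys:
      has_subject - a <saml:Subject> element exists in the assertion
      name_id     - text of <saml:NameID>, or None if absent or empty
      format      - the Format attribute of <saml:NameID>, or None
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    subject = assertion.find("saml:Subject", NS) if assertion is not None else None
    if subject is None:
        return {"has_subject": False, "name_id": None, "format": None}
    name_id = subject.find("saml:NameID", NS)
    # An empty <NameID/> is as useless to the SP as a missing one.
    if name_id is None or not (name_id.text or "").strip():
        return {"has_subject": True, "name_id": None, "format": None}
    return {
        "has_subject": True,
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format"),
    }


def subject_is_valid(response_xml: str) -> bool:
    """True when the response carries a non-empty NameID, i.e. the condition
    whose absence produces 'Invalid subject found in SAML response'."""
    return inspect_subject(response_xml)["name_id"] is not None


# Constructed sample: what the IdP emits before saml-nameid.xml is fixed.
# The Subject holds only a SubjectConfirmation and no NameID.
RESPONSE_WITHOUT_NAMEID = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: after the attribute-sourced NameID generator is enabled
# with the 'unspecified' format; 'jdoe' is a made-up attribute value.
RESPONSE_WITH_NAMEID = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, xml in (("before fix", RESPONSE_WITHOUT_NAMEID),
                       ("after fix", RESPONSE_WITH_NAMEID)):
        verdict = "OK" if subject_is_valid(xml) else "INVALID SUBJECT"
        print(f"{label}: {verdict} {inspect_subject(xml)}")
```

The check is deliberately narrow: it only answers the question this article is about (is there a NameID at all, and what format does it carry). When the input comes from an untrusted source rather than your own IdP logs, parse it with `defusedxml` instead of the standard-library parser.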

Related Information

Last Published: 7/22/2021

Article ID: 000026099

Software: Portal for ArcGIS 10.9, 10.8.1, 10.8, 10.7.1, 10.7