SP Initiated SSO – Unable to do sso or federation

Posted by niadsystems

I am using ForgeRock Access Management as the Identity Provider with an ASP.NET Webforms application as the Service Provider. I am doing an SP initiated SSO. SP is setup as a Remoted Identity Provider, and IDP is setup as a hosted Identity Provider. I have set up identities using the embedded OpenDJ identity store.

The following error is generated in the Federation log after the SP initiates the SSO, and when the IDP is trying to connect to the AssertionConsumerService.

Any inputs would be appreciated.

DEBUG: DoManageNameID.removeIDPFedSession trying to remove entity=http://NiadServiceProvider, nameID=MQn1laR0S3KpqCVnB2AiZvklmWy7 from IDP session cache
o.f.o.s.UtilProxySAMLAuthenticatorLookup: 2022-03-02 17:16:03,024: Thread[http-nio-8080-exec-8]: TransactionId[cee84c25-fa5b-408c-aea6-883ff540f925-548093]
ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.

3 Mar

What NameID format is being requested by the SP?
Do you have a mapping for that value in the ‘NameID Format List’ in the IDP config?
See NameID Format List here:

1 Like

In addition to @andrew.potter’s suggestion, please also share your SAML2 AuthN request. The request will help understand the “NameID” being requested.