Saml Validation

Hi All,

I have a requirement to validate a SAML assertion. So I am trying the SAML Validation policy and sending a SAML assertion in the body of a POST request in Postman. I am getting the error below:

{
    "fault": {
        "faultstring": "ValidateSAMLAssertion[2-VSA-ValidateSAML]: Error while evaluating xpath /samlp:Response",
        "detail": {
            "errorcode": "steps.saml.validate.ErrorEvaluatingXPath"
        }
    }
}

I have given the XPath as /samlp:Response and I have also tried /Assertion, getting the same error.

Please help me to resolve this issue.

It is impossible to know why this isn't working without more information. Please share the SAML Validation policy and a sample SAML assertion you are testing with.

Hi @apickelsimer,

I have the same problem. This is my SAML Validation policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ValidateSAMLAssertion ignoreContentType="false" name="Validate-SAML-Assertion">
    <DisplayName>Validate SAML Assertion</DisplayName>
    <Source name="request">
        <Namespaces>
            <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
            <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
            <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
        </Namespaces>
        <XPath>/samlp:Response/saml:Assertion</XPath>
    </Source>
    <Description/>
    <TrustStore>saml-idp</TrustStore>
    <RemoveAssertion>true</RemoveAssertion>
</ValidateSAMLAssertion>

Here is a sample SAML assertion:

<samlp:Response
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2dad8efec11eafc208c43087333f19d0698ad6a92" InResponseTo="a101ee8781f29g8b4jej79bcgebi192" Version="2.0" IssueInstant="2023-02-03T14:21:14Z" Destination="https://iit.authentication.eu20.hana.ondemand.com/saml/SSO/alias/iit.azure-live-eu20">
	<saml:Issuer
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sso-ppd.my_company.com/idp/openam
	</saml:Issuer>
	<samlp:Status
		xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
		<samlp:StatusCode
			xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
		</samlp:StatusCode>
	</samlp:Status>
	<saml:Assertion
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2afe1937676055d56d4734dd3ceb079ae65e019b0" IssueInstant="2023-02-03T14:21:14Z" Version="2.0">
		<saml:Issuer>https://sso-ppd.my_company.com/idp/openam</saml:Issuer>
		<ds:Signature
			xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
				<ds:Reference URI="#s2afe1937676055d56d4734dd3ceb079ae65e019b0">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
					<ds:DigestValue>VooWgzv2r74obYCjt0IZx2+luEKfgy8Xr06bsUO6c8c=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>
S1Dfggyd9yTFcbpyqLzuDJc3fsS4z8FR7KYWUKxJNSIqH1xSMCDOjAnXnGCmhOh95oY5Ll2+4Xy3
CRpj9u94SlvdOVATWEnOnIoZniZ1RkeOEc3EKPqRqy8BIvSQFnH+vrSICfg6p+Qp4k5d6Ho+WojH
GDVqPckj+9AVYbqAvNhTbWwDVMry/TNNAaD8muJtY6kMkFC8HuZ/K/xqxKCPMirDwwnY7cxGIuw6
kdpkIqKnq55DZQAnHHENqiYqgA/2sDKaRLn5CPIRjPRiY+j5nyVKRtQoU26rir20kaTV0mTRkO5d
hbUvScBuNoIRNt5YH/AaqvvH3bqfkg2z/8/I5A==
</ds:SignatureValue>
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate><!-- certificate omitted --></ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</ds:Signature>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://sso-ppd.my_company.com/idp/openam" SPNameQualifier="https://iit.authentication.eu20.hana.ondemand.com">my_user</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData InResponseTo="a101ee8781f29g8b4jej79bcgebi192" NotOnOrAfter="2023-02-03T14:31:14Z" Recipient="https://iit.authentication.eu20.hana.ondemand.com/saml/SSO/alias/iit.azure-live-eu20"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2023-02-03T14:11:14Z" NotOnOrAfter="2023-02-03T14:31:14Z">
			<saml:AudienceRestriction>
				<saml:Audience>https://iit.authentication.eu20.hana.ondemand.com</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2023-02-03T14:21:13Z" SessionIndex="s22151a291b67897a999073befa7435bb136c72001">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute Name="uid">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my_user
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="cn">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SEDE Utente
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="sn">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SEDE
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="mail">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my_user@dev.my_company.com
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="givenName">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Utente
				</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

Thanks for helping me.

Your namespaces are incorrect in your policy. It should be -

<Namespaces>
        <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
        <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
</Namespaces>

XPath is correct.

<XPath>/samlp:Response/saml:Assertion</XPath>

I just tested this and it is working for me, however your token has already expired.
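The point of the accepted answer is that every prefix used in the policy's XPath must be bound in its Namespaces block; the posted policy bound soap, wsse and saml but never samlp, so the first step of /samlp:Response/saml:Assertion could not be resolved. The following Python is an added illustration, not code from the thread or from Apigee: it evaluates that path against a constructed, signature-free Response with the poster's namespace map and with the corrected one, and then applies the Conditions window so the "token has already expired" remark is visible too. It uses the standard library's xml.etree rather than Apigee's XPath engine, so the error strings are mine, chosen to mirror the policy's fault names.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Response posted in the thread (no signature).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotBefore="2023-02-03T14:11:14Z" NotOnOrAfter="2023-02-03T14:31:14Z"/>
  </saml:Assertion>
</samlp:Response>"""

# The poster's policy never bound samlp; the accepted answer binds both SAML prefixes.
BROKEN_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FIXED_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
            "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _qualify(step, ns):
    """Expand 'prefix:local' to Clark notation '{uri}local'; an unbound prefix raises KeyError."""
    prefix, _, local = step.rpartition(":")
    return "{%s}%s" % (ns[prefix], local) if prefix else local

def select_assertion(xml_text, xpath, ns):
    """Walk an absolute path such as /samlp:Response/saml:Assertion step by step.
    Returns the matched element, or None when a step matches nothing."""
    steps = xpath.strip("/").split("/")
    node = ET.fromstring(xml_text)
    if node.tag != _qualify(steps[0], ns):  # root element must match the first step
        return None
    for step in steps[1:]:
        node = node.find(_qualify(step, ns))
        if node is None:
            return None
    return node

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def assertion_is_current(assertion, now_iso):
    """Check the saml:Conditions validity window (NotBefore <= now < NotOnOrAfter)."""
    cond = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Conditions")
    return _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))

def validate(xml_text, xpath, ns, now_iso):
    """Summarise the outcome with labels that mirror the policy's fault names."""
    try:
        assertion = select_assertion(xml_text, xpath, ns)
    except KeyError:  # prefix in the XPath that the Namespaces block does not declare
        return "ErrorEvaluatingXPath"
    if assertion is None:
        return "AssertionNotFound"
    return "ok" if assertion_is_current(assertion, now_iso) else "AssertionExpired"
```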

Hi @apickelsimer,

This fixed the problem.

Thanks for your support.