Since the release of OnDemand 2.0 we’ve been focusing on getting it integrated with ADFS. We’ve been following the guide here: SAML Authentication with Active Directory Federated Services (ADFS) and mod_auth_mellon — Open OnDemand 1.8.12 documentation. I followed it exactly with the exception of this discussion in which reply #7 says to switch the arguments for the Mellon metadata generation. This extra step seems to have gotten us started.
I have given our .pfx and metadata to our administrator who has imported that info. However we are now having issues getting the server to accept logins. In the logs I get the following error:
[auth_mellon:error] [pid 7990] [client nnn.nnn.nnn.nnn:60506] Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Requester", StatusCode2="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy", StatusMessage="(null)", referer: https://adfs.domain.edu/
The issue seems to be “InvalidNameIDPolicy”.
At our site the sAMAccountname is used. Our administrator has tried setting the LDAP Attribute to sAMAccountname with the outgoing claim type of Name ID, however when signing in we get the same error message as above in the logs and "Unauthorized. This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required." for the browser.
Any assistance with this would be appreciated. Wondering if anyone else has this set up at their site and what changes, if any, were needed to get this to work.
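A small diagnostic for the failure described in this post, added here as an example rather than code from Open OnDemand or mod_auth_mellon: it reads the NameIDFormat the SP metadata advertises and walks the nested StatusCode chain of the IdP's Response (what the mellon log flattens into StatusCode1/StatusCode2), so the mismatch behind an InvalidNameIDPolicy reply can be read straight from the XML. The metadata and Response documents below are constructed samples, not captures from this site.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata: the SP asks for a transient NameID.
SP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ondemand.example.edu/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP Response carrying the two-level status seen in the log.
IDP_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def sp_nameid_formats(metadata_xml: bytes) -> list[str]:
    """NameID formats the SP advertises; the IdP must be able to issue one of them."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall(".//md:SPSSODescriptor/md:NameIDFormat", NS)]


def status_chain(response_xml: bytes) -> list[str]:
    """Nested samlp:StatusCode values, outermost first (StatusCode1, StatusCode2, ...)."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    chain = []
    while code is not None:
        chain.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)
    return chain


def diagnose(metadata_xml: bytes, response_xml: bytes) -> dict:
    """Report whether the IdP rejected the NameIDPolicy and which formats the SP asked for."""
    chain = status_chain(response_xml)
    rejected = any(c.endswith(":InvalidNameIDPolicy") for c in chain)
    return {"status_chain": chain, "nameid_policy_rejected": rejected,
            "sp_requested_formats": sp_nameid_formats(metadata_xml) if rejected else []}


if __name__ == "__main__":
    print(diagnose(SP_METADATA, IDP_RESPONSE))
```

When the report shows the policy rejected, the format in sp_requested_formats is the one the ADFS relying-party claim rules must be able to emit as the Name ID; a transform to a Name ID of a different format produces exactly this second-level status.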