...
- It suggests you change AuthnRequestsSigned and WantAsssertionsSigned from true to false
- It suggests you remove the NameIDFormat's that it doesn't support, and add the one that it does.
- It provides a signing key which only has 1024-bits, but never signs an AuthnRequest so KeyInfo is not required.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.okta.com/saml2/service-provider/xxxxxxxxxxxxxxxxxxxx"><md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adbe-yyyyyyyyyyyyyyyyyyyyyyyy-yyyy-prd.okta.com/auth/saml20/accauthlinktest" index="0" isDefault="true"/></md:SPSSODescriptor><md:Organization><md:OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">adbe-yyyyyyyyyyyyyyyyyyyyyyyy-yyyy-prd</md:OrganizationName><md:OrganizationDisplayName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">adbe-yyyyyyyyyyyyyyyyyyyyyyyy-yyyy-prd</md:OrganizationDisplayName><md:OrganizationURL xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">https://www.adobe.com</md:OrganizationURL></md:Organization></md:EntityDescriptor>
|
Profile Requirements
- Supports signed responses, which is the Shibboleth default.
- Encryption is not supported and thus has to be disabled.
...