Asana general instructions are at https://asana.com/guide/help/premium/premium-organizations#gl-saml.  Unfortunately, their manual config instructions are an outdated google doc with screenshots of how to configure ADFS.  Here's the info you need for Shibboleth:

 

  1. EntityID is https://app.asana.com/
  2. Send the user's email address as the NameID using 
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  3. Asana does not support encrypting assertions or responses – don't try it

  4. In Asana, configure the HTTP-Redirect URL as the sign-on URL

 

Here's metadata for Asana since they don't provide any.

 

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.asana.com/">
        <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.asana.com/-/saml/consume" index="0"/>
        </md:SPSSODescriptor>
</md:EntityDescriptor>