Are you using the instructions here?
I've helped one or two UK federation IdP operators with this; one
particular thing that I recall being a stumbling block was the "IdP
Login URL:" configuration on the dashboard. What they actually want here
is the IdP's HTTP-POST URL; I think some people put the IdP's login page
here, which doesn't work. And so you should select HTTP-POST as the IdP
For some reason username needed to be selected in User Login Setting for
things to work even though people were generally using an email address
as a username.
Another thing to look out for is that the username (which I think was
actually an email address, though username was selected as the User
Login Setting) needs to be sent in the Subject NameID. The documentation
says it needs to have the format "unspecified", but that doesn't
actually work. It needs to be persistent or transient, i.e.
or this: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
There is some useful information about the Shibboleth IdP configuration
in this thread on Shibboleth users:
On 15/07/2016 11:40, Martin Sherrit wrote:
> I am currently attempting to set up a Federated ID for Adobe CC.
> So far I have managed to use Adobe Enterprise Dashboard to configure
> the Adobe supplied OKTA SP and can see "successful" logins on our
> I can log in with an Enterprise ID to Adobe, and log in via Shibboleth,
> but at this point I get a 400 bad request error, with the error code,
> I have run the SAML tracer tool, and can see that we are releasing
> Email, Firstname and Lastname as required.
> Any advice on where I have gone wrong with the configuration would be
> gratefully received.
UK Access Management Federation for Education and Research
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
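A quick way to check a captured SAML Response (for example, one copied out of SAML tracer) against the two points raised in the reply above, the NameID format and the released attributes. This is an added example, not code from the thread or from Adobe or Shibboleth; the attribute names "Email", "FirstName" and "LastName" and the sample response are assumptions constructed for the check.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Formats the reply reports as working; "unspecified" is deliberately absent.
ACCEPTED_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
# Assumed attribute names (the thread only says Email, Firstname, Lastname).
REQUIRED_ATTRS = {"Email", "FirstName", "LastName"}


def check_response(xml_text):
    """Return a list of problems found in a SAML Response; empty means OK."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in Response"]
    nameid = assertion.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        problems.append("no Subject/NameID")
    else:
        fmt = nameid.get("Format", "")
        if fmt not in ACCEPTED_FORMATS:
            problems.append(f"NameID Format {fmt!r} is not persistent/transient")
        if not (nameid.text or "").strip():
            problems.append("NameID value is empty")
    present = {a.get("Name") for a in
               assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRS - present):
        problems.append(f"missing attribute {name}")
    return problems


def sample_response(nameid_format, attrs):
    """Build a constructed, unsigned, minimal Response for exercising the check."""
    attr_xml = "".join(
        f'<saml2:Attribute Name="{n}"><saml2:AttributeValue>{v}'
        f'</saml2:AttributeValue></saml2:Attribute>' for n, v in attrs.items())
    return (f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}">'
            f'<saml2:Assertion><saml2:Subject>'
            f'<saml2:NameID Format="{nameid_format}">alice@example.ac.uk</saml2:NameID>'
            f'</saml2:Subject><saml2:AttributeStatement>{attr_xml}</saml2:AttributeStatement>'
            f'</saml2:Assertion></saml2p:Response>')
```

Feed a real captured Response to `check_response` to see which of the two stumbling blocks applies before digging into the IdP's NameID generation or attribute release configuration.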