paulselousyoriz
Partner - Contributor III

When Trying To Log In To A QlikSense SAML/Asgardeo Virtual Proxy I Get A "SAML mandatory attribute for user ID is missing" Error Message

I have set up a SAML Application in Asgardeo. I have set up a corresponding Virtual Proxy in QlikSense (using SHA-256) so we can use this for SSO.

When I try to log in I get an error message: "400 - Bad Request" "Contact your system administrator. The user cannot be authenticated or logged out by the SAML response through the following virtual proxy:...." and in the Audit Proxy log I see the following entry: "SAML mandatory attribute for user ID is missing". When I look at the SAML Assertion via SAML Tracer, I do not see any Attribute or NameID entries.

The IDP Metadata file does not contain any Attribute or NameID entries. I read somewhere that these were not necessary for this to work.

I do not think it is a certificate issue - we have a similar set-up for an auth0 application, also using SHA-256, and that works perfectly.

Does anyone have any ideas?

TIA,

Paul

 

QSEOW - August 2023

2 Replies
paulselousyoriz
Partner - Contributor III
Author

It does seem that Attribute statements are not required in the IDP metadata file but the NameID statements are required. I have no idea why Asgardeo is not generating them.

paulselousyoriz
Partner - Contributor III
Author

We have managed to get this working by carrying out the following steps:

  • the attributeConsumingServiceIndex value on the Asgardeo side was incorrect - it was 242316971 when it should have been 1
  • changing this setting needs to take place via calling Asgardeo APIs
  • first, you need to get an access token (using the correct scope values "internal_application_mgt_update internal_application_mgt_create internal_application_mgt_delete internal_application_mgt_view")
  • with the access token, you can then amend the setting
  • when attributeConsumingServiceIndex has been successfully changed, you need to ensure that in the QlikSense Management Console, the corresponding Virtual Proxy contains "SAML attribute for user ID" & "SAML attribute" values for the Subject attribute that begin with "http://wso2.org/claims/"
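
Added example, not part of the original thread and not Qlik or Asgardeo code: a Python check that reads a decoded SAML response (for instance one copied out of SAML Tracer) and reports whether it carries a NameID and the attribute the virtual proxy is configured to read as the user ID. The two sample responses and the claim URI `http://wso2.org/claims/username` are constructed assumptions; substitute the attribute name set in the QMC.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_response(response_xml, user_id_attr):
    """Report whether a decoded SAML response carries the user ID attribute."""
    root = ET.fromstring(response_xml)
    report = {"name_id": None, "attributes": {}, "user_id_present": False, "problems": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An encrypted assertion must be decrypted before it can be inspected.
        kind = "encrypted" if root.find("saml:EncryptedAssertion", NS) is not None else "missing"
        report["problems"].append(f"assertion is {kind}; nothing to inspect")
        return report
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        report["name_id"] = name_id.text.strip()
    else:
        report["problems"].append("no NameID in Subject")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        report["attributes"][attr.get("Name")] = values
    if not report["attributes"]:
        report["problems"].append("no AttributeStatement")
    # The attribute must be present under the exact configured name, with a value.
    report["user_id_present"] = any(report["attributes"].get(user_id_attr, []))
    if not report["user_id_present"]:
        report["problems"].append(f"user ID attribute {user_id_attr!r} missing or empty")
    return report

USER_ID_ATTR = "http://wso2.org/claims/username"  # assumed claim URI for illustration
_WRAP = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}">'
         "<saml:Assertion>{body}</saml:Assertion></samlp:Response>")

# Constructed sample: no Subject/NameID and no attributes, as seen before the fix.
BROKEN = _WRAP.format(body="<saml:Issuer>idp.example</saml:Issuer>", **NS)
# Constructed sample: NameID plus the user ID attribute, as expected after the fix.
FIXED = _WRAP.format(body=(
    "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    f'<saml:AttributeStatement><saml:Attribute Name="{USER_ID_ATTR}">'
    "<saml:AttributeValue>user@example.com</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement>"), **NS)

if __name__ == "__main__":
    for label, xml in (("before", BROKEN), ("after", FIXED)):
        print(label, inspect_response(xml, USER_ID_ATTR))
```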