Why does the Issuer value change from http://localhost:8080/idp/ to tomcat in the SAMLResponse generated by the PicketLink IDP?


Issue

I am attempting to get the PicketLink IDP working with a Shibboleth SP. The Shibboleth SP is logging the following error:

An Issuer was supplied that conflicts with previous results.

This appears to be happening because the Issuer value changes from http://localhost:8080/idp/ to tomcat (the username I logged into the IDP with) within the SAMLResponse from the IDP:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/idp/</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_0930f2f3-9932-4e8c-aefe-c8d4967ab923" IssueInstant="2012-04-02T16:40:09.492-05:00" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tomcat</saml:Issuer>

Notice that the Issuer is included twice in the SAMLResponse from the IDP. The first time the Issuer is http://localhost:8080/idp/; the next time the Issuer is tomcat (the username I logged into the IDP with).

This can be reproduced by hitting the PicketLink IDP and capturing the SAMLResponse that the IDP generates.

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 5.1.2
