In a "hub and spoke" federation, the federation coordinator may require IdP administrators to explicitly request a connection to an SP and allow their users to authenticate to that SP.
In most cases this is not a configuration problem for either the RCIAM service or the identity provider. The connection needs to be implemented in the hub and spoke IdP Proxy.
One example of such a federation is SURFconext, the national IdP federation for research and education in the Netherlands operated by SURFnet. If you are using credentials from a Dutch IdP in eduGAIN, you or your IdP administrators need to request the connection. The following steps will guide you through making the connection:
- Connect to the SURFconext dashboard
- Search for "RCIAM AAI Service provider proxy"
- If the service does not show in the search, you need to ask SURFnet to add it in the dashboard; please write to support at surfconext dot nl
- In the dashboard, next to the "RCIAM AAI Service provider proxy" there should be a "Connect" button. Clicking it will create a service ticket and the SURFconext team will make the connection active.
- After you have received confirmation that the "RCIAM AAI Service provider proxy" is accessible, you will be able to log in to RCIAM
opensaml::FatalProfileException at (https://rciam.example.org/registry.sso/SAML2/POST)
SAML response reported an IdP error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
The Responder error status is typically returned from ADFS-based IdP implementations (notably Microsoft ADFS 2.0 and ADFS 3.0) that cannot properly handle Scoping elements. RCIAM can be configured to omit the scoping element from the authentication requests sent to such IdPs in order to allow successful logins. Please contact the RCIAM support team and include a screenshot of your error.
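When triaging this error, decoding the two SAML messages shows whether the request actually carried a Scoping element and whether the IdP answered with a bare Responder status. The following is an added example, not RCIAM's own code: it assumes the AuthnRequest was sent with the HTTP-Redirect binding (the error above only shows that the response arrives over HTTP-POST), and all function names and sample messages are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

def parse_saml(xml_bytes):
    # SAML messages never need a DTD; refuse one instead of letting the parser expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in a SAML message")
    return ET.fromstring(xml_bytes)

def decode_redirect_request(saml_request):
    """URL-decoded SAMLRequest parameter (HTTP-Redirect: base64 + raw DEFLATE) -> XML bytes."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def has_scoping(authn_request_xml):
    """True if the AuthnRequest carries a samlp:Scoping child element."""
    return parse_saml(authn_request_xml).find(f"{{{SAMLP}}}Scoping") is not None

def status_codes(saml_response_b64):
    """StatusCode chain, top level first, of a base64 SAMLResponse form field (HTTP-POST)."""
    status = parse_saml(base64.b64decode(saml_response_b64)).find(f"{{{SAMLP}}}Status")
    return [] if status is None else [c.get("Value") for c in status.iter(f"{{{SAMLP}}}StatusCode")]

def looks_like_scoping_rejection(saml_request, saml_response_b64):
    """Heuristic only: the request had Scoping and the IdP answered with a bare Responder status."""
    return (has_scoping(decode_redirect_request(saml_request))
            and status_codes(saml_response_b64) == [RESPONDER])

# Constructed sample messages (not captured traffic); IDs and entity names are made up.
def deflate_b64(xml_bytes):
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

SAMPLE_REQUEST = deflate_b64(
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0">'
    f'<samlp:Scoping><samlp:RequesterID>https://sp.example.org/metadata</samlp:RequesterID>'
    f'</samlp:Scoping></samlp:AuthnRequest>'.encode())
SAMPLE_RESPONSE = base64.b64encode(
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed2" Version="2.0">'
    f'<samlp:Status><samlp:StatusCode Value="{RESPONDER}"/></samlp:Status>'
    f'</samlp:Response>'.encode()).decode()

if __name__ == "__main__":
    print(status_codes(SAMPLE_RESPONSE), looks_like_scoping_rejection(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

A Responder status can have other causes, so a positive result here is a reason to contact RCIAM support about omitting the scoping element, not proof of the cause.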
To update your certificate information, follow these steps to log into your RCIAM profile page using your IGTF certificate:
- Click here to access your profile page
This may log you out of any service you have accessed with RCIAM on this browser!
- On the RCIAM identity provider discovery page, select IGTF
If prompted to log in with a different identity provider, click CHOOSE ANOTHER ACCOUNT and then select IGTF. Alternatively, you can click here for your convenience