
RobM.62038 (Customer) asked a question.
I am currently attempting to integrate a client that uses a third-party IdP into our SP. Login is failing. The Okta logs are indicating the following failures:
- Authenticate user via IDP failure: Unknown Profile Attribute
- Authenticate user via IDP failure: User Not Found
- Authenticate user via IDP failure: Unable to match transformed username.
The details within these events don't point me in any particular direction (e.g., what was the unknown profile attribute?).
My Identity Provider is using NameId to determine the Okta user, but I can't find a NameId in the saml-tracer output for the response message. I see that the IdP's response contained an EncryptedAssertion. Does Okta support this out of the box? If so, how do I configure the IdP for this?
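
The symptom described in the question, as an added example that is not part of the original thread and is not Okta code: in SAML 2.0 an `EncryptedAssertion` wraps the whole assertion, including `Subject/NameID`, so a browser-side trace of the response shows only ciphertext. The function and variable names are hypothetical and both sample responses are constructed.

```python
import base64
# Constructed samples only; parse untrusted XML with a hardened parser such as defusedxml.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response):
    """Report what a browser-side trace can see in a SAMLResponse form value."""
    root = ET.fromstring(base64.b64decode(b64_response))
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    # NameID is readable only when the assertion itself is in cleartext.
    name_ids = [n.text for a in plain
                for n in a.findall("saml:Subject/saml:NameID", NS)]
    # A cleartext assertion can still carry an encrypted identifier.
    encrypted_ids = [e for a in plain
                     for e in a.findall("saml:Subject/saml:EncryptedID", NS)]
    return {
        "plain_assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "visible_name_ids": name_ids,
        "encrypted_name_ids": len(encrypted_ids),
        "name_id_hidden": not name_ids and bool(encrypted or encrypted_ids),
    }

def encode(xml):
    """Base64-encode XML the way the HTTP-POST binding carries SAMLResponse."""
    return base64.b64encode(xml.encode()).decode()

WRAP = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
        'ID="_r1" Version="2.0">{}</samlp:Response>')

# Constructed sample: cleartext assertion, NameID visible in a trace.
PLAIN = WRAP.format(
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '</saml:Subject></saml:Assertion>')

# Constructed sample: encrypted assertion, CipherValue is placeholder text.
ENCRYPTED = WRAP.format(
    '<saml:EncryptedAssertion><xenc:EncryptedData><xenc:CipherData>'
    '<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>')

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(label, inspect_saml_response(encode(sample)))
```

A result with `name_id_hidden` set means the NameID can only be read by the party holding the SP's decryption key, not from the trace.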

This is Alexandru with the Okta Support team.
Please review the following articles:
For the issue "Authenticate user via IDP failure: Unable to match transformed username."
"Match against: The Okta user property against which the IdP username is compared."
Per your configuration, you would need to specify the attribute to which the users, who are arriving in Okta from the IDP, are being matched against based on their username.
For an in-depth look at your issue, I would recommend opening a ticket with us by going to: