I'd recommend starting by tracing the SAML AuthN request and Assertion via your browser first (you'd want to install something like this in Chrome/Edge to do this:
https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en-US). That way you can determine what's going wrong.
If it's working as IdP initiated but not SP initiated, that usually means something's wrong with the TAI config. I'd bet your URL filter isn't working correctly (that's the problem I usually have) b/c if you're following these instructions:
https://www.ibm.com/support/pages/node/595209 and you used the example values provided, you'd find that:
sso_1.sp.filter : request-URL%=navigator
doesn't work b/c the parameter "request-url" is case sensitive and should be all lower case. WAS does not provide terribly helpful errors for this problem in my experience (last time I saw it, it presented like this APAR, but the problem was a bad filter statement after doing a much deeper trace:
https://www.ibm.com/support/pages/apar/PI48360)
------------------------------
Eric Walk
Senior Technical Architect
O: 617-453-9984 M: 617-855-9255 | NASDAQ: PRFT | Perficient.com
------------------------------
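The case-sensitivity problem above is easy to miss in a properties file. As an added example (not code from this thread or from IBM), here is a small Python lint that parses the TAI custom properties, picks out every `*.sp.filter` value, and flags any condition whose header name is not all lower case, as Eric describes. The sample properties, hostnames and the set of filter operators (`%=`, `!=`, `^=`, `==`) are assumptions made for the example, not values from the thread.

```python
import re

# Constructed sample of WAS SAML TAI custom properties (hypothetical hostnames).
# sso_1 reproduces the problem from the thread: "request-URL" instead of "request-url".
SAMPLE_PROPERTIES = """
sso_1.sp.acsUrl=https://icn.example.test/samlsps/acs
sso_1.sp.idMap=idAssertion
sso_1.sp.filter=request-URL%=navigator
sso_2.sp.filter=request-url%=navigator;referer!=https://idp.example.test
"""

# Filter condition operators; assumed set, with "%=" meaning "contains".
# "%=" must be checked before "==" because both contain "=".
OPERATORS = ("%=", "!=", "^=", "==")


def parse_properties(text):
    """Parse 'key=value' or 'key : value' lines into a dict; comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_condition(cond):
    """Split one filter condition into (name, operator, value); None if no operator is present."""
    for op in OPERATORS:
        if op in cond:
            name, value = cond.split(op, 1)
            return name.strip(), op, value.strip()
    return None


def lint_filters(props):
    """Return (property, condition, message) findings for every *.sp.filter property."""
    findings = []
    for key, value in props.items():
        if not key.endswith(".sp.filter"):
            continue
        # Multiple conditions in one filter are separated by ';'
        for cond in value.split(";"):
            cond = cond.strip()
            if not cond:
                continue
            parsed = split_condition(cond)
            if parsed is None:
                findings.append((key, cond, "no recognised filter operator"))
                continue
            name, _op, _val = parsed
            if name != name.lower():
                findings.append(
                    (key, cond, f"header name '{name}' is case sensitive; use '{name.lower()}'")
                )
    return findings


def lint_text(text):
    """Convenience wrapper: parse a properties text and lint its filters."""
    return lint_filters(parse_properties(text))


if __name__ == "__main__":
    for prop, cond, msg in lint_text(SAMPLE_PROPERTIES):
        print(f"{prop}: '{cond}': {msg}")
```

Run it against the actual custom properties of the SAML TAI before turning on deep tracing; a filter that never matches simply never hands the request to the TAI, which is why the symptom looks like a generic WAS error rather than a SAML one.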
Original Message:
Sent: Mon July 06, 2020 02:40 AM
From: Benjamin Just
Subject: Using SAML SP initiated with ICN
Hi Gerold,
thanks for your feedback. But how did you set up the SAML request in your custom Java code so that the IdP returns to a default page and not to the page that is stored in the session cookie? I'm only struggling with SP initiated SAML. With IdP initiated it is no big deal because there I can just define the RelayState URL, and ICN/WAS is called from the IdP with the authentication credentials.
------------------------------
Benjamin Just
Original Message:
Sent: Mon July 06, 2020 02:17 AM
From: Gerold Krommer
Subject: Using SAML SP initiated with ICN
Sure. Using PingFederate, ADFS and a third one that for my life I cannot remember.
This has always been a few days of lots of reading and then frustrating debugging. I'm sure error.jsp came up a few times.
But in the end we got it working.
Does the test logon application (that I also cannot remember what it was) work?
It is always WAS which does the authentication and this is then passed to ICN... so it is not ICN's fault...
/Gerold Krommer
------------------------------
Gerold Krommer
Original Message:
Sent: Fri July 03, 2020 08:36 AM
From: Benjamin Just
Subject: Using SAML SP initiated with ICN
Hi Folks,
did anybody implement ICN with SAML SP initiated authentication and run into the issue that ICN directly routes the user to /error.jsp after loading the ICN URL?
------------------------------
Benjamin Just
------------------------------