Value of identify subject claim Email could not be fetched from SAML Response

Article ID: 392084

Products

CASB Security Advanced
CASB Security Premium
CASB Security Standard

Issue/Introduction

When setting up Broadcom SSO with Okta as the IdP, the login fails and the browser is redirected to a URL containing the following error:

INVALID_REQUEST&error_description=value of identify subject claim Email could not be fetched from SAML Response

Cause

This can be caused by a case mismatch between the attribute names Okta sends in the SAML assertion and the attribute names entered in the Broadcom IdP configuration. SAML attribute names are compared case-sensitively.

Resolution

    • To verify which attribute names Okta actually sends, use the browser's developer tools to capture the login session:

      1. Open the browser's developer tools and go to the Network tab.
      2. Attempt to log in using SSO again and look for the POST to the ACS (Assertion Consumer Service) URL.
      3. Copy the SAMLResponse value from the Payload tab and decode it (it is base64-encoded XML). Prefer decoding it locally: an online SAML decoder receives the complete assertion, including the user's attributes.
      4. Examine the Attribute Name= entries in the AttributeStatement.
      5. In this case, Okta sent firstName, lastName and email, whereas FirstName, LastName and Email were entered in the Broadcom IdP configuration wizard. Because attribute names are case-sensitive, the mismatch caused the authentication to fail. The names must match exactly, case included, on both sides.
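The following script is an added example (not Broadcom or Okta tooling) of performing step 3 to step 5 locally instead of with an online decoder: it base64-decodes a SAMLResponse value, reads the Attribute Name= entries from the assertion, and reports which of the expected names (FirstName, LastName, Email, as entered in the Broadcom wizard) match exactly, differ only in case, or are absent. The embedded assertion is constructed for the example and reproduces the camelCase names described above; the script does not validate the response signature, it only inspects attribute names.

```python
import base64
from typing import List
from xml.etree import ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names as entered in the Broadcom IdP configuration wizard
# (taken from the article); the comparison below is case-sensitive.
EXPECTED_ATTRIBUTES = ["FirstName", "LastName", "Email"]

# Constructed sample assertion, not a real Okta response: the IdP sends
# camelCase names, reproducing the mismatch described in the article.
# A real response also carries a Signature element; this script does not
# validate signatures, it only inspects attribute names.
SAMPLE_ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The SAMLResponse form field posted to the ACS is the base64 encoding of the XML;
# build one locally so the script runs offline.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode("utf-8")).decode("ascii")


def attribute_names(saml_response_b64: str) -> List[str]:
    """Return the Attribute Name values of a base64-encoded SAML response, in document order."""
    # Tolerate line breaks or spaces introduced when the value was copied from the browser.
    xml_bytes = base64.b64decode("".join(saml_response_b64.split()))
    root = ET.fromstring(xml_bytes)
    attribute_tag = "{%s}Attribute" % SAML_ASSERTION_NS
    # iter() walks the whole tree, so this works whether the pasted value is a
    # full Response wrapping the Assertion or the Assertion alone.
    return [elem.get("Name") for elem in root.iter(attribute_tag) if elem.get("Name")]


def check_attributes(saml_response_b64: str, expected: List[str] = EXPECTED_ATTRIBUTES) -> dict:
    """Classify each expected name as an exact match, a case-only mismatch, or missing."""
    sent = attribute_names(saml_response_b64)
    by_lowercase = {name.lower(): name for name in sent}
    report = {"ok": [], "case_mismatch": {}, "missing": []}
    for name in expected:
        if name in sent:
            report["ok"].append(name)
        elif name.lower() in by_lowercase:
            # Same name, different capitalisation: exactly the failure the article describes.
            report["case_mismatch"][name] = by_lowercase[name.lower()]
        else:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    result = check_attributes(SAMPLE_SAML_RESPONSE_B64)
    for configured, sent_name in result["case_mismatch"].items():
        print(f"case mismatch: configured '{configured}' but the IdP sent '{sent_name}'")
    for name in result["missing"]:
        print(f"missing: '{name}' is not present in the assertion")
    if not result["case_mismatch"] and not result["missing"]:
        print("all expected attribute names match exactly")
```

To use it on a captured login, replace SAMPLE_SAML_RESPONSE_B64 with the SAMLResponse value copied from the Payload tab; the report then shows which configured names need to be corrected to match what Okta sends.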