I am creating a service provider in Python using the Pysaml2 library. I am trying to send an AuthnRequest to Okta, which is my identity provider. My AuthnRequest looks like this:
<ns0:AuthnRequest AssertionConsumerServiceURL="http://myserviceprovider:8000/saml/acs"
    Destination="https://oktapreview.com/app/myserviceprovider/k40ctg3zVVFQYUMEJFTB/sso/saml"
    ID="id-02a0e2290bbc7fda421483af6b02a9a5" IssueInstant="2015-01-20T22:57:02Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://myserviceprovider:8000/metadata.xml</ns1:Issuer>
  <ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</ns0:AuthnRequest>
My SP initiates a 302 redirect to the Okta IdP and sends this SAML request. I am then presented with a login page where I enter my Okta credentials. I am then taken to okta.com/app/UserHome (which is Okta's homepage) and do not receive any SAML assertion back at my SP's assertion consumer service endpoint.
I verify the SAML activity using SAML Tracer in Firefox.
After looking at many other SAML AuthnRequests from other service providers (such as box.net), I have come to think that perhaps the XML namespace prefixes of my AuthnRequest are causing Okta not to send back an assertion to my ACS.
My namespace is 'ns0' and 'ns1' instead of 'saml2p' and 'samlp'.
Would this cause the problem?
Any other recommendations on building a service provider with pysaml2 would also be appreciated.
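As an added example (not code from the question or from pysaml2), this stdlib-only Python script parses the AuthnRequest above with a namespace-aware parser, so that the ns0/ns1 prefixes disappear into the expanded element names, and then compares the fields an IdP typically validates against its registered SP settings (Destination, AssertionConsumerServiceURL, Issuer). The re-prefixed copy and the registered values passed to the check are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The AuthnRequest from the question, with its ns0/ns1 prefixes.
REQUEST_NS0 = """<ns0:AuthnRequest AssertionConsumerServiceURL="http://myserviceprovider:8000/saml/acs"
    Destination="https://oktapreview.com/app/myserviceprovider/k40ctg3zVVFQYUMEJFTB/sso/saml"
    ID="id-02a0e2290bbc7fda421483af6b02a9a5" IssueInstant="2015-01-20T22:57:02Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://myserviceprovider:8000/metadata.xml</ns1:Issuer>
  <ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</ns0:AuthnRequest>"""

# Constructed copy of the same request using the conventional saml2p/saml2 prefixes.
# Only the prefix strings change; the bound namespace URIs are identical.
REQUEST_SAML2P = REQUEST_NS0.replace("ns0", "saml2p").replace("ns1", "saml2")


def summarize(xml_text):
    """Parse an AuthnRequest and return its expanded names and IdP-relevant fields."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")  # ElementTree uses {uri}local, prefixes are gone
    return {
        "root_tag": root.tag,
        "issuer_tag": issuer.tag,
        "issuer": issuer.text,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def check_against_idp(summary, idp_sso_url, registered_acs, registered_entity_id):
    """Return a list of mismatches between the request and the SP settings registered at the IdP."""
    problems = []
    if summary["destination"] != idp_sso_url:
        problems.append("Destination does not match the IdP SSO URL")
    if summary["acs_url"] != registered_acs:
        problems.append("AssertionConsumerServiceURL is not the ACS registered at the IdP")
    if summary["issuer"] != registered_entity_id:
        problems.append("Issuer does not match the SP entityID registered at the IdP")
    return problems


if __name__ == "__main__":
    a, b = summarize(REQUEST_NS0), summarize(REQUEST_SAML2P)
    print("identical after namespace expansion:", a == b)
    print(check_against_idp(a, a["destination"], a["acs_url"], "http://myserviceprovider:8000/"))
```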