Response samlResponse = getResponse(input);                 // parse the incoming SAMLResponse
Assertion assertion = verifyAssertion(samlResponse);        // verify and extract the Assertion
String assertionId = assertion.getID();
DateTime samlIssueInstant = assertion.getIssueInstant();
Issuer samlIssuer = assertion.getIssuer();
String samlIssuerVal = samlIssuer.getValue();
Subject samlSubject = assertion.getSubject();
NameID samlNameId = samlSubject.getNameID();                // null when the IdP sends no <NameID> under <Subject>
String samlNameVal = samlNameId.getValue(); // This is the source of the NPE
So my mistake is that my AD FS did not produce a Name ID in the SAML response.
Setting a rule to return “Name ID” does the trick. My dummy rule got fired and I was logged into IdentityIQ as spadmin.
Next is to find out which item in AD FS corresponds to IdentityIQ’s email… previously, when I did that, AD FS reported that it was unable to fulfill the request.
EDIT: The thing with email is:
- With that setting, IdentityIQ expects the Name ID to be in email format.
- On the AD FS side, I need to return AD’s email attribute as an email address, then add another rule to transform the email address into a Name ID.
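As an added example, not code from the original post or from IdentityIQ, here is a Python pre-flight check that inspects a SAML Response for the exact condition that produced the NPE above (a Subject with no NameID) and for the email-format Name ID the AD FS transform rule ends up emitting. The two sample responses, the issuer URL and the address spadmin@example.test are constructed; signatures are omitted because this check validates shape only and assumes the assertion has already been verified.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID format that matches an SP configured to map Name ID to an email attribute.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_name_id(response_xml: str) -> tuple[bool, str]:
    """Return (ok, detail): the NameID value on success, otherwise the reason.

    Run this after signature verification (the verifyAssertion step in the
    post); it catches the missing/misformatted NameID before it is dereferenced.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "Response carries no Assertion"
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return False, "Assertion has no Subject"
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:  # exactly the case that raised the NPE in the post
        return False, "Subject has no NameID (IdP sent no Name ID claim)"
    fmt = name_id.get("Format", "")
    if fmt != EMAIL_FORMAT:
        return False, f"NameID Format is {fmt or 'unset'}, expected {EMAIL_FORMAT}"
    value = (name_id.text or "").strip()
    if not EMAIL_RE.match(value):
        return False, f"NameID value {value!r} is not an email address"
    return True, value


# Constructed sample responses (no signatures); not real AD FS output.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
         '<saml:Assertion ID="_a1" Version="2.0">'
         '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>')
_TAIL = "</saml:Assertion></samlp:Response>"
# 1) Before the claim rule: a Subject with no NameID at all.
RESPONSE_NO_NAMEID = _HEAD + "<saml:Subject/>" + _TAIL
# 2) After the transform rule: the email address emitted as the Name ID.
RESPONSE_EMAIL_NAMEID = (_HEAD + '<saml:Subject><saml:NameID Format="' + EMAIL_FORMAT
                         + '">spadmin@example.test</saml:NameID></saml:Subject>' + _TAIL)

if __name__ == "__main__":
    for label, xml in (("missing NameID", RESPONSE_NO_NAMEID), ("email NameID", RESPONSE_EMAIL_NAMEID)):
        print(label, "->", check_name_id(xml))
```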