MyAcademicID integration

MyAcademicID requires several attributes to be released. If your identity provider doesn't release them, you won't be able to log in. You can perform a test on MyAcademicID Attribute Release Check to see which attributes are missing. You can also use a browser extension, like SAML-tracer, to debug and see what exactly your identity provider is sending to MyAcademicID.

Critical

Your identity provider should release all required attributes.

Shared in email correspondence with providers.

This issue might be relevant to you if you use CAS (https://github.com/apereo/cas). Version 6.6.8 introduced a bug where the Address in the SubjectConfirmationData started to contain hostname instead of IP address, which violates SAML2 specification and breaks the integration with MyAcademicID. Up to version 6.6.7, this attribute wasn't sent at all, which was OK because it is optional.

Critical

 <saml2:SubjectConfirmationData Address="proxy.prod.erasmus.eduteams.org"
InResponseTo="id-YvP0PC2XE8gCoC3uH"
NotOnOrAfter="2023-09-19T14:34:16.985Z"
Recipient="https://proxy.prod.erasmus.eduteams.org/saml2sp/acs/post"
/>

If you use CAS and the issue is still not fixed, downgrade to version 6.6.7. There is also going to be a configuration option named skipGeneratingSubjectConfirmationAddress (https://apereo.github.io/cas/6.6.x/services/SAML2-Service-Management.html), which could be used as a workaround, but at the time of writing it is still not officialy released.

Shared in email correspondence with providers