"Unknown Profile Attribute" with shibboleth as IDP

I want to use Okta as an OIDC on top of SAML2/Shibboleth (my university is using Shibboleth).

I have created my SAML2 identity provider.
I am being redirected to my university login page.

But then Okta returns a 400.

Your request resulted in an error.


The logs are not super informative:

    • DebugData
      * AttributeNames [urn:oid:0.9.2342.19200300.100.1.3, urn:oid:, urn:oid:2.16.840.1.113730.3.1.241, urn:oid:, urn:oid:, urn:oid:, urn:oid:, urn:oid:, urn:oid:, urn:oid:, urn:oid:]
      * RequestId Xk9ccKP1okXzdnl3s9jGDwAAAZ0
      * RequestUri /sso/saml2/0oa2cyy7h5oknbsGV4x6]
      * ThreatSuspected false
      * Url /sso/saml2/0oa2cyy7h5oknbsGV4x6?
    • LegacyEventType core.user_auth.idp.saml.unknown_profile_attribute

Given that Shibboleth has been around for a while, I am surprised that the default attribute mapping does not work out of the box.

Has anyone been successful interfacing with Shibboleth?
Is there a mapping I could borrow?

I have created my own mappings.

I am still getting a failure : Unknown Profile Attribute error.

But the log now shows my email address and triggers another error: failure : Unable To JIT
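
One way to see which attribute Names the IdP actually sends, so they can be compared with the mappings created on the Okta side. This is an added example, not part of the original post and not Okta or Shibboleth code; the sample response, the `MAPPED` table and the function names are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of a decoded SAMLResponse (values are placeholders).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>user@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
      <saml:AttributeValue>Sample User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
# The browser POSTs the response base64-encoded in the SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

# Hypothetical mapping: attribute Name sent by the IdP -> profile field on the SP.
MAPPED = {"urn:oid:0.9.2342.19200300.100.1.3": "email"}


def list_attributes(saml_response_b64):
    """Return [(Name, FriendlyName, [values])] for each attribute in the response."""
    # Only feed this a response captured from your own login (stdlib XML parser).
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        # Attributes are not readable until the assertion is decrypted.
        raise ValueError("assertion is encrypted; attributes are not visible")
    found = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found


def unmapped(attrs, mapping):
    """Attribute Names present in the assertion with no entry in the mapping."""
    return [name for name, _, _ in attrs if name not in mapping]


if __name__ == "__main__":
    attrs = list_attributes(SAMPLE_B64)
    for name, friendly, values in attrs:
        print(f"{name:42} {friendly or '-':12} -> {MAPPED.get(name, 'UNMAPPED')}")
    print("unmapped:", unmapped(attrs, MAPPED))
```

The two Names in the sample are the complete OIDs visible in the log above (`mail` and `displayName`); the truncated `urn:oid:` entries cannot be resolved from the log alone.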