I want to use Okta as an OIDC on top of SAML2/Shibboleth (my university is using Shibboleth).
I have created my SAML2 identity provider.
I am being redirected to my university login page.
But then Okta returns a 400.
Your request resulted in an error.
Error Code: GENERAL_NONSUCCESS
The logs are not super informative:
- DebugData
  * AttributeNames: [urn:oid:0.9.2342.19200300.100.1.3, urn:oid:1.3.6.1.4.1.5923.1.1.1.1, urn:oid:2.16.840.1.113730.3.1.241, urn:oid:1.3.6.1.4.1.5923.1.1.1.6, urn:oid:1.3.6.1.4.1.5923.1.1.1.5, urn:oid:2.5.4.42, urn:oid:1.3.6.1.4.1.5923.1.1.1.3, urn:oid:2.5.4.4, urn:oid:2.5.4.3, urn:oid:1.3.6.1.4.1.5923.1.1.1.9, urn:oid:1.3.6.1.4.1.5923.1.1.1.7]
  * RequestId: Xk9ccKP1okXzdnl3s9jGDwAAAZ0
  * RequestUri: /sso/saml2/0oa2cyy7h5oknbsGV4x6]
  * ThreatSuspected: false
  * Url: /sso/saml2/0oa2cyy7h5oknbsGV4x6?
- LegacyEventType
  * core.user_auth.idp.saml.unknown_profile_attribute
Given that Shibboleth has been around for a while, I am surprised that the default attribute mapping does not work out of the box.
Has anyone been successful interfacing with Shibboleth?
Is there a mapping I could borrow?