MetaAlias missing or entity IDs do not match

Exception (on SP):

com.sun.identity.saml2.common.SAML2Exception: This Assertion Consumer Service is not the intended recipient.

A few lines earlier in the log (note the realm '/'):

2016-08-24 13:30:22,677 DEBUG [TRC - DEFAULT - SID: 4f1137640a1410f4c5d9be53eeea7881 - RID: V70LvMCoSm8AANanihQAAAEz] | 001 FedLib: SAML2Utils: getAllAttributeValueFromSSOConfig : realm - /

Reason 1:

The Location of the AssertionConsumerService in sp.xml does not contain the configured metaAlias.

Solution 1:

Add the metaAlias to the Location, i.e.

  • old: Location="https://<FQDN>/sp-login/SPAcs/" index="0" />
  • new: Location="https://<FQDN>/sp-login/SPAcs/metaAlias/iamSpM" index="0" />

with "iamSpM" being defined as the metaAlias in sp-extended.xml (<SPSSOConfig metaAlias="/iamSpM">).

Reason 2:

The entityID values in the IAM SAML SP configuration, sp.xml and sp-extended.xml, on both the SP and the IdP side, do not match.

Solution 2:

Correct these IDs where necessary; if the sp*.xml files have been adjusted, also restart the IAM instance.
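
Both reasons can be checked offline before restarting the instance. The following is an added example, not part of the original note or the product: the function name check_sp_metadata, the host sp.example.com and the entityID value are constructed, and it assumes the entityID sits on the root element of each file.

```python
import xml.etree.ElementTree as ET

def _find_all(root, name):
    # Match on the local element name so the XML namespace prefix does not matter.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_sp_metadata(sp_xml, sp_extended_xml):
    """Return a list of findings; an empty list means both checks passed."""
    std, ext = ET.fromstring(sp_xml), ET.fromstring(sp_extended_xml)
    findings = []
    # Reason 2: entityID must be identical in sp.xml and sp-extended.xml.
    if std.get("entityID") != ext.get("entityID"):
        findings.append(f"entityID mismatch: {std.get('entityID')!r} vs {ext.get('entityID')!r}")
    # Reason 1: every ACS Location must end with /metaAlias + the configured alias.
    aliases = [c.get("metaAlias") for c in _find_all(ext, "SPSSOConfig")]
    for acs in _find_all(std, "AssertionConsumerService"):
        loc = acs.get("Location", "")
        if not any(a and loc.endswith("/metaAlias" + a) for a in aliases):
            findings.append(f"ACS index {acs.get('index')}: {loc!r} lacks /metaAlias{aliases}")
    return findings

# Constructed sample files mirroring the "old" and "new" Location shown above.
SP_OLD = '''<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/sp-login">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/sp-login/SPAcs/" index="0" />
  </SPSSODescriptor>
</EntityDescriptor>'''
SP_NEW = SP_OLD.replace("SPAcs/", "SPAcs/metaAlias/iamSpM")
SP_EXT = '''<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="true" entityID="https://sp.example.com/sp-login">
  <SPSSOConfig metaAlias="/iamSpM" />
</EntityConfig>'''

if __name__ == "__main__":
    for label, doc in (("old", SP_OLD), ("new", SP_NEW)):
        print(label, check_sp_metadata(doc, SP_EXT) or "OK")
```

Run the same comparison against the copies of sp.xml and sp-extended.xml held on the IdP side, since a mismatch there causes the same exception.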