SAML AuthnRequest not accepted
Andrew Morgan
morgan at orst.edu
Wed Nov 5 18:11:26 EST 2014
We have multiple instances of Canvas LMS integrated with our Shibboleth
IDP via InCommon metadata. Sometime recently, our beta instance of Canvas
started sending slightly different SAML AuthnRequests, which are causing
an error in Shibboleth:
ERROR [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:200] - SAML message intended destination endpoint URI required by binding was empty
WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements
org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
Here is the working SAML from the prod instance:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="a5a2807dc857dfeff65a52e6474748817ced253018"
Version="2.0"
IssueInstant="2014-11-05T19:03:37Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://oregonstate.instructure.com/saml_consume"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://oregonstate.instructure.com/saml2</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"
>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
and here is the failing SAML from the beta instance:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="b1d5fc79a212e6c9f74c998523bba02de3fde40156"
Version="2.0"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://oregonstate.beta.instructure.com/saml_consume"
IssueInstant="2014-11-05T19:02:58Z"
>
<saml:Issuer>http://oregonstate.instructure.com/saml2</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
I see that the xmlns is defined differently, but I don't know if it is
incorrect. Both validate according to xmllint.
I'm already talking to Canvas about it, but I'd like to understand why
Shibboleth is throwing an error.
Thanks,
Andy
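As an added illustration (not code from the post, from Canvas, or from Shibboleth), the script below parses the two AuthnRequests quoted above with Python's standard-library XML parser and compares them after namespace resolution. It shows that the differing xmlns placement is cosmetic (both documents expand to the same qualified element names), that the only root-level differences are ID, IssueInstant and the ACS URL, and that neither request carries the Destination attribute the IdP log is complaining about. The `signed` parameter is an assumption you supply from the transport: the SAML 2.0 HTTP-POST and HTTP-Redirect bindings require Destination on a signed message, and the OpenSAML 2 decoders in Shibboleth IdP 2 enforce it only when they see a signature, which for the Redirect binding travels in the query string rather than inside the XML.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Both requests are copied from the post (whitespace condensed); they are the
# data under discussion, not constructed samples.
PROD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="a5a2807dc857dfeff65a52e6474748817ced253018" Version="2.0"
  IssueInstant="2014-11-05T19:03:37Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://oregonstate.instructure.com/saml_consume">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://oregonstate.instructure.com/saml2</saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

BETA_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="b1d5fc79a212e6c9f74c998523bba02de3fde40156" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://oregonstate.beta.instructure.com/saml_consume"
  IssueInstant="2014-11-05T19:02:58Z">
  <saml:Issuer>http://oregonstate.instructure.com/saml2</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def element_names(xml_text):
    """Element names in document order as {namespace}local (Clark notation).
    The parser resolves prefixes, so two documents that declare the same
    namespaces in different places yield identical lists."""
    return [el.tag for el in ET.fromstring(xml_text).iter()]


def summarize(xml_text):
    """Extract the root-level fields a binding-level check cares about."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),  # None when the attribute is absent
        "binding": root.get("ProtocolBinding"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text.strip() if issuer is not None else None,
        # An enveloped XML signature; a Redirect-binding signature is not in the XML.
        "has_xml_signature": root.find(f".//{{{DS}}}Signature") is not None,
        "elements": element_names(xml_text),
    }


def differing_fields(a, b):
    """Names of summary fields whose values differ between two requests."""
    return sorted(k for k in a if a[k] != b[k])


def destination_findings(summary, signed=None):
    """Apply the Destination rule behind the IdP's error.

    If `signed` is not given, fall back to whether the XML carries a
    ds:Signature; pass signed=True explicitly for a Redirect-binding request
    whose signature lives in the query string (assumption supplied by caller).
    """
    if signed is None:
        signed = summary["has_xml_signature"]
    findings = []
    if summary["destination"] is None:
        if signed:
            findings.append("Destination missing on a signed request: the decoder "
                            "rejects it before the SSO profile handler runs")
        else:
            findings.append("Destination missing; tolerated unless the request is signed")
    return findings


if __name__ == "__main__":
    prod, beta = summarize(PROD_REQUEST), summarize(BETA_REQUEST)
    print("same elements after namespace resolution:", prod["elements"] == beta["elements"])
    print("root fields that differ:", differing_fields(prod, beta))
    for finding in destination_findings(beta, signed=True):
        print("beta, if sent signed:", finding)
```

Because the structural comparison comes out equal, the xmlns difference alone does not explain the rejection; what the decoder is missing is the Destination attribute, and it only insists on it for signed messages. A useful next check on the IdP side is therefore whether the beta instance now signs its requests (or switched binding) while production does not, which the XML excerpts alone cannot show.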