SAML AuthnRequest not accepted

[Brent Putman]

On 11/5/14 7:06 PM, Andrew Morgan wrote:
> On Wed, 5 Nov 2014, Cantor, Scott wrote:
>
>> On 11/5/14, 11:11 PM, "Andrew Morgan" <morgan at orst.edu> wrote:
>>> ERROR [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:200] -
>>> SAML message intended destination endpoint URI required by binding was
>>> empty
>> That's a missing Destination attribute, so...
>>
>>> Here is the working SAML from the prod instance:
>> That is in fact not a working message. The one that worked had a
>> Destination attribute in the root element.


Had to dig on this one....  Per the SAML 2 core and bindings specs, the
Destination is only required to be present if the message is signed.  
So OpenSAML implements it that way:  If the message is signed it's an
error for it to be absent; if it's unsigned then it's optional.  In both
cases, when it is present, it must be valid or else that's also an error.



>
> If you'd like to capture the SAML request yourself, here are the URLs:
>
>    beta (failing): https://oregonstate.beta.instructure.com/login
>
>    prod (working): https://oregonstate.instructure.com/login
>
>
> Both of them are missing the Destination attribute.  I'm using IDP v2.4.0.



Yeah, looking at the raw protocol trace is the key here. The difference
is that in prod, they're not signing.  In beta they are, using of course
the Redirect binding signature - which you don't see in the XML, it's a
query parameter. (In SAML Tracer, look on the Parameters tab).  So for
the beta, the presence of the signature + absence of Destination is
causing the error.  This is a bug on their side, clear violation of the
spec.  They'll need to fix it, nothing you can do about it from your end
(except bug them).

--Brent



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20141105/430924d2/attachment.html