SAML AuthnRequest not accepted

Andrew Morgan morgan at orst.edu
Thu Nov 6 15:20:23 EST 2014


Thanks for digging into this everyone.  I forwarded this information to 
Canvas, and they are fixing their code/config.

 	Andy

On Wed, 5 Nov 2014, Brent Putman wrote:

>
> On 11/5/14 7:06 PM, Andrew Morgan wrote:
>> On Wed, 5 Nov 2014, Cantor, Scott wrote:
>>
>>> On 11/5/14, 11:11 PM, "Andrew Morgan" <morgan at orst.edu> wrote:
>>>> ERROR [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:200] -
>>>> SAML message intended destination endpoint URI required by binding was
>>>> empty
>>> That's a missing Destination attribute, so...
>>>
>>>> Here is the working SAML from the prod instance:
>>> That is in fact not a working message. The one that worked had a
>>> Destination attribute in the root element.
>
>
> Had to dig on this one....  Per the SAML 2 core and bindings specs, the
> Destination is only required to be present if the message is signed.
> So OpenSAML implements it that way:  If the message is signed it's an
> error for it to be absent; if it's unsigned then it's optional.  In both
> cases, when it is present, it must be valid or else that's also an error.
>
>
>
>>
>> If you'd like to capture the SAML request yourself, here are the URLs:
>>
>>    beta (failing): https://oregonstate.beta.instructure.com/login
>>
>>    prod (working): https://oregonstate.instructure.com/login
>>
>>
>> Both of them are missing the Destination attribute.  I'm using IDP v2.4.0.
>
>
>
> Yeah, looking at the raw protocol trace is the key here. The difference
> is that in prod, they're not signing.  In beta they are, using of course
> the Redirect binding signature - which you don't see in the XML, it's a
> query parameter. (In SAML Tracer, look on the Parameters tab).  So for
> the beta, the presence of the signature + absence of Destination is
> causing the error.  This is a bug on their side, clear violation of the
> spec.  They'll need to fix it, nothing you can do about it from your end
> (except bug them).
>
> --Brent
>
>
>
>

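The rule Brent lays out above (Destination is only mandatory when the message is signed, and when present it must match the endpoint the message arrived at) can be made concrete with a small decoder for the HTTP-Redirect binding. This is an added example, not code from the thread or from OpenSAML: the IdP endpoint URL, the AuthnRequest XML and the Signature parameter value are all constructed, the signature itself is not verified (that is a separate check), and the endpoint comparison is an exact string match where a real implementation normalizes the URIs first.

```python
"""Added example: the Destination rule from the SAML 2 core/bindings specs,
applied to an AuthnRequest carried on the HTTP-Redirect binding.

Not OpenSAML code.  Everything below (endpoint, request XML, signature
value) is constructed for illustration.
"""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

# Constructed IdP SSO endpoint (placeholder, not a real deployment).
IDP_ENDPOINT = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"

# Constructed AuthnRequest without a Destination attribute (like the
# messages in the thread).
AUTHN_REQUEST_NO_DEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2014-11-05T23:11:00Z"/>'
)

# Same request, this time carrying Destination as the spec requires for
# signed messages.
AUTHN_REQUEST_WITH_DEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed2" Version="2.0" IssueInstant="2014-11-05T23:11:00Z" '
    f'Destination="{IDP_ENDPOINT}"/>'
)


def deflate_encode(xml_text):
    """Encode as the Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_redirect_url(xml_text, signed):
    """Build the SP -> IdP redirect URL.  With the Redirect binding the
    signature lives in the query string (SigAlg + Signature), not in the
    XML, which is why it is invisible in the decoded message."""
    params = {"SAMLRequest": deflate_encode(xml_text)}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
        # Constructed placeholder; a real value is the base64 RSA signature.
        params["Signature"] = base64.b64encode(b"constructed-signature").decode()
    return IDP_ENDPOINT + "?" + urlencode(params)


def decode_redirect_request(url):
    """Return (parsed AuthnRequest root, binding-level signature present?)."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_bytes = zlib.decompress(raw, -15)  # raw DEFLATE
    return ET.fromstring(xml_bytes), "Signature" in query


def check_destination(root, signed, endpoint):
    """The rule as Brent describes OpenSAML implementing it:
    - signed and Destination absent  -> error
    - unsigned and Destination absent -> fine, it is optional
    - Destination present             -> must match the receiving endpoint
    Exact string comparison here; real decoders normalize the URIs."""
    dest = root.get("Destination")
    if dest is None:
        if signed:
            return "error: signed message without Destination"
        return "ok: unsigned, Destination optional"
    if dest != endpoint:
        return "error: Destination does not match endpoint"
    return "ok: Destination matches"


def evaluate(url, endpoint=IDP_ENDPOINT):
    """Decode a redirect URL and apply the Destination rule."""
    root, signed = decode_redirect_request(url)
    return check_destination(root, signed, endpoint)


if __name__ == "__main__":
    # Mirrors the thread: unsigned + no Destination passes, signed + no
    # Destination is rejected.
    print("prod-like:", evaluate(build_redirect_url(AUTHN_REQUEST_NO_DEST, signed=False)))
    print("beta-like:", evaluate(build_redirect_url(AUTHN_REQUEST_NO_DEST, signed=True)))
    print("fixed:    ", evaluate(build_redirect_url(AUTHN_REQUEST_WITH_DEST, signed=True)))
```

The two "no Destination" cases reproduce the prod/beta difference from the thread: the XML is identical, and only the presence of the Signature query parameter flips the result. Fixing the SP side means emitting Destination whenever the request is signed, as the third case shows.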
