SAML SP not working with TestShib

Peter Schober peter.schober at
Thu Nov 27 05:15:04 EST 2014

* Ben Henley <ben.henley at> [2014-11-27 10:33]:
> Our app is known to work with some SAML IdP implementations, but I can't
> work out the correct settings to use with TestShib.
> The SP has settings for SSO URL, SLO URL, Issuer Metadata URL, X509 cert.
> Based on looking at the info in testshib-providers.xml I have tried various
> SSO URLs and they return different errors:

So you're asking what SAML2.0 metadata is and which parts of it map to
what fields in your own software? The former is part of the SAML2.0
specificication (see SAML2.0 Metadata), the latter is not something
anyone else will be able to tell you.

> Using
> Error Message: Error decoding Shibboleth SSO request

You're likely not sending it a Shibboleth SSO request, which is not
the same thing as a SAML2.0 authentication request, but a proprietary
extension for SAML1. I.e., forget about this.

> Using
> Error Message: SAML 2 SSO profile is not configured for relying party

See "SAML 2 SSO profile is not configured for relying party" in
I.e., the IDP doesn't have SAML2.0 metadata for the SP, most likely.

> Using
> Error Message: Error decoding authentication request message

Did did you send there, a SAML2.0 authentication request?
Over/With what protocol binding did you send it?

> What would cause these errors? I have entered the X509 cert from the issuer
> metadata.

You're not saying for what purpose you're using those URLs, I can only
guess from the error messages.
But the main thing is what I said above: The SAML specs has
standardized all relevant info in the SAML2.0 Metadata
specification. It's up to you to understand how to map standardized
elements unto whatever data structures your own implementation uses.

More information about the users mailing list