IDP response message type on SP missing in metadata

Rainer Hoerbe rainer at
Mon May 16 14:28:27 EDT 2016

When an SP is sending an AuthnRequest to a Shib IDP, and the IDP cannot locate the SP's entityID in its metadata, it will return an HTTP 400 with "The application you have accessed is not registered for use with this service" in the body. I wonder if this is spec-compliant, because SAML core is saying:
"The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message containing one or more assertions that meet the specifications defined by the request, or with a <Response> message containing a <Status> describing the error that occurred."

Wouldn’t an XML <Response> be the correct answer? 

- Rainer
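
An added illustration, written for this page and not taken from Rainer's post or from the Shibboleth IdP code, of what the SAML-level alternative he asks about would look like: the IdP parses the AuthnRequest, looks the Issuer up in its metadata, and on a miss answers with a samlp:Response that carries only a samlp:Status (top-level Requester, second-level RequestDenied, both defined in SAML 2.0 Core section 3.2.2.2; that these are the right codes for "unknown SP" is my choice, not something the spec dictates). The entityIDs, ACS URLs and the AuthnRequest XML are constructed for the example; the metadata lookup is a plain dict standing in for a real metadata provider. One caveat the code makes explicit: an error Response still has to be delivered somewhere, and for an SP that is not in metadata the only candidate endpoint is the unverified AssertionConsumerServiceURL in the request itself, so the handler marks that destination as untrusted and leaves the deliver-or-HTTP-400 decision to the caller.

```python
"""Answering an AuthnRequest from an SP that is missing from metadata.

Hypothetical stand-alone model of the IdP-side decision; stdlib only.
"""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Status code URIs from SAML 2.0 Core, section 3.2.2.2.
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Assumed IdP entityID (hypothetical).
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"

# Constructed stand-in for the IdP's metadata: entityID -> registered ACS URL.
METADATA = {
    "https://sp.example.org/shibboleth": "https://sp.example.org/Shibboleth.sso/SAML2/POST",
}


def _authn_request(issuer, acs, request_id="_req1"):
    """Constructed sample AuthnRequest (Redirect/POST payload after decoding)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2016-05-16T18:28:27Z" '
        f'AssertionConsumerServiceURL="{acs}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


UNKNOWN_SP_REQUEST = _authn_request("https://unknown.example.net/shibboleth",
                                    "https://unknown.example.net/acs")
KNOWN_SP_REQUEST = _authn_request("https://sp.example.org/shibboleth",
                                  "https://sp.example.org/Shibboleth.sso/SAML2/POST")
MISMATCHED_ACS_REQUEST = _authn_request("https://sp.example.org/shibboleth",
                                        "https://attacker.example.net/acs")


def parse_authn_request(xml_text):
    """Extract the fields the IdP needs to decide how to answer."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def build_status_response(request_id, top_level, second_level=None, message=None, destination=None):
    """A samlp:Response that carries only a Status and no assertions."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    if request_id:
        attrs["InResponseTo"] = request_id   # lets the SP correlate the error with its request
    if destination:
        attrs["Destination"] = destination
    resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_level})
    if second_level:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": second_level})
    if message:
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def parse_status(response_xml):
    """Read back the status codes of a samlp:Response (used to check results)."""
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    second = top.find("samlp:StatusCode", NS) if top is not None else None
    return {
        "top": top.get("Value") if top is not None else None,
        "second": second.get("Value") if second is not None else None,
        "in_response_to": root.get("InResponseTo"),
    }


def handle_authn_request(xml_text, metadata=METADATA):
    """Decide whether to proceed, and if not, produce the SAML-level error."""
    req = parse_authn_request(xml_text)
    registered_acs = metadata.get(req["issuer"])
    if registered_acs is None:
        # Unknown SP: we can say "no" in SAML, but the only endpoint we have for
        # delivering it is the unverified ACS URL from the request itself.
        return {
            "accepted": False,
            "destination": req["acs"],
            "destination_trusted": False,
            "response": build_status_response(
                req["id"], STATUS_REQUESTER, STATUS_REQUEST_DENIED,
                f"Requester {req['issuer']!r} is not registered in metadata",
                destination=req["acs"]),
        }
    if req["acs"] is not None and req["acs"] != registered_acs:
        # Known SP, but the request names an endpoint metadata does not list:
        # refuse, and send the refusal only to the registered endpoint.
        return {
            "accepted": False,
            "destination": registered_acs,
            "destination_trusted": True,
            "response": build_status_response(
                req["id"], STATUS_REQUESTER, STATUS_REQUEST_DENIED,
                "AssertionConsumerServiceURL does not match metadata",
                destination=registered_acs),
        }
    # Known SP with a consistent endpoint: authentication and assertion
    # issuance would follow here; the decision is all this model covers.
    return {"accepted": True, "destination": registered_acs,
            "destination_trusted": True, "response": None}
```

The point the third branch makes is the same one behind the first: the ACS URL a requester supplies is only usable once metadata vouches for it, which is why an IdP that wants to stay with HTTP 400 for unregistered SPs has a defensible reason even if a Status-only Response is what the quoted MUST suggests.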
