IDP response message type on SP missing in metadata

Cantor, Scott cantor.2 at
Mon May 16 14:42:06 EDT 2016

On 5/16/16, 1:28 PM, "users on behalf of Rainer Hoerbe" <users-bounces at on behalf of rainer at> wrote:

>When an SP is sending an AuthnRequest to a Shib IDP, and the IDP cannot locate the SP's entityID in its metadata, it will return an HTTP 400 with "The application you have accessed is not registered for use with this service" in the body. I wonder if this is spec-compliant, because SAML core is saying:
>"The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message containing one or more assertions that meet the specifications defined by the request, or with a <Response> message containing a <Status> describing the error that occurred."
>Wouldn't an XML <Response> be the correct answer?

The IdP doesn't respond to untrusted endpoints. The logic that would establish the endpoint hasn't run yet, so it couldn't respond even if it were told to (and of course it couldn't do so anyway unless the request contains the endpoint, which admittedly is the normal case).

Also, you're reading core, which is speaking generically. The profile text was modified in E85 to speak to this question and it's worded fairly precisely to allow for this.

-- Scott
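Added example, not from this thread or the Shibboleth code base: the decision Scott describes, reduced to a small Python function that only agrees to send a SAML <Response> once the requesting entityID and its AssertionConsumerService endpoint have been established from metadata, and otherwise answers with a plain HTTP 400. The metadata table and the AuthnRequest messages are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the IdP's metadata: entityID -> registered ACS endpoints.
METADATA = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/SAML2/POST",
    },
}

def handle_authn_request(xml_text, metadata=METADATA):
    """Return ("http_400", reason) when no trusted endpoint can be established,
    otherwise ("saml_response", endpoint) meaning a <Response> (success or a
    <Status> error) may be sent to that endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ("http_400", "not an AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    endpoints = metadata.get(issuer)
    if not endpoints:
        # Unknown entityID: there is no metadata, hence no trusted endpoint to reply to.
        return ("http_400", "The application you have accessed is not registered for use with this service")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        # Request carries no endpoint: use the one registered in metadata.
        acs = sorted(endpoints)[0]
    if acs not in endpoints:
        # Endpoint named in the request is not in metadata: still untrusted.
        return ("http_400", "AssertionConsumerServiceURL not registered in metadata")
    return ("saml_response", acs)

# Constructed AuthnRequest from a registered SP.
KNOWN_SP_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
    IssueInstant="2016-05-16T18:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request with an entityID that is not in the IdP's metadata.
UNKNOWN_SP_REQUEST = KNOWN_SP_REQUEST.replace(
    "<saml:Issuer>https://sp.example.org/shibboleth",
    "<saml:Issuer>https://unknown.example.net/sp")
```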
