Getting "Unable to resolve outbound message endpoint", but endpoint is in metadata

Peter Schober peter.schober at
Mon Feb 26 13:17:09 EST 2018

* shibboleth655 at <shibboleth655 at> [2018-02-26 19:07]:
> 2. When doing an SP-initiated authentication, the IdP generates this error:
> [...]
>  PopulateBindingAndEndpointContexts: Unable to resolve outbound message
> endpoint for relying party 'https://xxxxx.example
> .edu/fom/loginSAML': EndpointCriterion
> [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService,
> Binding=urn:oasi
> s:names:tc:SAML:2.0:bindings:HTTP-Redirect,
> Location=, trusted=false]

The SP is broken as it requests the HTTP-Redirect protocol binding to
be used for the reponse, which isn't legal for SAML WebSSO, IIRC.

The literal error above though means that what the SP requested (that
URL with that binding) does not match what you have in metadata:

> Here is the SP's metadata: [...]
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="" isDefault="true"
> index="0"/>

Here there's only the HTTP-POST binding, but requested was
HTTP-Redirect, ergo the mismatch.


More information about the users mailing list