Getting "Unable to resolve outbound message endpoint", but endpoint is in metadata

shibboleth655 at shibboleth655 at
Tue Feb 27 10:21:43 EST 2018

Does this mean that a line such as this

Location="" isDefault="true" 

that I sometimes find in SP metadata submitted to our local SAML 
federation is invalid?

On 2/26/2018 10:17 AM, Peter Schober wrote:
> * shibboleth655 at <shibboleth655 at> [2018-02-26 19:07]:
>> 2. When doing an SP-initiated authentication, the IdP generates this error:
>> [...]
>>   PopulateBindingAndEndpointContexts: Unable to resolve outbound message
>> endpoint for relying party 'https://xxxxx.example.edu/fom/loginSAML':
>> EndpointCriterion
>> [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService,
>> Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect,
>> Location=, trusted=false]
> The SP is broken as it requests the HTTP-Redirect protocol binding to
> be used for the response, which isn't legal for SAML WebSSO, IIRC.
> The literal error above though means that what the SP requested (that
> URL with that binding) does not match what you have in metadata:
>> Here is the SP's metadata: [...]
>>      <md:AssertionConsumerService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>> Location="" isDefault="true"
>> index="0"/>
> Here there's only the HTTP-POST binding, but requested was
> HTTP-Redirect, ergo the mismatch.
> -peter
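
The mismatch described in the reply above, as an added example that is not part of the original thread and is not Shibboleth IdP code: a simplified Python check of the binding and ACS URL an AuthnRequest asks for against the endpoints in an SP's metadata. The sample metadata, its entityID and Location, the function names, and the matching rules are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; entityID and Location are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs" isDefault="true" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def acs_endpoints(metadata_xml):
    """Return (binding, location, is_default) for every ACS in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location", ""),
             e.get("isDefault") in ("true", "1"))
            for e in root.iter(MD + "AssertionConsumerService")]

def check_request(metadata_xml, binding=None, location=None):
    """Return (endpoint, problems) for what an AuthnRequest asked for.

    Assumed, simplified rules: every requested attribute must equal the
    metadata value; with nothing requested the default endpoint is used.
    """
    endpoints = acs_endpoints(metadata_xml)
    problems = []
    if binding == REDIRECT:
        problems.append("HTTP-Redirect requested for the response")
    for b, loc, _ in endpoints:
        if not loc:
            problems.append("metadata ACS with empty Location (binding %s)" % b)
    if binding is None and location is None:
        # Nothing requested: fall back to the default, else the first endpoint.
        matches = [e for e in endpoints if e[2]] or endpoints[:1]
    else:
        matches = [e for e in endpoints
                   if binding in (None, e[0]) and location in (None, e[1])]
    if not matches:
        problems.append("no metadata endpoint matches the request")
    return (matches[0] if matches else None), problems
```

Calling `check_request(SAMPLE_METADATA, binding=REDIRECT)` returns no endpoint and two problems, which is the situation in the log line quoted above: the only endpoint in metadata is HTTP-POST.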
