Getting "Unable to resolve outbound message endpoint", but endpoint is in metadata
shibboleth655 at lewenberg.com
Tue Feb 27 10:21:43 EST 2018
Does this mean that a line such as this
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://xxxxx.example.edu/fom/loginSAML" isDefault="true"
index="0"/>
that I sometimes find in SP metadata submitted to our local SAML
federation is invalid?
On 2/26/2018 10:17 AM, Peter Schober wrote:
> * shibboleth655 at lewenberg.com <shibboleth655 at lewenberg.com> [2018-02-26 19:07]:
>> 2. When doing an SP-initiated authentication, the IdP generates this error:
>> [...]
>> PopulateBindingAndEndpointContexts: Unable to resolve outbound message
>> endpoint for relying party 'https://xxxxx.example.edu/fom/loginSAML':
>> EndpointCriterion
>> [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService,
>> Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect,
>> Location=https://xxxxx.example.edu/fom/loginSAML, trusted=false]
>
> The SP is broken as it requests the HTTP-Redirect protocol binding to
> be used for the response, which isn't legal for SAML WebSSO, IIRC.
>
> The literal error above though means that what the SP requested (that
> URL with that binding) does not match what you have in metadata:
>
>> Here is the SP's metadata: [...]
>> <md:AssertionConsumerService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>> Location="https://xxxxx.example.edu/fom/loginSAML" isDefault="true"
>> index="0"/>
>
> Here there's only the HTTP-POST binding, but requested was
> HTTP-Redirect, ergo the mismatch.
>
> -peter
>
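The comparison discussed in this thread, as an added example (not code from the thread or from the Shibboleth project): a simplified exact-match check of the binding and Location an AuthnRequest asks for against the AssertionConsumerService entries in SP metadata, plus a lint for ACS entries that declare HTTP-Redirect, which the SAML 2.0 Web Browser SSO profile does not permit for the response. The helper names and the sample metadata are constructed for illustration; the IdP's real endpoint resolution considers more than this.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: SP metadata shaped like the fragment quoted in the thread.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://xxxxx.example.edu/fom/loginSAML">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xxxxx.example.edu/fom/loginSAML" isDefault="true"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def acs_endpoints(metadata_xml):
    """Return (binding, location) for every AssertionConsumerService element."""
    # ElementTree is fine for this embedded sample; use a hardened parser
    # such as defusedxml for metadata received from third parties.
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter("{%s}AssertionConsumerService" % MD_NS)]

def check_request(metadata_xml, binding, location):
    """Explain whether the endpoint an AuthnRequest asks for is in metadata."""
    endpoints = acs_endpoints(metadata_xml)
    findings = []
    if binding == REDIRECT:
        findings.append("requested binding is HTTP-Redirect, not allowed for the SSO response")
    if (binding, location) in endpoints:
        findings.append("match: endpoint is registered in metadata")
    elif any(loc == location for _, loc in endpoints):
        registered = sorted(b for b, loc in endpoints if loc == location)
        findings.append("mismatch: Location is registered, but only with " + ", ".join(registered))
    else:
        findings.append("mismatch: Location is not registered in metadata")
    return findings

def lint_metadata(metadata_xml):
    """List ACS Locations that declare the HTTP-Redirect binding."""
    return [loc for b, loc in acs_endpoints(metadata_xml) if b == REDIRECT]

if __name__ == "__main__":
    for line in check_request(SAMPLE_METADATA, REDIRECT,
                              "https://xxxxx.example.edu/fom/loginSAML"):
        print(line)
```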