Getting "Unable to resolve outbound message endpoint", but endpoint is in metadata
Peter Schober
peter.schober at univie.ac.at
Tue Feb 27 10:38:28 EST 2018
* shibboleth655 at lewenberg.com <shibboleth655 at lewenberg.com> [2018-02-27 16:22]:
> Does this mean that a line such as this
>
> <AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> Location="https://xxxxx.example.edu/fom/loginSAML" isDefault="true"
> index="0"/>
>
> that I sometimes find in SP metadata submitted to our local SAML
> federation is invalid?
The spec is clear on this: "HTTP-Redirect MUST NOT be used" for the reponse.
"the identity provider issues a <Response> message to be delivered
by the user agent to the service provider. Either the HTTP POST, or
HTTP Artifact binding can be used to transfer the message to the
service provider through the user agent. [...] The HTTP Redirect
binding MUST NOT be used, as the response will typically exceed the
URL length permitted by most user agents."
https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf
Lines 476-480 in the "Merged/Errata Composite" version.
That probably means the SP metadata asking the IDP to do something not
allowed by the spec is "invalid", yes. Not in the XSD schema-valid sense.
The purpose of the metadata here is to /authorize/ the location of an
incoming Authentication Request. That purpose is also fulfilled with a
not-legal-per-the-spec use of a protocol binding, I guess.
In the example you sent the requested binding was HTTP-POST, though,
so having HTTP-Redirect in metadata is simply wrong.
I have no idea what the Shib IDP would do if the SP requested
HTTP-Redirect for the reponse (and the metadata the IDP had on record
for that SP also "authorized" that via an ACS element as above).
Would it make the IDP use the HTTP-Redirect binding for the response?
Would the IDP simply abort due to errors?
Seems you should know that already.
-peter
More information about the users
mailing list