Unable to decode incoming request

Tom Scavo trscavo at gmail.com
Tue Mar 13 12:38:34 EDT 2018

On Tue, Mar 13, 2018 at 12:19 PM, Tom Scavo <trscavo at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 11:43 AM, Michael Dahlberg <olgamirth at gmail.com> wrote:
>> I've
>> checked the X509 cert in their metadata and it looks good.  Are there any
>> other reasons why the IdP would be unable to decode the request?
> You don't give enough information for me to be sure but my guess is
> that the IdP is rejecting a signature based on the SHA-1 digest
> algorithm.

You can easily check this by inspecting the signature itself (not the
signing certificate in metadata). What are the values of the following
attributes in the signed AuthnRequest?


If the value of either attribute indicates SHA-1, that is your
problem. The easiest thing to do is just stop signing the request.
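
Added example, not part of the original message: a Python check that decodes a base64 HTTP-POST `SAMLRequest` and reports whether its embedded XML signature uses SHA-1. It assumes the attributes to inspect are the `Algorithm` attributes of `ds:SignatureMethod` and `ds:DigestMethod`; the sample requests and the names `signature_algorithms`, `uses_sha1` and `make_request` are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# W3C XML Signature algorithm identifiers that depend on SHA-1.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def signature_algorithms(saml_request_b64):
    """Return (signature_algs, digest_algs) found in a base64 SAMLRequest."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    sig = [e.get("Algorithm") for e in root.iter(DS + "SignatureMethod")]
    dig = [e.get("Algorithm") for e in root.iter(DS + "DigestMethod")]
    return sig, dig

def uses_sha1(saml_request_b64):
    """True if any signature or digest algorithm in the request is SHA-1 based."""
    sig, dig = signature_algorithms(saml_request_b64)
    return any(alg in SHA1_URIS for alg in sig + dig)

# Constructed sample: structurally minimal, no real signature values.
TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2018-03-13T16:00:00Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig}"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="{dig}"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

def make_request(sig, dig):
    return base64.b64encode(TEMPLATE.format(sig=sig, dig=dig).encode())

SHA1_REQ = make_request("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                        "http://www.w3.org/2000/09/xmldsig#sha1")
SHA256_REQ = make_request("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                          "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for name, req in (("SHA1_REQ", SHA1_REQ), ("SHA256_REQ", SHA256_REQ)):
        print(name, signature_algorithms(req), "SHA-1:", uses_sha1(req))
```

With the HTTP-Redirect binding the signature is not embedded in the XML; the algorithm is carried in the `SigAlg` query parameter instead, so this check applies to POST-bound requests only.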

