Internal SP Using HTTP-Redirect instead of HTTP-POST

Garmer, Jack - garmercj garmercj at
Thu May 23 18:37:45 EDT 2019

Good Evening!

In an effort to create a uniform login experience, complete with MFA, our organization has opted to deploy internal SPs. I'm working with a colleague on setting up one of our first SPs and I'm running into a snag that I can't find the answer to via normal channels. I'm hoping someone here can assist.

We're attempting to authenticate against our development idp environment. In the shibd.log on the SP side, we're seeing this:

2019-05-23 18:26:38 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2] [default]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="" Destination= ID="_1648fa9b7458e5bb02050562e7902c54" IssueInstant="2019-05-23T22:26:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

And the SP transaction log shows this:

2019-05-23 18:26:38|Shibboleth-TRANSACTION.AuthnRequest|||||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect||||||

On the idp side, we see this:

DEBUG Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location '' nor response location 'null' matched ''

It appears the SP is sending requests to HTTP-Redirect on our idp and I can't figure out why. The metadata on both instruct HTTP-POST as the primary protocol:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0" isDefault="true"/>


<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location=""/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>

If I remove the HTTP-POST-SimpleSign and HTTP-Redirect lines from the idp metadata on the SP, I get an HTTP-POST transaction on the SP, but a similar candidate mismatch error on the idp side. What config files should I be paying attention to that would control this behavior? Relying-parties.xml is configured similarly to other SPs we have in place and makes no mention of using HTTP-Redirect. Shibboleth2.xml also makes no mention of HTTP-Redirect.

Thank you for your time!

Jack Garmer
Linux Systems Administrator
James Madison University
o. 540-568-4235
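As an added illustration (not code from the original post or from the Shibboleth project), the following is a small model of the two selection steps the logs above refer to: the SP choosing which IdP SingleSignOnService binding carries the AuthnRequest, which is governed by the SP's own preference list (the SAML2 SessionInitiator's outgoingBindings in shibboleth2.xml) rather than by the order of endpoints in the IdP metadata, and the IdP-side endpoint resolver matching the AuthnRequest's ProtocolBinding and AssertionConsumerServiceURL against the SP's AssertionConsumerService entries. All hostnames and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed IdP metadata: the same three SSO endpoints the post lists,
# with placeholder locations.
IDP_MD = f"""<IDPSSODescriptor xmlns="{MD}">
  <SingleSignOnService Binding="{POST}" Location="https://idp.example/SSO/POST"/>
  <SingleSignOnService Binding="{SIMPLESIGN}" Location="https://idp.example/SSO/SimpleSign"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example/SSO/Redirect"/>
</IDPSSODescriptor>"""

# Constructed SP metadata: a single POST AssertionConsumerService
# (XML attribute names are case-sensitive, so it must be isDefault).
SP_ACS = "https://sp.example/Shibboleth.sso/SAML2/POST"
SP_MD = f"""<SPSSODescriptor xmlns="{MD}">
  <AssertionConsumerService Binding="{POST}" Location="{SP_ACS}" index="0" isDefault="true"/>
</SPSSODescriptor>"""

def choose_sso_endpoint(idp_md, preference):
    """SP side: pick the IdP SingleSignOnService to send the AuthnRequest to.
    The first binding in the SP's preference list that the IdP advertises
    wins; the order of endpoints in the IdP metadata does not matter."""
    root = ET.fromstring(idp_md)
    offered = {e.get("Binding"): e.get("Location")
               for e in root.iter(f"{{{MD}}}SingleSignOnService")}
    for binding in preference:
        if binding in offered:
            return binding, offered[binding]
    return None

def resolve_acs(sp_md, protocol_binding, acs_url=None):
    """IdP side: find the AssertionConsumerService the response may go to.
    Candidates are ACS endpoints whose Binding equals the request's
    ProtocolBinding. If the request names an AssertionConsumerServiceURL,
    it must equal a candidate's Location or ResponseLocation; otherwise
    the default (isDefault="true", else the first candidate) is used.
    None corresponds to the 'neither candidate endpoint ... matched'
    failure seen in the IdP log."""
    root = ET.fromstring(sp_md)
    cands = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
             if e.get("Binding") == protocol_binding]
    if acs_url:
        for e in cands:
            if acs_url in (e.get("Location"), e.get("ResponseLocation")):
                return e.get("Location")
        return None
    default = [e for e in cands if e.get("isDefault") == "true"] or cands
    return default[0].get("Location") if default else None
```

With a Redirect-first preference the SP legitimately sends the AuthnRequest over HTTP-Redirect while still asking for an HTTP-POST response via ProtocolBinding; the two bindings are independent, and the IdP-side match is decided by the ACS URL and ProtocolBinding, not by the request binding.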
