SAML message intended destination endpoint did not match the recipient endpoint
Gustavo Duarte
gus.duarte at gmail.com
Wed Mar 11 11:32:28 EDT 2020
Hi all,
I'm new to the Shibboleth world.
I installed and configured an IdP on a Linux server (Ubuntu 16.04), following
this guide:
https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/Ubuntu/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v3.3.2%20on%20Ubuntu%20Linux%20LTS%2016.04%20with%20Apache2%20%2B%20Jetty9.md
My first attempt was to test it with an online SAML2 test tool:
https://samltest.id/start-idp-test/
When I tried this test, the following error was shown:
"Web Login Service - Message Security Error
The request cannot be fulfilled because the message received does not meet
the security requirements of the login service."
In the Shibboleth log, the following line is shown:
2020-03-11 14:32:00,831 - 127.0.0.1 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler: SAML message intended destination endpoint 'https://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'http://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO'
I figured out that the reason for this error is that there is a
difference (http vs. https) between the endpoint URLs.
But I don't understand why that is happening.
As you can see in the metadata of my IdP (below, without certificate
info), I wrote "https" in SingleSignOnService.
And the Apache reverse proxy configuration is:
<IfModule mod_proxy.c>
    ProxyPreserveHost On
    # mod_headers: tell the backend that the client's request arrived over TLS
    RequestHeader set X-Forwarded-Proto "https"
    # Jetty listens on plain HTTP on the loopback interface
    ProxyPass /idp http://127.0.0.1:8080/idp retry=5
    ProxyPassReverse /idp http://127.0.0.1:8080/idp retry=5
    <Location /idp>
        Require all granted
    </Location>
</IfModule>
==================================================
<?xml version="1.0" encoding="UTF-8"?>
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
This metadata is not dynamic - it will not change as your
configuration changes.
-->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xml="http://www.w3.org/XML/1998/namespace"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr"
    validUntil="2020-04-10T15:48:54.555Z"
    entityID="https://idp.gusduarte.tech/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">gusduarte.tech</shibmd:Scope>
      <!--
      Fill in the details for your IdP here
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">A Name for the IdP at idp.gusduarte.tech</mdui:DisplayName>
        <mdui:Description xml:lang="en">Enter a description of your IdP at idp.gusduarte.tech</mdui:Description>
        <mdui:Logo height="80" width="80">https://idp.gusduarte.tech/Path/To/Logo.png</mdui:Logo>
      </mdui:UIInfo>
      -->
    </Extensions>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <!--
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/POST/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/POST-SimpleSign/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.gusduarte.tech:8443/idp/profile/SAML2/SOAP/SLO"/>
    -->
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        req-attr:supportsRequestedAttributes="true"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        req-attr:supportsRequestedAttributes="true"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        req-attr:supportsRequestedAttributes="true"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">gusduarte.tech</shibmd:Scope>
    </Extensions>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.gusduarte.tech/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <!-- If you uncomment the above you should add
    urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration
    above -->
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
=======================================================
Thanks in advance.
Gustavo
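The check that fails in the post compares two things: the Destination attribute the SP put into the AuthnRequest (copied from the Location in the IdP metadata, hence https) and the URL the servlet container believes it received the request on. Behind the reverse proxy in the post, Jetty is reached over plain HTTP on 127.0.0.1:8080, so unless the container is told to honour the X-Forwarded-Proto header Apache sets, it reports the scheme as http and the two endpoints differ. The following is an added example, not code from the post, the IDEM guide or the Shibboleth project: it models the SAML 2.0 HTTP-Redirect binding encoding on the SP side and a simplified version of the OpenSAML ReceivedEndpointSecurityHandler comparison on the IdP side, run against a constructed AuthnRequest and a constructed stand-in for the proxied servlet request. The SP entityID, request ID and the `trust_forwarded_headers` switch are assumptions for the example; the URL comparison is an approximation of OpenSAML's, not its actual code.

```python
"""Added example (not from the original post or the Shibboleth project):
a minimal model of the SAML 2.0 Redirect-binding Destination check that
OpenSAML's ReceivedEndpointSecurityHandler performs, run against a
constructed AuthnRequest, showing why a reverse proxy that does not tell
the container about TLS termination yields an http-vs-https mismatch."""

import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Endpoint published in the IdP metadata; an SP copies it into the Destination attribute.
IDP_REDIRECT_SSO = "https://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO"

# Constructed AuthnRequest: the SP entityID, ACS URL and request ID are made up for this example.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    f'ID="_example-request-id" Version="2.0" IssueInstant="2020-03-11T14:32:00Z" '
    f'Destination="{IDP_REDIRECT_SSO}" '
    f'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    f'<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    f'</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text: str) -> str:
    """SP side: HTTP-Redirect binding = raw DEFLATE -> base64 -> URL-encode (the SAMLRequest parameter)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_binding(saml_request_param: str) -> str:
    """IdP side: reverse of encode_redirect_binding."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def intended_destination(xml_text: str) -> str:
    """The 'intended destination endpoint' in the log message: the request's Destination attribute."""
    return ET.fromstring(xml_text).attrib.get("Destination", "")


def received_endpoint(request: dict, trust_forwarded_headers: bool) -> str:
    """The 'recipient endpoint' in the log message: the URL the container believes it served.

    `request` is a constructed stand-in for the HttpServletRequest Jetty hands the IdP.
    'scheme' is what arrived on the wire (plain HTTP from Apache's ProxyPass to 127.0.0.1:8080);
    the Host header survives because of ProxyPreserveHost On. The scheme only changes when the
    container is configured to honour X-Forwarded-Proto (in Jetty, the ForwardedRequestCustomizer).
    """
    scheme = request["scheme"]
    if trust_forwarded_headers:
        scheme = request["headers"].get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{request['headers']['Host']}{request['path']}"  # query string is not compared


def _normalize(url: str) -> tuple:
    p = urllib.parse.urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port, p.path)


def endpoints_match(intended: str, received: str) -> bool:
    """Approximation of OpenSAML's URL comparison: scheme, host, effective port and path must agree."""
    return _normalize(intended) == _normalize(received)


def check_received_endpoint(saml_request_param: str, request: dict, trust_forwarded_headers: bool) -> dict:
    """Decode the Redirect-binding parameter and perform the endpoint check; returns both URLs and the verdict."""
    intended = intended_destination(decode_redirect_binding(saml_request_param))
    received = received_endpoint(request, trust_forwarded_headers)
    return {"intended": intended, "received": received, "ok": endpoints_match(intended, received)}


# Constructed request as Jetty on 127.0.0.1:8080 sees it behind the Apache config in the post.
PROXIED_REQUEST = {
    "scheme": "http",
    "path": "/idp/profile/SAML2/Redirect/SSO",
    "headers": {"Host": "idp.gusduarte.tech", "X-Forwarded-Proto": "https"},
}

if __name__ == "__main__":
    param = encode_redirect_binding(AUTHN_REQUEST)
    for trust in (False, True):
        r = check_received_endpoint(param, PROXIED_REQUEST, trust)
        verdict = "OK" if r["ok"] else "Message Security Error"
        print(f"honour X-Forwarded-Proto={trust}: intended {r['intended']}, received {r['received']} -> {verdict}")
```

Run stand-alone, the script reproduces the mismatch from the log (https intended, http received) when the forwarded header is ignored, and a match when it is honoured. The point for the deployment is that setting X-Forwarded-Proto in Apache is only half of the fix: the header has no effect until the container behind the proxy is configured to trust it, and it should be trusted only from the proxy, since a client that can reach the backend directly could otherwise supply its own value.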