<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 5/25/16 12:12 PM, Cantor, Scott
      wrote:<br>
    </div>
    <blockquote cite="mid:AFBDFD94-BB43-4E40-A4D1-3B595B415735@osu.edu"
      type="cite">
      <pre wrap="">
</pre>
      <pre wrap="">
That's signed XML. The bug didn't apply to that case, it was breaking on signed redirects.
</pre>
    </blockquote>
    <br>
    I noticed that the AuthnRequest has both
    AssertionConsumerServiceIndex and AssertionConsumerServiceURL, BUT
    no ProtocolBinding.  Because of the absence of the binding, perhaps
    the URL can't be effectively evaluated? And if there's no metadata
    corresponding for that index then it wouldn't work either?  Just
    speculating.<br>
    <br>
    At the very least that request seems malformed, since per Core index
    is mutually exclusive with URL + binding.<br>
    <br>
  </body>
</html>