
Request missing SAMLResponse or TARGET form parameters


Rainer Hoerbe
I ran into a problem in the following situation during the setup of a
native SP (mod_shib 2.2).

After a resource is requested, the SP will issue an AuthnRequest to
the IDP (Shib 2.1.2). The HTTP-POST request includes the following elements:
- form parameter RelayState=cookie:6a3c7a74
- form parameter SAMLResponse=<some good looking XML>
- Cookie shibstate_6a3c7a74=http://sp2.local/bmi.gv.at/viewer.php
- no other query string or form parameter

After receiving the SAMLResponse, the SP issues the following error message:

opensaml::BindingException at (http://sp2.local/Shibboleth.sso/SAML/POST)
Request missing SAMLResponse or TARGET form parameters.

I do not understand the mechanism with RelayState (or could not find
documentation). Do I understand right that relayState=cookie in
<SPConfig> will not require a TARGET parameter passed back to the
AssertionConsumerService?

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
        relayState="cookie" entityID="http://idp.local/idp/shibboleth">
    <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

Rainer Hoerbe

Re: Request missing SAMLResponse or TARGET form parameters

Chad La Joie
No.  Are you using the Shib IdP?

Hörbe Rainer wrote:
> I do not understand the mechanism with RelayState (or could not find
> documentation. Do I understand right, that relayState=cookie in
> <SPConfig> will not require a TARGET parameter passed back to the
> AssertionConsumerService?


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


RE: Request missing SAMLResponse or TARGET form parameters

Cantor, Scott E.
In reply to this post by Rainer Hoerbe
Hörbe Rainer wrote on 2009-10-22:
> After receiving the SAMLResponse, the SP issues following error message:
>
> opensaml::BindingException at (http://sp2.local/Shibboleth.sso/SAML/POST)
> Request missing SAMLResponse or TARGET form parameters.

That's a SAML 1 error, so you're mixing protocols, based on the assumption
that you're correct about the request you saw it send. In the case of SAML
1, TARGET is required, which is not the case with RelayState.

> I do not understand the mechanism with RelayState (or could not find
> documentation. Do I understand right, that relayState=cookie in
> <SPConfig> will not require a TARGET parameter passed back to the
> AssertionConsumerService?

For SAML 1, that's not optional. The IdP is what determines that value, and
that would depend on what kind of IdP it was and whether the legacy
Shibboleth protocol was involved to supply a target inbound.

Offhand, I'd say something's screwed up in metadata or something like that.

-- Scott



Re: Request missing SAMLResponse or TARGET form parameters

Rainer Hoerbe
Fixed: I misconfigured the IDP so that it posted the Version 2  
SAMLResponse to the Version 1 AssertionConsumerService.

Thanks, Rainer

On 22.10.2009 at 17:47, Scott Cantor wrote:

> Hörbe Rainer wrote on 2009-10-22:
>> After receiving the SAMLResponse, the SP issues following error message:
>>
>> opensaml::BindingException at (http://sp2.local/Shibboleth.sso/SAML/POST)
>> Request missing SAMLResponse or TARGET form parameters.
>
> That's a SAML 1 error, so you're mixing protocols, based on the assumption
> that you're correct about the request you saw it send. In the case of SAML
> 1, TARGET is required, which is not the case with RelayState.
>
>> I do not understand the mechanism with RelayState (or could not find
>> documentation. Do I understand right, that relayState=cookie in
>> <SPConfig> will not require a TARGET parameter passed back to the
>> AssertionConsumerService?
>
> For SAML 1, that's not optional. The IdP is what determines that value, and
> that would depend on what kind of IdP it was and whether the legacy
> Shibboleth protocol was involved to supply a target inbound.
>
> Offhand, I'd say something's screwed up in metadata or something like that.
>
> -- Scott
>
>
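
The misconfiguration found in this thread, as an added diagnostic sketch (not written by any poster and not Shibboleth code): it compares the protocol of a captured SAMLResponse with the binding of the AssertionConsumerService it was posted to. The metadata and the capture are constructed; the /SAML2/POST location and the function names are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Protocol family implied by an ACS Binding URI in SP metadata.
BINDING_FAMILY = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "SAML2",
    "urn:oasis:names:tc:SAML:1.0:profiles:browser-post": "SAML1",
}
# Protocol family implied by the namespace of the posted <Response>.
RESPONSE_FAMILY = {
    "{urn:oasis:names:tc:SAML:2.0:protocol}Response": "SAML2",
    "{urn:oasis:names:tc:SAML:1.0:protocol}Response": "SAML1",
}
# Constructed SP metadata: indexes follow the defaultACSIndex values in the
# first message; the /SAML2/POST location is an assumption.
SP_METADATA = """<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:AssertionConsumerService index="1" Location="http://sp2.local/Shibboleth.sso/SAML2/POST"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <md:AssertionConsumerService index="5" Location="http://sp2.local/Shibboleth.sso/SAML/POST"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
</md:SPSSODescriptor>"""
# Constructed capture shaped like the POST described in the first message.
CAPTURED_FORM = {
    "RelayState": "cookie:6a3c7a74",
    "SAMLResponse": base64.b64encode(
        b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"/>'
    ).decode(),
}

def acs_family(metadata_xml, location):
    """Return the protocol family of the ACS endpoint registered at location."""
    for acs in ET.fromstring(metadata_xml).iter(MD + "AssertionConsumerService"):
        if acs.get("Location") == location:
            return BINDING_FAMILY.get(acs.get("Binding"), "unknown")
    return "unregistered"

def check_post(metadata_xml, location, form):
    """Offline triage of a captured POST; this does not validate signatures."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    sent = RESPONSE_FAMILY.get(root.tag, "unknown")
    expected = acs_family(metadata_xml, location)
    problems = []
    if sent != expected:
        problems.append(f"{sent} response posted to {expected} endpoint")
    if expected == "SAML1" and "TARGET" not in form:
        problems.append("SAML1 endpoint requires TARGET; RelayState does not replace it")
    return problems
```

Calling `check_post(SP_METADATA, "http://sp2.local/Shibboleth.sso/SAML/POST", CAPTURED_FORM)` reports both the version mismatch and the missing TARGET; the same capture sent to the SAML 2 endpoint reports nothing.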
