No return endpoint available for relying party

Dan Dunbar
I am new to all of this so please pardon my ignorance.  I am attempting to
configure an IdP and SP.  Everything seems to be working when I use
testshib, but when I use my SP I get redirected and can then authenticate with
LDAP correctly; when I get redirected after successful login I get the error
"No peer endpoint available to which to send SAML response".

I have looked into the problem but cannot seem to find the incorrect setting.
The associated process log is below.

12:59:16.664 - DEBUG [PROTOCOL_MESSAGE:91] -
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceIndex="1"
    Destination="https://smidp.uwstout.edu/idp/profile/SAML2/Redirect/SSO"
    ID="_729cff1ba1cf168a823dcb19f8d21de9" IssueInstant="2010-10-06T17:59:15Z"
    Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://smidp.uwstout.edu/idp/shibboleth</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

12:59:24.964 - INFO [Shibboleth-Access:73] - 20101006T175924Z|144.13.104.94|smidp.uwstout.edu:443|/profile/SAML2/Redirect/SSO|
12:59:24.964 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:415] - No return endpoint available for relying party https://smidp.uwstout.edu/idp/shibboleth

Re: No return endpoint available for relying party

Kevin P. Foote

Have you checked the 3 items mentioned here:

https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors#IdPTroubleshootingCommonErrors-edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler%3ANoreturnendpointavailableforrelyingparty...

Mainly the consumption of the proper metadata on both ends.

------
thanks
  kevin.foote


RE: No return endpoint available for relying party

Dan Dunbar
I did see that page.  I verified the handlers.xml file and the
shibboleth2.xml file.  Here are what I believe to be the appropriate
snippets of the files:


    <ph:ProfileHandler xsi:type="ph:Status">
        <ph:RequestPath>/Status</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAMLMetadata"
                       metadataFile="c:\opt\shibboleth/metadata/idp-metadata.xml">
        <ph:RequestPath>/Metadata/SAML</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:ShibbolethSSO"
                       inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post
                                                   urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
        <ph:RequestPath>/Shibboleth/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML1AttributeQuery"
                       inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
        <ph:RequestPath>/SAML1/SOAP/AttributeQuery</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML1ArtifactResolution"
                       inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
        <ph:RequestPath>/SAML1/SOAP/ArtifactResolution</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO"
                       inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO"
                       inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST-SimpleSign/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO"
                       inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Redirect/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2AttributeQuery"
                       inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/AttributeQuery</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2ArtifactResolution"
                       inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/ArtifactResolution</ph:RequestPath>
    </ph:ProfileHandler>
   

And shibboleth2.xml

<SessionInitiator type="SAML2" Location="/login" isDefault="true" id="stout"
                  relayState="cookie"
                  entityID="https://smidp.uwstout.edu/idp/shibboleth" acsByIndex="true"
                  defaultAcSIndex="1"
                  template="bindingTemplate.html"/>

            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="5"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>


RE: No return endpoint available for relying party

Cantor, Scott E.
> I did see that page.  I verified the handlers.xml file and the
> shibboleth2.xml file.  here are what I believe to be the appropriate
> snippets of the files

But your SP metadata is wrong. Whether your configuration is wrong depends
on whether the metadata matches an incorrect configuration or doesn't match
a correct one.

-- Scott



RE: No return endpoint available for relying party

Dan Dunbar
From the SP metadata:

    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://144.13.104.94/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="http://144.13.104.94/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://144.13.104.94/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="http://144.13.104.94/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://144.13.104.94/Shibboleth.sso/SAML/POST" index="5"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="http://144.13.104.94/Shibboleth.sso/SAML/Artifact" index="6"/>

IdP metadata:

        <SingleSignOnService
            Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
            Location="https://smidp.uwstout.edu/idp/profile/Shibboleth/SSO" />

        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://smidp.uwstout.edu/idp/profile/SAML2/POST/SSO" />

        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
            Location="https://smidp.uwstout.edu/idp/profile/SAML2/POST-SimpleSign/SSO" />

        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://smidp.uwstout.edu/idp/profile/SAML2/Redirect/SSO" />


RE: No return endpoint available for relying party

Cantor, Scott E.
> From the sp metadata
>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="http://144.13.104.94/Shibboleth.sso/SAML2/POST" index="1"/>

Well, unless your SP is requesting the response come back to an IP address,
there's your error.

-- Scott




RE: No return endpoint available for relying party

Dan Dunbar
It is expecting it at the IP address.


RE: No return endpoint available for relying party

Kevin P. Foote

You have no serverName / cname set up for the webserver to listen for?

------
thanks
  kevin.foote


RE: No return endpoint available for relying party

Dan Dunbar
I could set it up by cname.  Is there a reason the IP address won't work?


RE: No return endpoint available for relying party

Kevin P. Foote

-> -> > Location="http://144.13.104.94/Shibboleth.sso/SAML2/POST"

The beginning portion needs to match what the webserver is listening
for.

Does your IdP know about the SP metadata? I.e., have you made a
<MetadataProvider> entry in the IdP's relying-party.xml file and
restarted the IdP?

------
thanks
  kevin.foote


RE: No return endpoint available for relying party

Dan Dunbar
Yes, I added the metadata provider to the relayingparty.xml

Metadataurl = http://144.13.104.94/Shibboleth.ssso/Metadata



RE: No return endpoint available for relying party

Cantor, Scott E.
> Yes I added the metadata provider to the relayingparty.xml
>
> Metadataurl = http://144.13.104.94/Shibboleth.ssso/Metadata

It would be .sso, not .ssso, but that isn't the right approach anyway.
There's no way to debug it when you point it at an endpoint and hope it
works. You can't even really tell what the metadata is from that. Clearly
it's not right, based on the error.

-- Scott



RE: No return endpoint available for relying party

Cantor, Scott E.
I noted something in your request:

> 12:59:16.664 - DEBUG [PROTOCOL_MESSAGE:91] -
> <?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> AssertionConsumerServiceIndex="1"

That index means the SP is configured in a very unusual way, so that
suggests to me you ought to start over and undo whatever set of changes you
made to the configuration.

My guess is you may have tried to fix something caused by an incorrect web
server configuration, when that is in fact the fix, to correct the web
server with proper hostname information so that its self-referential URLs
are sensible and will match the metadata given to the IdP.

-- Scott
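
The endpoint lookup this thread is debugging, as an added example that is not part of the original posts and is not the Shibboleth IdP's code: a simplified model of how an IdP picks the return endpoint from the SP metadata it has loaded. The entityID, host name and IP address (sp.example.org, 192.0.2.10) and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ID = "https://sp.example.org/shibboleth"  # constructed entityID

# Constructed SP metadata: one HTTP-POST endpoint registered by host name.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{SP_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def make_request(issuer, acs_index=None, acs_url=None):
    """Build a constructed AuthnRequest carrying only the fields the lookup uses."""
    attrs = ""
    if acs_index is not None:
        attrs += f' AssertionConsumerServiceIndex="{acs_index}"'
    if acs_url is not None:
        attrs += f' AssertionConsumerServiceURL="{acs_url}"'
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0"{attrs}>'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def resolve_acs(request_xml, metadata_xml):
    """Return (location, None) on success or (None, reason) on failure."""
    req = ET.fromstring(request_xml)
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    root = ET.fromstring(metadata_xml)
    # Step 1: the Issuer must be an entityID the IdP holds metadata for.
    tag = "{%s}EntityDescriptor" % NS["md"]
    sp = next((e for e in root.iter(tag) if e.get("entityID") == issuer), None)
    if sp is None:
        return None, f"no metadata for relying party {issuer}"
    endpoints = sp.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    index = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    # Step 2: the requested endpoint must already be listed in that metadata.
    if index is not None:
        match = [e for e in endpoints if e.get("index") == index]
    elif url is not None:
        # Exact string comparison: an IP-based URL never equals a host-based
        # Location, so the response is not sent to an unregistered address.
        match = [e for e in endpoints if e.get("Location") == url]
    else:
        match = [e for e in endpoints if e.get("isDefault") == "true"] or endpoints[:1]
    if not match:
        return None, f"no return endpoint available for relying party {issuer}"
    return match[0].get("Location"), None


if __name__ == "__main__":
    ip_url = "http://192.0.2.10/Shibboleth.sso/SAML2/POST"
    print(resolve_acs(make_request(SP_ID, acs_index=1), SP_METADATA))
    print(resolve_acs(make_request(SP_ID, acs_url=ip_url), SP_METADATA))
    print(resolve_acs(make_request("https://other.example.org/sp", 1), SP_METADATA))
```

Both failure branches end in the same refusal to respond: the IdP only returns assertions to an endpoint that the metadata for the request's Issuer already lists.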