[Shib-Users] Request missing SAMLResponse or TARGET form parameters


Hörbe Rainer

Oct 22, 2009, 11:35:46 AM
to shibbole...@internet2.edu
I ran into a problem in the following situation during the setup of a
native SP (mod_shib 2.2).

After a resource is requested, the SP will issue an AuthnRequest to
the IDP (Shib 2.1.2). The HTTP-POST request includes the following elements:
- form parameter RelayState=cookie:6a3c7a74
- form parameter SAMLResponse=<some good looking XML>
- Cookie shibstate_6a3c7a74=http://sp2.local/bmi.gv.at/viewer.php
- no other query string or form parameter

After receiving the SAMLResponse, the SP issues the following error message:

opensaml::BindingException at (http://sp2.local/Shibboleth.sso/SAML/POST)
Request missing SAMLResponse or TARGET form parameters.

I do not understand the mechanism with RelayState (or could not find
documentation). Do I understand right, that relayState=cookie in
<SPConfig> will not require a TARGET parameter passed back to the
AssertionConsumerService?

<SessionInitiator type="Chaining" Location="/Login" isDefault="true"
        id="Intranet" relayState="cookie"
        entityID="http://idp.local/idp/shibboleth">
    <SessionInitiator type="SAML2" defaultACSIndex="1"
            template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

Rainer Hoerbe

Chad La Joie

Oct 22, 2009, 11:44:23 AM
to shibbole...@internet2.edu
No. Are you using the Shib IdP?

Hörbe Rainer wrote:
> I do not understand the mechanism with RelayState (or could not find
> documentation). Do I understand right, that relayState=cookie in
> <SPConfig> will not require a TARGET parameter passed back to the
> AssertionConsumerService?


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Scott Cantor

Oct 22, 2009, 11:47:37 AM
to shibbole...@internet2.edu
Hörbe Rainer wrote on 2009-10-22:
> After receiving the SAMLResponse, the SP issues following error message:
>
> opensaml::BindingException at (http://sp2.local/Shibboleth.sso/SAML/POST)
> Request missing SAMLResponse or TARGET form parameters.

That's a SAML 1 error, so you're mixing protocols, based on the assumption
that you're correct about the request you saw it send. In the case of SAML
1, TARGET is required, which is not the case with RelayState.

> I do not understand the mechanism with RelayState (or could not find
> documentation). Do I understand right, that relayState=cookie in
> <SPConfig> will not require a TARGET parameter passed back to the
> AssertionConsumerService?

For SAML 1, that's not optional. The IdP is what determines that value, and
that would depend on what kind of IdP it was and whether the legacy
Shibboleth protocol was involved to supply a target inbound.

Offhand, I'd say something's screwed up in metadata or something like that.

-- Scott


Hörbe Rainer

Oct 22, 2009, 11:58:14 AM
to shibbole...@internet2.edu
Fixed: I misconfigured the IDP so that it posted the Version 2
SAMLResponse to the Version 1 AssertionConsumerService.

Thanks, Rainer
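
An added example, not part of the thread and not Shibboleth's own code: a Python check that compares the AssertionConsumerService endpoints in the SP metadata an IdP has loaded against the SP's own handler declarations, and flags a SAML 2.0 binding pointed at a SAML 1 location, the kind of mismatch behind the error above. Both XML samples are constructed; the handler locations, the entityID and the assumption that the mismatch sits in metadata are illustrative.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: ACS handlers as declared in the SP's own configuration
# (locations are relative to the handler URL, assumed to be /Shibboleth.sso).
SP_HANDLERS = """<Sessions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:AssertionConsumerService Location="/SAML2/POST" index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <md:AssertionConsumerService Location="/SAML/POST" index="5"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
</Sessions>"""

# Constructed sample: SP metadata as the IdP sees it, with the SAML 2.0
# binding wrongly pointed at the SAML 1 endpoint. entityID is a placeholder.
IDP_VIEW = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sp2.local/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp2.local/Shibboleth.sso/SAML/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_entries(xml_text):
    """Return (Location, Binding) for every AssertionConsumerService element."""
    # Intended for local, trusted config files; do not feed it untrusted XML.
    root = ET.fromstring(xml_text)
    return [(e.get("Location"), e.get("Binding")) for e in root.iter(MD + "AssertionConsumerService")]

def find_mismatches(sp_config, sp_metadata, handler_url="/Shibboleth.sso"):
    """List metadata endpoints whose binding differs from the SP handler at that path."""
    handlers = {handler_url + loc: binding for loc, binding in acs_entries(sp_config)}
    problems = []
    for location, binding in acs_entries(sp_metadata):
        path = urlsplit(location).path
        expected = handlers.get(path)
        if expected is None:
            problems.append((location, binding, "no handler at this path"))
        elif expected != binding:
            problems.append((location, binding, "handler expects " + expected))
    return problems

if __name__ == "__main__":
    for problem in find_mismatches(SP_HANDLERS, IDP_VIEW):
        print(*problem, sep=" | ")
```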
