XML Canonicalization for SAML


Francisco Almeida

Mar 2, 2016, 7:05:43 PM
to SimpleSAMLphp
Hi,

I am having some errors in SAML:
-----------------------
Requester/RequestDenied: urn:oasis:names:tc:SAML:2.0:status:RequestDenied
-----------------------

All the information I have from the IdP is that the SAML request is well built and everything is according to the guidelines. However, my XML is not well signed and the problem seems to be related to canonicalization and transform of the SAML request.

I am having some trouble understanding where this configuration can be made. Can it be done by changing configuration parameters, or do you have to customize your SAML request?

Does anyone have some suggestions for this issue?

Regards,
Francisco


Thijs Kinkhorst

Mar 3, 2016, 3:01:38 AM
to simple...@googlegroups.com
Hi Francisco,
I understand that you are the SP here.

What the message above means is that the IdP tells the SP that the user
is not allowed to access the server for whatever reason that IdP thinks
is applicable here. The configuration/logfiles of the IdP hopefully show
why that is, so the administrator of the IdP should know why they send
that message.

I would not immediately think of canonicalization as the cause; I take
it that you're using simpleSAMLphp (because you are mailing this list)
and simpleSAMLphp should be handling all the canonicalization and
signatures for you. Unless you have some concrete indications that this
has something to do with it?


Cheers,
Thijs
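
An added example, not part of the thread and not SimpleSAMLphp code: a Python script that lists the canonicalization, signature, transform and digest algorithms declared in a signed request, so an SP operator can compare them with what the IdP says it accepts. The sample message and the name `describe_signature` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a signed AuthnRequest with digest and signature values elided.
SAMPLE_REQUEST = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2016-03-02T19:00:00Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>ELIDED</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ELIDED</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>
"""

def _alg(parent, path):
    node = parent.find(path, NS)
    return node.get("Algorithm") if node is not None else None

def describe_signature(xml_text):
    """Report the algorithms a signed SAML message declares.

    Intended for messages captured from your own SP. Returns None when the
    XML has no enveloped signature (with the HTTP-Redirect binding the
    signature travels in the query string instead of the document).
    """
    root = ET.fromstring(xml_text)
    signed_info = root.find("ds:Signature/ds:SignedInfo", NS)
    if signed_info is None:
        return None
    refs = [{
        "uri": ref.get("URI"),
        "transforms": [t.get("Algorithm")
                       for t in ref.findall("ds:Transforms/ds:Transform", NS)],
        "digest": _alg(ref, "ds:DigestMethod"),
        # The reference should point at the ID of the element being signed.
        "covers_root": ref.get("URI") == "#" + root.get("ID", ""),
    } for ref in signed_info.findall("ds:Reference", NS)]
    return {"canonicalization": _alg(signed_info, "ds:CanonicalizationMethod"),
            "signature": _alg(signed_info, "ds:SignatureMethod"),
            "references": refs}
```
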
