Today I ran into another fun error message that doesn't show up on Google. I was trying to integrate our local Shibboleth IdP with a vendor's SP. I had loaded their metadata, but when I went to authenticate, I got this error:
org.opensaml.ws.message.decoder.MessageDecodingException: SAML 2 ACS endpoint could not be resolved from metadata for SP entityID and binding: https://vendor.com/ -- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Now, there certainly was an HTTP-POST AssertionConsumerService defined in the metadata file. What gives?
The problem turned out to be with XML namespace scoping. The metadata contained something like this:
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0" Location="https://vendor.com/"/>
I just had to stick "md:" onto the beginning of that tag, and everything worked fine. Like this:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0" Location="https://vendor.com/"/>
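A pre-flight check for vendor metadata, as an added example that is not part of the original post or of Shibboleth: it flags endpoint elements that sit outside the SAML metadata namespace and shows that a namespace-aware lookup finds no ACS endpoint for them. The surrounding EntityDescriptor, the function names and the sample document are assumptions constructed for illustration; the sample assumes only the "md" prefix is bound and no default namespace is declared.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Local names of endpoint elements that must be in MD_NS to be resolved.
MD_ENDPOINTS = {"AssertionConsumerService", "SingleLogoutService",
                "SingleSignOnService", "ArtifactResolutionService"}

# Constructed sample: only the "md" prefix is bound, so the unprefixed
# element below is in no namespace at all (assumed document layout).
BROKEN = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://vendor.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{POST}" index="0" Location="https://vendor.com/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
FIXED = BROKEN.replace("<AssertionConsumerService", "<md:AssertionConsumerService")


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def find_misnamespaced(xml_text):
    """Return (local name, actual namespace, Binding) for endpoint elements not in MD_NS."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        ns, local = split_tag(el.tag)
        if local in MD_ENDPOINTS and ns != MD_NS:
            findings.append((local, ns, el.get("Binding")))
    return findings


def acs_endpoints(xml_text):
    """List (Binding, Location) of ACS endpoints found by namespace-qualified name."""
    root = ET.fromstring(xml_text)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_misnamespaced(doc), acs_endpoints(doc))
```

For metadata fetched from a third party, parse it with a hardened XML parser rather than the default one before running a check like this.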