When a Policy Server runs with a Partnership that has
"Accept ACS URL in the Authnrequest" set to yes, an AuthnRequest
that contains AssertionConsumerServiceURL fails.
The logs show:
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][processRequest]
[Transaction with ID: a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b failed. Reason: NO_BINDING_SPECIFIED]
Policy Server 12.8SP1CR00;
The cause is that the SAMLRequest does not have ProtocolBinding set,
so the Policy Server reports the error "NO_BINDING_SPECIFIED":
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][getAuthnRequestData]
[AuthnRequest:
<samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
ID="samlp2-8e40b382f27845cd99562bd13c193cdb"
IssueInstant="2019-06-19T05:53:06.111Z"
Version="2.0"
ForceAuthn="false"
IsPassive="false"
AssertionConsumerServiceURL="https://myserver.example.com/resource/authorize">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml2:Issuer>
</samlp2:AuthnRequest>]
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][getACSIndexRow][Found the ACS Row corresponding to index: 0]
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][getACSIndexRow][ACS Binding: HTTP-Post]
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][getACSIndexRow][ACS URL: https://myserver.example.com/resource/authorize]
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][ACSIndexDefaultBinding]
[Settting the Binding for the Default Assertion Consumer Service to: HTTP-Post]
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][processRequest][Got Assertion Consumer URL in AuthnRequest. Determining Validity of URL]
[06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
[SSO.java][processRequest]
[Transaction with ID: a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b failed. Reason: NO_BINDING_SPECIFIED]
According to OASIS, ProtocolBinding is mandatory when
AssertionConsumerServiceURL is set (1).
To solve this issue, configure the SAMLRequest so that it sets ProtocolBinding.
(1)
AssertionConsumerServiceURL [Optional]
Specifies by value the location to which the <Response> message
MUST be returned to the requester. The responder MUST ensure by
some means that the value specified is in fact associated with the
requester. [SAMLMeta] provides one possible mechanism; signing the
enclosing <AuthnRequest> message is another. This attribute is
mutually exclusive with the AssertionConsumerServiceIndex
attribute and is typically accompanied by the ProtocolBinding
attribute.
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
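
A pre-flight check for the condition described above, as an added example (not code from the Policy Server or the original article): it decodes a SAMLRequest parameter and reports an AssertionConsumerServiceURL sent without ProtocolBinding, or together with AssertionConsumerServiceIndex. The function names and both sample requests are assumptions constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample modelled on the AuthnRequest in the log above (no ProtocolBinding).
BROKEN = b"""<samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="samlp2-example" IssueInstant="2019-06-19T05:53:06.111Z" Version="2.0"
 AssertionConsumerServiceURL="https://myserver.example.com/resource/authorize">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml2:Issuer>
</samlp2:AuthnRequest>"""

# Same request with the binding declared (HTTP-POST, matching the ACS binding in the log).
FIXED = BROKEN.replace(
    b' Version="2.0"',
    b' Version="2.0" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"',
)


def decode_saml_request(value: str) -> bytes:
    """Decode an already URL-decoded SAMLRequest parameter value.

    HTTP-Redirect sends base64(raw DEFLATE(xml)); HTTP-POST sends base64(xml).
    """
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15)  # -15 = raw DEFLATE, no zlib header
    except zlib.error:
        return raw  # not compressed: HTTP-POST encoding


def check_authn_request(xml_bytes: bytes) -> list:
    """Return the problems found in the ACS-related attributes of an AuthnRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    acs_url = root.get("AssertionConsumerServiceURL")
    acs_index = root.get("AssertionConsumerServiceIndex")
    if acs_url is not None and acs_index is not None:
        problems.append("AssertionConsumerServiceURL and AssertionConsumerServiceIndex are mutually exclusive")
    if acs_url is not None and not root.get("ProtocolBinding"):
        problems.append("AssertionConsumerServiceURL present without ProtocolBinding")
    return problems


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_authn_request(doc))
```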