partnership federation supports GET method on SAML Authn request


Article ID: 187650


Updated On:


Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER


We're running a CA Access Gateway (SPS), and when the Service Provider
(SP) sends an HTTP POST Binding AuthnRequest, the transaction fails
and CA Access Gateway (SPS) reports this error:
  with ID: 21474121-b1b66261-26c75c0d-420cf956-ec227e76-43f
  failed. Reason: NO_SAML_REQUEST_OR_SPID]
  SAML2 Single Sign-On Service request processing with HTTP error 400]
Why do we get this error? Does Legacy/Partnership Federation support
the HTTP GET method for a SAML AuthnRequest?


Policy Server all versions


At first glance, both the Legacy and Partnership Federation models accept
HTTP GET or POST for a SAML AuthnRequest.
The error above might be due to the Session Store not handling the data
correctly, as described in these knowledge documents:
  SP(Salesforce & Tableau) Initiated calls are being failed with 400 Error.
  SP-Initiated POST request results in 400 Error
You can send an AuthnRequest using GET or POST when the requested
protocol binding is HTTP-POST.
Note that the SAMLRequest travels differently depending on the HTTP method:
  With GET, the SAMLRequest is in the URL (query string);
  With POST, the SAMLRequest is sent in the form-encoded request body.
Both HTTP methods are supported.
Here are two examples:
A sample of a POST HTTP-POST binding AuthnRequest:
  SP-initiated Single Sign-On POST
    Content-Type: application/x-www-form-urlencoded
    Content-Length: nnn
A sample of a GET HTTP-POST binding AuthnRequest (HTTP-Redirect binding SAML request):
  The redirect URL is{val1}&Signature={val2}&SigAlg={val3}
  with my SAMLRequest (without signature):
  <samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z" Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
      <samlp:RequestedAuthnContext Comparison="exact">
          <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
  </samlp:AuthnRequest>
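The following Python is an added example, not code from this article or from SiteMinder: it encodes one constructed AuthnRequest the two ways described above (GET via the HTTP-Redirect binding, POST via the form body) and shows how an IdP-side receiver picks the right field and reports a missing SAMLRequest. Hostnames are placeholders, and the Signature/SigAlg parameters are left out.

```python
"""Added example (not from the CA/Broadcom article): encode a SAML
AuthnRequest for the Redirect (GET) and POST bindings and decode it on
the IdP side. Redirect = raw DEFLATE + base64 + URL query; POST = base64
in an application/x-www-form-urlencoded body."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample request; issuer and ACS are placeholder hostnames.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
    'IssueInstant="2015-05-22T02:47:38Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    f'<saml:Issuer xmlns:saml="{SAML}">https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def redirect_binding_url(xml: str, sso_url: str) -> str:
    """GET: raw DEFLATE (no zlib header), base64, then URL-encode.
    Signature/SigAlg query parameters are omitted in this example."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def post_binding_body(xml: str) -> str:
    """POST: plain base64 (no DEFLATE) as a form field in the body."""
    return urlencode({"SAMLRequest": base64.b64encode(xml.encode()).decode()})

def decode_saml_request(method: str, target: str, body: str = "") -> dict:
    """IdP side: read SAMLRequest from the query (GET) or body (POST), inflate
    only for Redirect, return ID and issuer; missing field is the 400 case."""
    if method == "GET":
        params = parse_qs(urlparse(target).query)
    elif method == "POST":
        params = parse_qs(body)
    else:
        raise ValueError("unsupported HTTP method: " + method)
    if "SAMLRequest" not in params:
        raise ValueError("NO_SAML_REQUEST_OR_SPID")
    raw = base64.b64decode(params["SAMLRequest"][0])
    if method == "GET":
        raw = zlib.decompress(raw, -15)  # Redirect binding is deflated
    root = ET.fromstring(raw)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"), "issuer": None if issuer is None else issuer.text}
```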