[SiteMinder][Federation] HTTP 400 at saml2assertionconsumer



Article ID: 219071




Products: SITEMINDER; CA Single Sign On Agents (SiteMinder); CA Single Sign On Federation (SiteMinder); CA Single Sign On Secure Proxy Server (SiteMinder); CA Single Sign-On


SiteMinder is acting as SP.

The assertion is received at saml2assertionconsumer, but the request results in HTTP 400.


Release : 12.8



There can be several reasons for this.

1. The POST to /affwebservices/public/saml2assertionconsumer is changed to a GET somewhere along the path (error "SAMLArt not found" in FWSTrace.log)
2. The RelayState or Target is in a different cookie domain (error "xxx outside the local Cookie Domain" in FWSTrace.log)


#1 Load Balancer intercepts and breaks the flow

For example, if the request is received over HTTP instead of HTTPS, a load balancer may intercept it and redirect it to HTTPS.
During this redirect the POST method is changed to GET, which breaks the federation flow, because a GET to saml2assertionconsumer is handled as the HTTP-Artifact Profile.
SiteMinder then looks for the SAMLArt query parameter, which does not exist because the original use case was the HTTP-POST Profile.
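The method change described above follows from how browsers handle redirect status codes: a 301, 302 or 303 response makes the browser re-issue the request as a GET without the form body, while 307 and 308 preserve the POST. The following script is an added example (not CA/Broadcom code) that encodes that rule and, optionally, posts a constructed dummy form to your own SP's ACS with redirects disabled so you can see which status code the load balancer actually returns; the base URL on the command line and the dummy form values are assumptions.

```python
"""Predict whether a redirect in front of the SAML ACS turns the browser's
POST into a GET (added diagnostic example, not SiteMinder's own code)."""
import sys
import urllib.error
import urllib.request

ACS_PATH = "/affwebservices/public/saml2assertionconsumer"

# Browser behaviour per RFC 7231 (301/302/303/307) and RFC 7538 (308).
METHOD_CHANGING = {301, 302, 303}
METHOD_PRESERVING = {307, 308}


def method_after_redirect(method: str, status: int) -> str:
    """Method the browser will use for the follow-up request."""
    if status in METHOD_PRESERVING:
        return method
    if status in METHOD_CHANGING:
        return "GET"
    return method  # not a redirect: the original request reached the ACS


def explain(method: str, status: int, location) -> str:
    """Human-readable verdict for the first response seen by the browser."""
    new_method = method_after_redirect(method, status)
    if status in METHOD_CHANGING | METHOD_PRESERVING:
        if new_method != method:
            return (f"{status} redirect to {location} rewrites {method} to "
                    f"{new_method}; the SAMLResponse form body is dropped, "
                    f"SiteMinder looks for SAMLArt and answers HTTP 400")
        return (f"{status} redirect to {location} preserves {method}; "
                f"the SAMLResponse form body survives")
    return f"No redirect (HTTP {status}); the ACS received the {method} directly"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_acs(base_url: str, timeout: float = 5.0):
    """POST a constructed placeholder form to the ACS and return
    (status, Location header) of the first response."""
    url = base_url.rstrip("/") + ACS_PATH
    # Constructed placeholder values; this is deliberately not a real assertion.
    body = b"SAMLResponse=placeholder&RelayState=placeholder"
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    # Usage: python check_acs_redirect.py http://sp.aaa.bbb  (assumed host name)
    if len(sys.argv) != 2:
        sys.exit("usage: check_acs_redirect.py <base-url-of-SP>")
    status, location = probe_acs(sys.argv[1])
    print(explain("POST", status, location))
```

Run it against the plain-HTTP URL the IdP was configured with; a 301 or 302 to the HTTPS URL confirms the scenario in this section, and the fix is to have the IdP post directly to HTTPS (or to have the load balancer answer with a method-preserving redirect).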


#2 RelayState or Target Application URL is in a different cookie domain

Enable "Validate target url domain" in the Federation Partnership.
Then, in the ACO, either comment out the "ValidFedTargetDomain" parameter, or uncomment ValidFedTargetDomain and set it to the desired cookie domain, such as ".aaa.bbb".
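To see what the "outside the local Cookie Domain" check is comparing, here is an added example (not SiteMinder's implementation) that validates a RelayState or Target URL against a list of cookie domains written in the ".aaa.bbb" form used by ValidFedTargetDomain. The matching rules (exact domain or sub-domain, dot boundary respected, port ignored, relative targets accepted) are assumptions about the product's behaviour, and the sample targets are constructed.

```python
"""Validate a RelayState / Target URL against the SP's cookie domain(s).
Added example modelled on "Validate target url domain"; not SiteMinder code."""
from urllib.parse import urlsplit


def host_in_cookie_domain(host: str, cookie_domain: str) -> bool:
    """True if host is the cookie domain itself or a sub-domain of it.
    cookie_domain uses the leading-dot form, e.g. ".aaa.bbb" (assumption)."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    # The "." prefix keeps "notaaa.bbb" from matching ".aaa.bbb".
    return host == domain or host.endswith("." + domain)


def validate_target(target: str, cookie_domains) -> tuple:
    """Return (ok, reason) for a RelayState/Target value."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Path-only target: it is served from the SP itself.
        return True, "relative target, stays on the SP"
    if parts.scheme not in ("http", "https"):
        # Also rejects scheme-relative "//host/path" targets (scheme == "").
        return False, f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname  # strips port and userinfo, lower-cased
    if not host:
        return False, "no host in target"
    for domain in cookie_domains:
        if host_in_cookie_domain(host, domain):
            return True, f"{host} is within {domain}"
    return False, f"{host} outside the local Cookie Domain"


if __name__ == "__main__":
    # Constructed sample values for a cookie domain of ".aaa.bbb".
    cookie_domains = [".aaa.bbb"]
    samples = [
        "https://app.aaa.bbb/portal",        # same cookie domain
        "https://app.aaa.bbb:8443/portal",   # port does not matter
        "https://aaa.bbb/",                  # the domain itself
        "https://notaaa.bbb/",               # suffix trick, must fail
        "https://app.aaa.bbb.ccc.ddd/",      # different domain, must fail
        "/protected/home",                   # relative target
        "//app.ccc.ddd/portal",              # scheme-relative, must fail
    ]
    for sample in samples:
        ok, reason = validate_target(sample, cookie_domains)
        print(f"{'OK  ' if ok else 'FAIL'} {sample:<36} {reason}")
```

When a target fails here, the options are the ones the section lists: move the application into the SP's cookie domain, or add its domain to ValidFedTargetDomain.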