Users are seeing a 500 error after entering their credentials to access a SAML application.

The following error is seen in the policy server trace log:

  Destination does not match local URL

The Destination value within the SAMLRequest did match the URL to which the request was being sent.

However, this URL was redirecting the user to a different URI before the saml2sso service could process the request, thus the Destination value no longer matched the URL where the request was being processed.

Updating the partnership Base URL to have the saml2sso URL matches the Destination resolved the issue.

This could have also been achieved if the SP had updated the Destination value, however, not all SP software would support this since the software expects the Destination to match the URL to which the SAMLRequest will be sent.

This is why Siteminder IDP allows the Base URL to be customized to match where the requests are being processed.