Federation login failed with error 400


Article ID: 40960


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign-On

Issue/Introduction

ISSUE:

SP-initiated SSO is failing with error 400 - Reason: UNSUPPORTED_AUTHN_REQUEST_BINDING.

Cause

SiteMinder release 12.52 and later support the SAML 2.0 HTTP-POST binding for authentication requests ("Authentication Request Binding") in addition to the HTTP-Redirect binding.

An older SiteMinder release (IdP) that does not support the SAML 2.0 HTTP-POST authentication request binding uses the HTTP-Redirect binding by default.

Hence, if the Service Provider sends the AuthnRequest via the HTTP-POST binding, federation login fails at SiteMinder (IdP) with this error 400.
If you get the same error with a SiteMinder release that supports the SAML 2.0 HTTP-POST authentication request binding, it is likely that the IdP has not been configured to allow it.
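
To confirm which binding the SP actually used, this added example (not Broadcom's or the product's own code) classifies one captured request to the IdP SSO endpoint and decodes its AuthnRequest. The hostnames, the sample message and the 64 KB size cap are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHN_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"
MAX_XML = 64 * 1024  # assumed size cap for a decoded AuthnRequest

# Constructed sample message; every value here is a placeholder.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/sso"/>'
)

def encode_sample(binding):
    """Encode SAMPLE_XML the way an SP would for the given binding."""
    data = SAMPLE_XML.encode()
    if binding == "HTTP-Redirect":  # raw DEFLATE first, then base64
        comp = zlib.compressobj(wbits=-15)
        data = comp.compress(data) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(data).decode()})

def classify_authn_request(method, url, body=""):
    """Report which SAML 2.0 binding carried the AuthnRequest in one request."""
    if method.upper() == "GET":    # message travels in the query string
        binding, params = "HTTP-Redirect", parse_qs(urlsplit(url).query)
    elif method.upper() == "POST":  # message travels in the form body
        binding, params = "HTTP-POST", parse_qs(body)
    else:
        raise ValueError("unexpected HTTP method: " + method)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in " + binding + " request")
    raw = base64.b64decode(params["SAMLRequest"][0])
    if binding == "HTTP-Redirect":
        inflater = zlib.decompressobj(-15)
        raw = inflater.decompress(raw, MAX_XML)  # bounded inflate
        if inflater.unconsumed_tail:
            raise ValueError("inflated message exceeds size cap")
    if len(raw) > MAX_XML or b"<!DOCTYPE" in raw:
        raise ValueError("refusing oversized or DTD-bearing XML")
    root = ET.fromstring(raw)
    if root.tag != AUTHN_TAG:
        raise ValueError("not an AuthnRequest: " + root.tag)
    return {"binding": binding, "id": root.get("ID"),
            "destination": root.get("Destination")}

if __name__ == "__main__":
    sso = "https://idp.example.test/sso"
    print(classify_authn_request("GET", sso + "?" + encode_sample("HTTP-Redirect")))
    print(classify_authn_request("POST", sso, encode_sample("HTTP-POST")))
```

A result of `HTTP-POST` for the failing request matches the UNSUPPORTED_AUTHN_REQUEST_BINDING cause described above.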

Environment

Product

  • CA Single Sign-On


Releases

  • CA Single Sign-On:Release:12.52 and above

Resolution

If you agree to the SP sending the AuthnRequest using the HTTP-POST method, allow it in your IdP configuration.

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/partnership-federation/saml-2-0-only-configurable-features/enable-saml-2-0-http-post-binding.html
