HTTP-Redirect request signed in the URL parameters in VIP Authentication Hub

Article ID: 413722

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

When a Service Provider (SP) sends a SAML request to the Identity Provider (IdP) in VIP Authentication Hub, the IdP does not accept a signature that is carried in the URI.

The SP's standard SAML setup uses the HTTP-Redirect binding, which carries the request signature in the URL parameters.

This is a standard and valid SAML 2.0 signature method.

However, the VIP Authentication Hub acting as an IdP rejects it as not signed, even though the signature is present in the URL.

As a test, the SP was switched to HTTP-POST, which signs the SAML request inside the XML using <ds:Signature>. This version was accepted by the VIP Authentication Hub IdP, confirming that the current configuration likely does not support redirect signatures properly.

However, due to the nature of HTTP-POST, the redirection is not automatic; it results in an intermediate HTML form with a Submit button that must be clicked manually.
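
To confirm from a captured request which form of signature the SP actually sent, the following added example (not code from the product or its vendor) inspects an HTTP-Redirect URL, reports whether the signature is in the query string or embedded as `<ds:Signature>`, and reconstructs the octets the query-string signature covers. It does not verify the signature cryptographically; the hostname, RelayState value and signature bytes in the sample are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def split_raw_query(url):
    """Return query parameters with their values still percent-encoded."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)

def inflate_saml_request(encoded):
    """Undo the HTTP-Redirect encoding: URL-decode, base64-decode, raw inflate."""
    raw = base64.b64decode(unquote(encoded))
    return zlib.decompress(raw, -15).decode("utf-8")

def describe_signature(url):
    """Report where a request sent by HTTP-Redirect carries its signature."""
    params = split_raw_query(url)
    # Only run this on captures from your own SP; ElementTree is not hardened.
    root = ET.fromstring(inflate_saml_request(params["SAMLRequest"]))
    # The query-string signature covers the encoded values exactly as sent,
    # in the fixed order SAMLRequest, RelayState (if present), SigAlg.
    order = ("SAMLRequest", "RelayState", "SigAlg")
    signed = "&".join(f"{k}={params[k]}" for k in order if k in params)
    return {
        "query_signature": "SigAlg" in params and "Signature" in params,
        "embedded_signature": root.find(f".//{{{DSIG_NS}}}Signature") is not None,
        "sig_alg": unquote(params.get("SigAlg", "")),
        "signed_octets": signed if "Signature" in params else None,
    }

def build_sample_url():
    """Constructed sample: placeholder signature bytes, hypothetical hostname."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>')
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    req = quote(base64.b64encode(deflated), safe="")
    alg = quote("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", safe="")
    sig = quote(base64.b64encode(b"constructed-placeholder-signature"), safe="")
    return (f"https://idp.example.com/sso?SAMLRequest={req}"
            f"&RelayState=abc123&SigAlg={alg}&Signature={sig}")

if __name__ == "__main__":
    print(describe_signature(build_sample_url()))
```

A result with `query_signature` true and `embedded_signature` false matches the situation described above: the request is signed, but only in the URL parameters.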

Resolution

Upgrade the VIP Authentication Hub to version 3.4.5 to fix this issue (1).

Additional Information