400 Error for SP-Init POST Request


Article ID: 74986


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Users receive a 400 error for an SP-initiated POST request. The session store is enabled. FWSTrace.log shows the assertion being generated successfully, but immediately afterwards it shows an incoming GET request from the same user. It is clear that the POST data is being preserved until this phantom assertion is generated; it is unclear why the browser is not POSTing the assertion to the ACS URL. The customer also noted that in the failing case the user is redirected back to the authentication scheme after authenticating successfully, which suggests that something is going wrong with the SecurID authentication scheme in use (Fiddler was not available during the remote session).

Cause

After authentication the browser is sending the X-Requested-With: XMLHttpRequest request header, and it is therefore refusing to auto-POST the assertion to the remote domain.

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution

The X-Requested-With: XMLHttpRequest request header must be removed or prevented before an authenticated user reaches saml2sso; otherwise the browser will refuse to POST the assertion to the remote domain.
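The following is an added example, not CA/Broadcom code and not taken from the article, showing one way to enforce the resolution in front of the saml2sso endpoint and to audit requests for the offending header. It assumes the SP-initiated SSO endpoint is served at /affwebservices/public/saml2sso, uses a stand-in WSGI app (fws_stub) that reproduces the 400 symptom described above, and uses a hypothetical ACS URL; the real path and ACS come from the deployment and partnership configuration.

```python
from wsgiref.util import setup_testing_defaults

# Assumed Federation Web Services path for the SP-initiated SSO endpoint
# (not stated in the article; adjust to the deployment's actual URL).
SAML2SSO_PATH = "/affwebservices/public/saml2sso"
# WSGI spells the X-Requested-With request header as HTTP_X_REQUESTED_WITH.
XHR_HEADER = "HTTP_X_REQUESTED_WITH"


def is_xhr_request(environ):
    """True when the request carries X-Requested-With: XMLHttpRequest."""
    return environ.get(XHR_HEADER, "").strip().lower() == "xmlhttprequest"


def make_environ(path, method="GET", xhr=False):
    """Build a constructed WSGI environ standing in for a captured request."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    if xhr:
        environ[XHR_HEADER] = "XMLHttpRequest"
    return environ


def fws_stub(environ, start_response):
    """Stand-in for saml2sso reproducing the symptom in the article:
    a request flagged as XHR gets a 400 instead of the auto-POST form."""
    if environ["PATH_INFO"].startswith(SAML2SSO_PATH) and is_xhr_request(environ):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"assertion cannot be auto-POSTed from an XMLHttpRequest"]
    start_response("200 OK", [("Content-Type", "text/html")])
    # Hypothetical ACS URL; the real one comes from the partnership config.
    return [b'<form method="POST" action="https://sp.example/acs">'
            b'<input type="hidden" name="SAMLResponse" value="..."></form>']


class StripXhrHeader:
    """WSGI middleware: drop X-Requested-With for requests under the
    saml2sso path so the endpoint never sees the header."""

    def __init__(self, app, protected_prefix=SAML2SSO_PATH):
        self.app = app
        self.prefix = protected_prefix

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(self.prefix):
            environ.pop(XHR_HEADER, None)
        return self.app(environ, start_response)


def call_app(app, environ):
    """Invoke a WSGI app and return (status line, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def audit_requests(environs):
    """Return (method, path) for saml2sso requests that still carry the
    XHR header; useful for confirming the header is gone after the fix."""
    return [
        (env["REQUEST_METHOD"], env["PATH_INFO"])
        for env in environs
        if env["PATH_INFO"].startswith(SAML2SSO_PATH) and is_xhr_request(env)
    ]


if __name__ == "__main__":
    # Without the middleware the XHR-flagged request fails with 400.
    print(call_app(fws_stub, make_environ(SAML2SSO_PATH, xhr=True))[0])
    # With the header stripped, the auto-POST form is returned.
    fixed = StripXhrHeader(fws_stub)
    print(call_app(fixed, make_environ(SAML2SSO_PATH, xhr=True))[0])
```

The middleware only touches requests under the protected prefix, so AJAX calls elsewhere in the application keep their header. In a Secure Proxy Server or Apache front end the same effect is obtained with a mod_headers rule (RequestHeader unset X-Requested-With) scoped to the saml2sso location, and audit_requests gives a quick way to confirm from captured requests that nothing flagged as XMLHttpRequest still reaches the endpoint.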