HTTP Status 400 - Bad Request with Error message BAD_SAML_REQUEST_ENCODING


Article ID: 7847


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When trying an SP-initiated federation request URL, the user gets the following error: HTTP Status 400 - Bad Request.

The SAMLRequest was received by the SiteMinder IDP, but the IDP-side FWSTrace.log shows the error BAD_SAML_REQUEST_ENCODING:

[06/22/2017][13:21:13][1920][8920][][SSO.java][doGet][Transaction with ID: xxxx-xxxxx-06a69df2-548f4426-07280dc3-c2 failed. Reason: BAD_SAML_REQUEST_ENCODING]

[06/22/2017][13:21:13][1920][8920][][SSO.java][doGet][The SAMLRequest parameter was not encoded properly.]

[06/22/2017][13:21:13][1920][8920][][SSO.java][doGet][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]

Environment

Any CA SSO 12.51 or 12.52 policy server with federation security services, where SiteMinder is the IDP and third-party software is the SP.

Cause

The error is caused by the SP partner encoding the AuthnRequest in a format that does not match the binding it is sent over. When the SAMLRequest arrives by HTTP GET (the HTTP-Redirect binding), CA SSO as IDP expects the Redirect encoding: the XML is DEFLATE-compressed, then base64-encoded, then URL-encoded. A SAMLRequest that is only base64-encoded (the HTTP-POST encoding) cannot be inflated and is rejected.

Here is the original AuthnRequest, as an example:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceIndex="1" ID="_xxxxxxxxxxxx" IssueInstant="2017-05-19T16:21:26Z" Version="2.0"><saml:Issuer>_host.example.com</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>

There are two ways to encode the above XML into a SAMLRequest, and each belongs to one of the two ways of passing it to the partner: the Redirect encoding is carried in the query string of an HTTP GET, the POST encoding in a form field of an HTTP POST. In this case, the customer is using HTTP GET. The SSOCircle toolbox can be used to produce both encodings of the same request:

https://idp.ssocircle.com/sso/toolbox/samlEncode.jsp

GET (Redirect) encoding, which DEFLATE-compresses the XML before base64- and URL-encoding it; its output is accepted by CA SSO in an HTTP GET:

fVBdS8NAEPwrx74nTQJWPZqU0FIIqIitPvhSjmS1B%2FcRbzc1%2FnvP1kL70n1admbYmZnNR2vEHgNp70rI0wwEutZ32n2W8LpZJXcwr2akrOllPfDOveDXgMQi6hzJA1DCEJz0ijRJpyyS5Fau68cHWaSZ7INn33oDZ5LrCkWEgaMhEPVpXXhHg8WwxrDXLTauwzH6BdEsS9iOZxNPRENkECvHJRRZfptkN0l%2Bv8mnsshlMX0H8XaKHB%2FCMaA86EK13XniFEdle4Np6%2B1scg7%2Fl%2FEUbTfLZ290%2ByNqY%2Fz3IqBiLIHDgCBWPljF14P%2BXXSXfByokoNypNExTKrjy8vKq18%3D

POST encoding, which is plain base64 with no compression; its output for the same AuthnRequest, shown below, is not accepted by CA SSO over HTTP GET or Redirect and results in the error 400:

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0
IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5z
OnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIEFzc2VydGlvbkNv
bnN1bWVyU2VydmljZUluZGV4PSIxIiBJRD0iX3h4eHh4eHh4eHh4eCIgSXNzdWVJbnN0YW50PSIy
MDE3LTA1LTE5VDE2OjIxOjI2WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+X2hvc3QuZXhh
bXBsZS5jb208L3NhbWw6SXNzdWVyPjxzYW1scDpOYW1lSURQb2xpY3kgQWxsb3dDcmVhdGU9InRy
dWUiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJh
bnNpZW50Ii8+PC9zYW1scDpBdXRoblJlcXVlc3Q+
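The following Python script is an added example, not part of the original article or of the CA SSO product. It encodes the AuthnRequest above in both forms (raw DEFLATE per RFC 1951, then base64, then URL-encoding for the Redirect binding; plain base64 for the POST binding) and then classifies a SAMLRequest received on the Redirect binding the way an IdP has to: a value that is base64 of uncompressed XML cannot be inflated and is the BAD_SAML_REQUEST_ENCODING case. The IdP URL in the script is hypothetical, and the Issuer and ID are the article's placeholders. It does not sign the request; on the Redirect binding the signature travels in separate SigAlg and Signature query parameters and is out of scope here.

```python
"""Encode a SAML AuthnRequest for the HTTP-Redirect and HTTP-POST bindings,
and classify an incoming SAMLRequest parameter the way an IdP must.
Added example; not code from the article or from the CA SSO product."""
import base64
import urllib.parse
import zlib

# The AuthnRequest from the article. Issuer and ID are the article's
# placeholder values, not a real partner.
AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'AssertionConsumerServiceIndex="1" ID="_xxxxxxxxxxxx" '
    'IssueInstant="2017-05-19T16:21:26Z" Version="2.0">'
    '<saml:Issuer>_host.example.com</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header or checksum,
    hence wbits=-15), then base64, then URL-encoding so '+', '/' and '='
    survive the query string (they appear as %2B, %2F and %3D)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def encode_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, carried in a form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def build_redirect_url(sso_url: str, xml: str, relay_state: str = None) -> str:
    """Assemble the SP-initiated GET to the IdP SSO service (URL is hypothetical)."""
    query = "SAMLRequest=" + encode_redirect(xml)
    if relay_state is not None:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return sso_url + "?" + query


def decode_redirect(param: str) -> str:
    """Reverse the Redirect encoding of a SAMLRequest query parameter."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def decode_post(param: str) -> str:
    """Reverse the POST encoding of a SAMLRequest form field (line wraps tolerated)."""
    return base64.b64decode("".join(param.split())).decode("utf-8")


def classify_saml_request(param: str) -> str:
    """For a SAMLRequest received on the Redirect (GET) binding, decide whether
    it is encoded correctly. Models the article's failure: base64 of
    uncompressed XML cannot be inflated, so the IdP rejects it."""
    compact = "".join(param.split())          # tolerate line-wrapped base64
    try:
        raw = base64.b64decode(urllib.parse.unquote(compact), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return "not-base64"
    try:
        xml = zlib.decompress(raw, -15)
    except zlib.error:
        if raw.lstrip().startswith(b"<"):     # it is XML, just never deflated
            return "post-encoding-on-redirect-binding"  # BAD_SAML_REQUEST_ENCODING
        return "undecodable"
    if xml.lstrip().startswith(b"<"):
        return "redirect-encoding"
    return "undecodable"


if __name__ == "__main__":
    # Hypothetical IdP SSO URL; the SP would redirect the browser here.
    print(build_redirect_url("https://idp.example.com/sso", AUTHN_REQUEST))
    print(classify_saml_request(encode_redirect(AUTHN_REQUEST)))   # redirect-encoding
    print(classify_saml_request(encode_post(AUTHN_REQUEST)))       # post-encoding-on-redirect-binding
```

To check what a third-party SP is actually sending, paste the SAMLRequest value from the failing GET into classify_saml_request: "post-encoding-on-redirect-binding" means the SP is base64-encoding without DEFLATE, which is the condition this article describes. Note that the Redirect output will not match the ssocircle string byte for byte, because DEFLATE output depends on the compressor and level; only the inflated XML has to match.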


Resolution

Since the SP is third-party software, its code or configuration must be changed so that it sends the SAMLRequest in the encoding that matches the binding it uses: DEFLATE plus base64 plus URL-encoding when the request is sent by HTTP GET (Redirect), or plain base64 in a form field when it is sent by HTTP POST. Once the encoding matches, the error no longer occurs and the request is processed by the CA SiteMinder IDP.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/initiate-single-sign-on-from-the-idp-or-sp.html

http://docs.oasis-open.org/security/saml/v2.0/

https://en.wikipedia.org/wiki/DEFLATE

https://en.wikipedia.org/wiki/Base64