Bad SAML Request


Solution 1

We had the same error, and found that the x509 cert in the IdP Config wasn't imported or copied in correctly. We copied it directly out of the XML file into Notepad, removed any spaces or line breaks and pasted it back into the config file. Restarted HTTP and it was resolved.

Solution 2

I dunno if you ever got this solved, but I finally managed to sort out this error for the federation I was setting up. If you tell Domino to set up the federation against an ADFS, it will set a cookie called DOMSTATE; this one needs to be set the whole time.

Also note: if you set the RelayState field in the SAML POST back to the Domino server, the Domino server will take the value specified there and match it against the DOMSTATE cookie. So I got around this problem by not sending the RelayState field back to the Domino server.
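To make the failure mode in the thread concrete, here is an added example (not code from the original answers, and not Domino's own implementation) that models the service-provider-side checks Solution 2 describes: the RelayState posted back by the IdP is compared against the state cookie set before the redirect, the SAMLResponse is base64-decoded and parsed, and the Destination and IssueInstant attributes are checked against the SP's own assertion consumer URL and clock. The cookie name DOMSTATE comes from the answer above; its value format, the 5-minute freshness window, the URLs and every sample message below are constructed assumptions for the example only.

```python
"""Added example: a minimal model of the SP-side checks that can reject a SAML
POST with a "Bad SAML Request" style error. Not Domino's code; see lead-in."""
import base64
import binascii
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed values for the example (not from the original thread).
ACS_URL = "http://sp.example.test/names.nsf?SAMLLogin"
NOW = datetime(2013, 9, 19, 12, 17, 19, tzinfo=timezone.utc)


def check_relay_state(form, cookies):
    """Return problems with RelayState handling (empty list means ok).

    The SP stored an opaque value in the DOMSTATE cookie before redirecting
    to the IdP and expects RelayState to carry that same value back.
    """
    findings = []
    state_cookie = cookies.get("DOMSTATE")
    relay = form.get("RelayState")
    if state_cookie is None:
        findings.append("state cookie missing: it must survive the round trip to the IdP")
    if relay is not None and relay != state_cookie:
        # The situation in the thread: RelayState carried a return URL while
        # the SP expected its own state value.
        findings.append(f"relay state is not equal [{state_cookie}] - [{relay}]")
    return findings


def decode_saml_response(form):
    """Base64-decode and parse the SAMLResponse field; None if unusable."""
    raw = form.get("SAMLResponse")
    if not raw:
        return None
    try:
        root = ET.fromstring(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError, ET.ParseError):
        return None
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return None
    return root


def check_response(root, acs_url, now, max_age=timedelta(minutes=5)):
    """Check Destination against the ACS URL and IssueInstant against the clock."""
    findings = []
    dest = root.get("Destination")
    if dest != acs_url:
        findings.append(f"destination {dest!r} does not match ACS URL {acs_url!r}")
    issued = root.get("IssueInstant")
    try:
        ts = datetime.strptime(issued, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        findings.append("IssueInstant missing or malformed")
    else:
        # Allow one minute of clock skew into the future.
        if not (now - max_age <= ts <= now + timedelta(minutes=1)):
            findings.append(f"IssueInstant {issued} outside acceptable window")
    return findings


def validate_saml_post(form, cookies, acs_url, now):
    """Run all checks on one POST; an empty list means the request is accepted."""
    findings = check_relay_state(form, cookies)
    root = decode_saml_response(form)
    if root is None:
        findings.append("could not decode SAMLResponse")
    else:
        findings.extend(check_response(root, acs_url, now))
    return findings


def build_sample_response(destination, issue_instant):
    """Constructed, unsigned SAMLResponse with no assertion, for the example only."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="id-EXAMPLE-0001" '
           f'Version="2.0" IssueInstant="{issue_instant}" Destination="{destination}"/>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    cookies = {"DOMSTATE": "state-7f3a"}
    good = {"SAMLResponse": build_sample_response(ACS_URL, "2013-09-19T12:16:50Z"),
            "RelayState": "state-7f3a"}
    print("good:", validate_saml_post(good, cookies, ACS_URL, NOW))
    # RelayState replaced by a return URL, as in the console dump in the thread.
    bad = dict(good, RelayState="http://sp.example.test/dev/app.nsf/page.xsp")
    print("bad: ", validate_saml_post(bad, cookies, ACS_URL, NOW))
```

The point of the model is that the SP is not matching RelayState against the URL the user wants to land on but against a value it minted itself, so an IdP that rewrites RelayState into a return URL (or a browser that drops the cookie on the way back) produces the mismatch logged in the question, and omitting RelayState altogether, as Solution 2 does, simply skips that comparison.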


Author: Panu Haaramo

Java EE developer and consultant at Sovellustalo Alestalo & Haaramo, a company specializing in Java and Domino development. You can find my contact information on the company website (in Finnish).

Updated on September 18, 2022

Comments

  • Panu Haaramo (almost 2 years ago)

    I'm trying to set up a web SAML login on a Domino server. I received the SAML 2.0 metadata XML file from the identity provider, which is Oracle Identity Federation 11g.

    I imported the metadata into an IdP configuration document and got the first phase of the login to work, so that the user is redirected to the IdP server for login.

    When the login at the IdP is done I'm redirected back to the Domino server and get "Error 400 HTTP Web Server: Bad SAML Request". I have tried the DEBUG_SAML notes.ini setting with different numbers and finally all combined: DEBUG_SAML=11199. This is shown on the server console:

    ProduceSaml2ADFSReply: https://oracle-idp-site.net/fed/idp/initiatesso?providerid=http://mytestsite.fi&returnurl=http://mytestsite.fi/dev/ph/xp.nsf/test.xsp&loginToRp=http://mytestsite.fi
    Relay state is not equal [1575470014] - [http://mytestsite.fi/dev/ph/xp.nsf/test.xsp], url decoded/decripted [
    http://mytestsite.fi/dev/ph/xp.nsf?$$_vrd2=95ed6770a665e89b35e0a74c03e6b463-b4cea507-ysrLzM3LyMx47oPqJm7hhAT%2FwyC%2BkYQ8GVN1HA%2BVb2FnIek6KcAxlr%2FzuOW018x5SUc5ULLb0zLZs3avb0UaT4t%2FepmI%2FcR29lrkKXIa9lxT9XvViDytNdpVObJG]
    Could not decode cookie. Dump post data:
    PostFieldName - SAMLResponse - Data - 
    PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vZGV2LnNvdmVsbHVzdGFsby5maS9uYW1lcy5uc2Y/U0FNTExvZ2luIiBJRD0iaWQtcnpaeUlWRmY3a3BLMFR1SGVMeTR5T3RnaGFJLSIgSXNzdWVJbnN0YW50PSIyMDEzLTA5LTE5V
    PostFieldName - RelayState - Data - http://mytestsite.fi/dev/ph/xp.nsf/test.xsp
    19.09.2013 15:17:19   HTTP Web Server: Bad SAML Request [/names.nsf?SAMLLogin] Anonymous
    

    I end up at the URL http://mytestsite.fi/names.nsf?SAMLLogin with the Error 400 mentioned above. As "Single sign-on service URL" I have:

    https://oracle-idp-site.net/fed/idp/initiatesso?providerid=http://mytestsite.fi&returnurl=http://mytestsite.fi/dev/ph/xp.nsf/test.xsp

    This is the URL structure that works with the Oracle product. "Federation product" in the IdP configuration document was set to ADFS when I imported the metadata, but I have also tried TFIM.

    The reason for the failure seems to be "Relay state is not equal" or "Could not decode cookie" but what can be done about them?

    EDIT 2013-09-26

    IBM support refused to help me because Domino only supports MS AD and IBM TFIM as IdPs. I thought SAML was a standard.

    • Panu Haaramo (over 9 years ago)
      No. They have switched the IdP to Shibboleth and we still have Shibboleth in front of Domino in our end. I haven't tried yet to make Domino work with Shibboleth IdP.
    • lee_mcmullen (over 9 years ago)
      Thanks Panu. I've got everything configured as detailed here but every time I try to sign in I'm getting a message returned by the IDP which says "The SAML Request is invalid". The IDP I'm running against is OpenSSO on Tomcat. Would you have any pointers for me by any chance?
    • Panu Haaramo (over 9 years ago)
      The DEBUG_SAML=11199 notes.ini setting should turn on all debugging and maybe give you some useful info.
    • lee_mcmullen (over 9 years ago)
      Thanks Panu, have added that. Incidentally, I've gotten another step further by changing the SSO service URL (similar to what you mention in your post above) as explained here by Leandro C Lustosa. I'm now signing in at the IDP and being sent back to Domino. However now I'm getting "Error 400 HTTP Web Server: Bad SAML Request" in the browser and SAML error: No artifact in assertion in the console. I'll do some research on that message.
  • lee_mcmullen (over 9 years ago)
    Hi Meleth, I wonder if you might be able to help me? Could you take a look at my comments to the original question above and let me know if you have any pointers? You mention in your answer that you got it working successfully so I'd be keen to understand what you did differently and whether my issue is a config issue or an incompatibility issue between Domino and OpenSSO. Thanks, Lee