
I'm trying to set up a web SAML login on a Domino server. I received the SAML 2.0 metadata XML file from the identity provider, which is Oracle Identity Federation 11g.

I imported the metadata into an IdP configuration document and got the first phase of the login to work, so that the user is redirected to the IdP server for login.

When the login at the IdP is done I'm redirected back to the Domino server and get "Error 400 HTTP Web Server: Bad SAML Request". I have tried the DEBUG_SAML notes.ini setting with different numbers and finally all combined: DEBUG_SAML=11199. This is shown on the server console:

```
ProduceSaml2ADFSReply: https://oracle-idp-site.net/fed/idp/initiatesso?providerid=http://mytestsite.fi&returnurl=http://mytestsite.fi/dev/ph/xp.nsf/test.xsp&loginToRp=http://mytestsite.fi
Relay state is not equal [1575470014] - [http://mytestsite.fi/dev/ph/xp.nsf/test.xsp], url decoded/decripted [
http://mytestsite.fi/dev/ph/xp.nsf?$$_vrd2=95ed6770a665e89b35e0a74c03e6b463-b4cea507-ysrLzM3LyMx47oPqJm7hhAT%2FwyC%2BkYQ8GVN1HA%2BVb2FnIek6KcAxlr%2FzuOW018x5SUc5ULLb0zLZs3avb0UaT4t%2FepmI%2FcR29lrkKXIa9lxT9XvViDytNdpVObJG]
Could not decode cookie. Dump post data:
PostFieldName - SAMLResponse - Data - 
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vZGV2LnNvdmVsbHVzdGFsby5maS9uYW1lcy5uc2Y/U0FNTExvZ2luIiBJRD0iaWQtcnpaeUlWRmY3a3BLMFR1SGVMeTR5T3RnaGFJLSIgSXNzdWVJbnN0YW50PSIyMDEzLTA5LTE5V
PostFieldName - RelayState - Data - http://mytestsite.fi/dev/ph/xp.nsf/test.xsp
19.09.2013 15:17:19   HTTP Web Server: Bad SAML Request [/names.nsf?SAMLLogin] Anonymous
```

I end up at the URL http://mytestsite.fi/names.nsf?SAMLLogin with the Error 400 mentioned above. As the "Single sign-on service URL" I have:

```
https://oracle-idp-site.net/fed/idp/initiatesso?providerid=http://mytestsite.fi&returnurl=http://mytestsite.fi/dev/ph/xp.nsf/test.xsp
```

This is the URL structure that works with the Oracle product. The Federation product in the IdP configuration document was set to ADFS when I imported the metadata, but I have also tried TFIM.

The reason for the failure seems to be "Relay state is not equal" or "Could not decode cookie" but what can be done about them?

EDIT 2013-09-26

IBM support refused to help me because Domino only supports MS AD and IBM TFIM as IdP. I thought SAML is a standard.

Panu Haaramo
  • Have you checked the time on each server? SAML is very time-sensitive. – Fredrik Norling Dec 09 '13 at 15:26
  • Hi Panu, did you manage to successfully get SSO working with Domino as the SP against OIF 11g as the IDP? – lee_mcmullen Mar 16 '15 at 16:09
  • No. They have switched the IdP to Shibboleth and we still have Shibboleth in front of Domino on our end. I haven't tried yet to make Domino work with the Shibboleth IdP. – Panu Haaramo Mar 17 '15 at 14:52
  • Thanks Panu. I've got everything configured as [detailed here](http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/secu_enabling_the_domino_server_to_provide_saml_authentication_t.dita) but every time I try to sign in I'm getting a message returned by the IDP which says "The SAML Request is invalid". The IDP I'm running against is OpenSSO on Tomcat. Would you have any pointers for me by any chance? – lee_mcmullen Mar 26 '15 at 15:30
  • `DEBUG_SAML=11199` notes.ini setting should turn on all debugging and maybe give you some useful info. – Panu Haaramo Mar 26 '15 at 15:36
  • Thanks Panu, have added that. Incidentally, I've gotten another step further by changing the SSO service URL (similar to what you mention in your post above) as [explained here](http://www-10.lotus.com/ldd/ndsebetaforum.nsf/topicThread.xsp?documentId=77B7B4E64248214D85257AF500622DA2&action=openDocument) by Leandro C Lustosa. I'm now signing in at the IDP and being sent back to Domino. However now I'm getting "Error 400 HTTP Web Server: Bad SAML Request" in the browser and `SAML error: No artifact in assertion` in the console. I'll do some research on that message. – lee_mcmullen Mar 26 '15 at 15:42

2 Answers

We had the same error and found that the x509 cert in the IdP Config wasn't imported or copied in correctly. We copied it directly out of the XML file into Notepad, removed any spaces or line breaks and pasted it back into the config document. Restarted HTTP and it was resolved.

Joe


I dunno if you ever got this solved, but I finally managed to sort out this error for the federation I was setting up. If you tell Domino to set up the federation against an ADFS, it will set a cookie called DOMSTATE; this one needs to be set the whole time.

Also note: if you set the RelayState flag in the SAML post back to the Domino server, the Domino server will take the value specified there and match it against the DOMSTATE cookie. So I got around this problem by not sending the RelayState flag back to the Domino server.

meleth
  • Hi Meleth, I wonder if you might be able to help me? Could you take a look at my comments to the original question above and let me know if you have any pointers? You mention in your answer that you got it working successfully so I'd be keen to understand what you did differently and whether my issue is a config issue or an incompatibility issue between Domino and OpenSSO. Thanks, Lee – lee_mcmullen Mar 26 '15 at 15:32
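The RelayState/DOMSTATE comparison this answer describes, together with the "Relay state is not equal" and "Could not decode cookie" messages in the question's console log, modelled as a small SP-side validator. This is an added example, not Domino's code or anything posted in the thread: the state value `1575470014` and the ACS URL are taken from the log, the `samlp:Response` is constructed and unsigned, and signature/assertion verification (which a real SP must do) is left out on purpose.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_URL = "http://mytestsite.fi/names.nsf?SAMLLogin"  # Domino's SAML login URL from the log

def validate_post_back(form, cookies, acs_url=ACS_URL):
    """Model of the SP-side checks on the IdP's POST back; returns (accepted, reason).
    Signature and assertion validation are deliberately left out: this covers only
    the state/RelayState and decoding steps the question's log complains about."""
    state = cookies.get("DOMSTATE")
    if state is None:
        return False, "Could not decode cookie: no DOMSTATE (it must survive the whole round trip)"
    relay = form.get("RelayState")
    # Domino in ADFS mode compares RelayState with the DOMSTATE value, so an IdP that
    # echoes the returnurl instead of the opaque state fails here (see the question's log).
    if relay is not None and unquote(relay) != state:
        return False, f"Relay state is not equal [{state}] - [{relay}]"
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"], validate=True))
    except (KeyError, ValueError, ET.ParseError) as exc:
        return False, f"Bad SAML Request: SAMLResponse does not decode ({exc})"
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "Bad SAML Request: root element is not samlp:Response"
    if root.get("Destination") != acs_url:
        return False, f"Bad SAML Request: Destination {root.get('Destination')!r} is not our ACS URL"
    return True, "accepted"

def build_response(destination=ACS_URL):
    """Constructed, unsigned samlp:Response, just large enough for the checks above."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="id-constructed-1" Version="2.0" '
           f'IssueInstant="2013-09-19T12:17:19Z" Destination="{destination}"/>')
    return base64.b64encode(xml.encode()).decode()

def demo():
    state = "1575470014"  # the DOMSTATE value shown in the question's console log
    cookies = {"DOMSTATE": state}
    ok_form = {"SAMLResponse": build_response()}
    return {
        # IdP echoes the returnurl as RelayState: the failure from the question
        "returnurl_as_relaystate": validate_post_back(
            dict(ok_form, RelayState="http://mytestsite.fi/dev/ph/xp.nsf/test.xsp"), cookies),
        # IdP sends no RelayState at all: meleth's workaround
        "no_relaystate": validate_post_back(ok_form, cookies),
        # IdP echoes the opaque state back unchanged: the flow Domino expects
        "state_echoed": validate_post_back(dict(ok_form, RelayState=state), cookies),
        # DOMSTATE cookie lost between the redirect and the POST back
        "cookie_missing": validate_post_back(ok_form, {}),
    }
```

Run `demo()` to see the four outcomes side by side; the first and last reproduce the two log messages from the question, the middle two are accepted.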