By: Emma Richardson user 02 Apr 2019 at 5:28 p.m. CDT

3 Responses
I have been trying to set up an SSO TR with Freshdesk. After finally talking them out of an xml file, as I couldn't get anything to even try and validate with just the url they provided, I have been able to validate successfully. The xml file is as follows:

```
<EntityDescriptor entityID="ecboces.freshdesk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ecboces.freshdesk.com/login/saml"/>
  </SPSSODescriptor>
</EntityDescriptor>
```

I have another SAML TR working correctly with an emailAddress nameid so used the same one for this one. But I am just not getting connected to the SP at all, with this error showing in the idp logs: SAML - Non-ok status code 500 returned from remote metadata source.

When I click on the log in button from Freshdesk, I get a Stale Request page with a url like this: https://mydomain.com/idp/profile/SAML2/POST/SSO?SAMLRequest=fZHLboMwEEV%2FhZ1XYCDkZQESSlQpUtpEIe2im8rAkFgyNvWYPv6%2BQFQ1WaRb69w7xzMx8ka2LOvsWR3gvQO0ToYIxgqtVlph14DJwXyIEp4P24ScrW2RUXoG2XpQFroE9LQ5UalPQtGhjjjrvkYoPnT8JUbgJiKqlrZG10ICzbPHbUj3u%2FxI83xHnM06IW9RxIt5vSjcaVnVblTU3F0Wk7kL9TKY%2BdPKL8NpjyJ2sFFoubIJCf1g6fqR64fHYMHCGZv4r8R5AYOjTej5xPlqpEI2uCakM4ppjgKZ4g0gsyUbXFgPMv67ietI%2B3%2Bm%2F5DVpZYkjQeajXYmvbe3mF5T8eUcT33rZr3XUpTfTial%2FlwZ4BYSYk0HxHnQpuH2vkfgBeOLqNx6RBk0XMisqgwgEppept7ePf0B

I did notice that the SP requests a fingerprint instead of the full certificate so I provided the fingerprint of the Gluu server signing cert to Freshdesk. I am wondering if I need to provide the full certificate in the sp metadata file? Or if the fingerprint is causing an issue or it might be something totally different? Would appreciate any assistance...

By Aliaksandr Samuseu staff 03 Apr 2019 at 2:58 a.m. CDT

Hi, Emma. It looks like all your difficulties this time can be attributed to SP configuration. Errors due to stale requests aren't something the IDP usually causes. Unless you press some "Back" button along the way, or cause a previous request to be replayed in any other way (or maybe your system clock is not synced), it means the SP sends an invalid (replayed) request. Can't comment on the certificate question either; normally you need to upload the certificate, not just its fingerprint, though. Unfortunately, we don't cover SP-related issues under Community Support, only questions related to our products. Unless you are able to show how it's a Gluu Server issue, your best chance to get some help is to contact this SP's support, or ask around in some related communities.

By Emma Richardson user 03 Apr 2019 at 6:45 a.m. CDT

Thanks for the response - I am talking with them too. Their sso works with onelogin though, so it is something between Gluu and SP and not totally their issue. I saw this ticket: https://support.gluu.org/single-sign-on/5863/saml-sp-redirects-to-wrong-url-stale-request/ which was resolved by changes on the Gluu side so I am still thinking that it might be related to the Gluu setup.

By Emma Richardson user 03 Apr 2019 at 9:32 a.m. CDT

New log message - does this shed any light?

```
2019-04-03 14:30:52,678 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method
	at org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:82)
2019-04-03 14:30:52,720 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2019-04-03 14:30:52,725 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
```
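
An added illustration, not part of the thread and not Gluu or Freshdesk code: this Python check takes an IdP SSO URL of the shape quoted above, decodes the `SAMLRequest` query parameter, and reports whether a request delivered in the query string reached a path that names a different binding, which is the situation the `This message decoder only supports the HTTP POST method` error describes. The hostnames, the sample AuthnRequest and the `Redirect` path segment are constructed assumptions.

```python
import base64
import zlib
from urllib.parse import urlsplit, parse_qs, urlencode

# Path segment -> binding the decoder on that IdP path expects.
# "POST" comes from the URL in the thread; "Redirect" is an assumed sibling path.
ENDPOINT_BINDINGS = {"POST": "HTTP-POST", "Redirect": "HTTP-Redirect"}

# Constructed sample request; not taken from the thread.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_constructed1" Version="2.0" IssueInstant="2019-04-03T14:30:00Z" '
              'AssertionConsumerServiceURL="https://sp.example.com/login/saml"/>')


def encode_redirect(xml: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_saml_request(value: str):
    """Return (encoding, xml) for an already URL-decoded SAMLRequest value."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):  # plain base64 XML, as a POST form field carries
        return "base64", raw.decode()
    return "deflate+base64", zlib.decompress(raw, -15).decode()


def check_sso_url(url: str) -> dict:
    """Compare the binding named in the IdP path with how the request arrived."""
    parts = urlsplit(url)
    endpoint = next((ENDPOINT_BINDINGS[s] for s in parts.path.split("/")
                     if s in ENDPOINT_BINDINGS), None)
    values = parse_qs(parts.query).get("SAMLRequest")
    if not values:
        return {"endpoint": endpoint, "sent_as": None, "mismatch": False}
    encoding, xml = decode_saml_request(values[0])
    # A SAMLRequest in the query string was delivered by GET (redirect style).
    return {"endpoint": endpoint, "sent_as": "HTTP-Redirect", "encoding": encoding,
            "mismatch": endpoint != "HTTP-Redirect", "xml": xml}


def sample_url(path_binding: str) -> str:
    """Build a constructed IdP URL carrying SAMPLE_XML in the query string."""
    query = urlencode({"SAMLRequest": encode_redirect(SAMPLE_XML)})
    return "https://idp.example.org/idp/profile/SAML2/%s/SSO?%s" % (path_binding, query)


if __name__ == "__main__":
    for binding in ("POST", "Redirect"):
        result = check_sso_url(sample_url(binding))
        print(binding, result["encoding"], "mismatch:", result["mismatch"])
```

A mismatch means the SP's configured SSO URL and the binding it actually uses disagree, so the fix is to align the two in the SP's SAML settings or the IdP endpoint it is given.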