I'm using SSOCircle and have my metadata imported and a valid redirect request executing. I am not getting any errors in my AuthnRequest
(I was, but I corrected that). However, when I execute the redirect I receive the error:
Reason: Destination is invalid.
Not sure what I am missing.
My Authn looks like this:
<samlp:AuthnRequest ID="_ID_" Version="2.0" IssueInstant="2016-02-25T16:20:04.869Z" Destination="http://localhost:9000/saml/service" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/saml/assert" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER_ID</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="_ID_">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>_DIGEST_</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>_SIGNATURE_VALUE_</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>_CERTIFICATE_STRING_</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="MY_ISSUER_ID" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
I am sending the redirect to:
https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle
The library I am using is from ComponentPro (which I am pretty happy with).
The problem is that your Destination attribute in the AuthnRequest is set to http://localhost:9000/saml/service and your are actually sending it to https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle.
The destination attribute must be the same as the actual destination.