
Tech Tip - CA Single Sign-On: SP-initiated SSO is failing with error 400

By wonsa03 posted 04-18-2016 02:01 AM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 18th April 2016

 

ISSUE:

SP-initiated SSO is failing with error 400 - Reason: UNSUPPORTED_AUTHN_REQUEST_BINDING.


 

CAUSE:

SiteMinder releases 12.52 and later support the SAML 2.0 HTTP-POST binding as a method for exchanging requests and responses during authentication and single logout.

On a SiteMinder release (IdP) that does not support the SAML 2.0 HTTP-POST binding, the HTTP-Redirect binding is used by default. Hence, if the Service Provider sends the authentication request via the HTTP-POST binding, the Federation login fails at SiteMinder (IdP) with error 400.

If you are getting the same error with a SiteMinder release that supports the SAML 2.0 HTTP-POST binding, it is likely that you have not configured the IdP to allow the HTTP-POST binding.

 

RESOLUTIONS:

Check the SiteMinder Policy Server, SPS/WAOP or Federation Manager version.

  • If the SiteMinder version is lower than the R12.52 release, upgrade the SiteMinder components to a supported release, or configure the Service Provider to use the HTTP-Redirect binding to send the authentication request.
  • If the SiteMinder version is at a supported release, ensure that Authentication Request Binding is set to HTTP-POST on both the IdP and SP ends.
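
To confirm which binding the SP actually used before changing either side, the following added example (not part of the original tech tip and not CA code) decodes the SAMLRequest from a captured SP-to-IdP request and applies the rule described above. The sample AuthnRequest, the sp.example.com and idp.example.com names, and the function names are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def authn_request_binding(method, url, body=""):
    """Return (binding, issuer, request_id) for one captured SP -> IdP request."""
    method = method.upper()
    if method == "GET":      # HTTP-Redirect: raw DEFLATE, then base64, in the query string
        fields, binding = parse_qs(urlsplit(url).query), "HTTP-Redirect"
    elif method == "POST":   # HTTP-POST: base64 only, in a form field
        fields, binding = parse_qs(body), "HTTP-POST"
    else:
        raise ValueError("unexpected method " + method)
    if "SAMLRequest" not in fields:
        raise ValueError("no SAMLRequest parameter in the captured request")
    raw = base64.b64decode(fields["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15) if binding == "HTTP-Redirect" else raw
    # Intended for traces from your own SP; use a hardened parser (e.g. defusedxml) otherwise.
    root = ET.fromstring(xml)
    if not root.tag.endswith("}AuthnRequest"):
        raise ValueError("message is not an AuthnRequest")
    return binding, root.findtext("saml:Issuer", namespaces=NS), root.get("ID")

def expect_400(binding, release_supports_post, post_binding_enabled):
    """Tech tip rule: HTTP-POST needs a 12.52+ IdP with HTTP-POST binding allowed."""
    return binding == "HTTP-POST" and not (release_supports_post and post_binding_enabled)

# Constructed sample AuthnRequest (hypothetical SP entity ID and IdP URL).
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
              b'Version="2.0" IssueInstant="2016-04-18T00:00:00Z">'
              b'<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>')
IDP_SSO_URL = "https://idp.example.com/sso"  # placeholder, not a real SiteMinder path

def sample_post_body():
    return urlencode({"SAMLRequest": base64.b64encode(SAMPLE_XML).decode()})

def sample_redirect_url():
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(SAMPLE_XML) + deflater.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

if __name__ == "__main__":
    binding, issuer, req_id = authn_request_binding("POST", IDP_SSO_URL, sample_post_body())
    print(binding, issuer, req_id, "400 expected:", expect_400(binding, False, False))
```

Feed it the method, URL and body from a browser trace of the failing login; a result of HTTP-POST against an IdP that does not accept that binding matches the UNSUPPORTED_AUTHN_REQUEST_BINDING failure.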