Layer7 Access Management

Expand all | Collapse all

SP Init fails with POST not valid

Jump to Best Answer
  • 1.  SP Init fails with POST not valid

    Posted 07-13-2016 11:39 PM


    We use SiteMinder federation Services for SAML integrations.

    I am trying to setup SP Initiated authentication with Tableu Server. Entities are created, partnership is enabled with  HTTP-POST binding. When user access service, they get redirected to IDP SSO Service via POST.

    Header shows: POST /affwebservices/public/saml2sso HTTP/1.1

    There is no Query String. POSTData shows relaystate and SAMLRequest parameter. Decoding SAMLRequest points to correct SPID and some other info.


    SPS fails with a 403.

    FWS log shows:


    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][doPost][SAML2 Single Sign-On Service received POST request.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][doRequestLog][Requesting Host: x.x.x.x. Requesting Host IP: x.x.x.x Request protocol: HTTP/1.1 Request was secure: true Authentication type: null]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][doPost][POST data: ]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][parseMessage][Exception while parsing message.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][doPost][Transaction with ID: 29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b failed. Reason: SAML2_UNSUPPORTED_POST_REQUEST]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][doPost][SAML2 Single Sign-On Service does not support POST requests.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][doPost][Ending SAML2 Single Sign-On Service request processing with HTTP error 403]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][][redirectToErrorPage][Sending HTTP Error 403 ]

    [07/14/2016][03:04:11][1184][2592803696][][CustomPostPageCache][performUpdate][Checking for updates]





    Appreciate if anyone can throw some light on this.

  • 2.  Re: SP Init fails with POST not valid

    Posted 07-13-2016 11:49 PM

    If I try IDP initiated, I get this error:

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][][processAssertionGeneration][Transaction with ID: 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70 failed. Reason: FAILED_AUTHEX]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][][processAssertionGeneration][Sending 500 error]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][][redirectToErrorPage][Sending HTTP Error 500 ]


    Is there a place where I can see what each of value of authorizeEx is? In this case it says iauthorizeEx call is: 2.


    Thanks in advance.

  • 3.  Re: SP Init fails with POST not valid

    Posted 07-14-2016 06:24 AM

    Hello Sam,


    Maybe you can check the policy server traces for the same transaction : 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70


    > It will give you more information on the failure.

    > Is it a new setup or was it working before ?


    Hope it helps,


  • 4.  Re: SP Init fails with POST not valid

    Posted 07-14-2016 01:55 AM



    This just for your information.

    The document TEC1351614 states SAML 2.0 HTTP-POST Authentication Binding. While the reason UNSUPPORTED_AUTHN_REQUEST_BINDING is not matched with your SAML2_UNSUPPORTED_POST_REQUEST, it explains some check points which might help.




  • 5.  Re: SP Init fails with POST not valid
    Best Answer

    Posted 07-21-2016 12:55 PM

    Thank You. I needed to upgrade to R12.52 to get the HTTP-Redirect option for authentication binding. Thanks everyone.