Troubleshooting the error “Error processing AuthnRequest. Could not find Single Sign-on Service URL”

I am working with a partner to implement SAML federation. The IDP has an in-house federation solution and the SP has a fedlet. Metadata is exchanged between both parties.

While testing the SP-initiated SSO URL, we get a 400 error in the browser.

The logs show the following exception:

ERROR: Error sending AuthnRequest
com.sun.identity.saml2.common.SAML2Exception: Could not find Single Sign-on Service URL.
at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:201)
at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:110)
at org.apache.jsp.saml2.jsp.fedletSSOInit_jsp._jspService(fedletSSOInit_jsp.java:186)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)

The SOAP binding in both the IDP metadata and the SP metadata shows as HTTP-POST, as agreed between both parties up front.

Resolution:

Although the IDP metadata had HTTP-POST configured as the binding, the IDP was actually using some other binding. When we changed the IDP to HTTP-POST internally and exchanged the IDP metadata again, the issue disappeared.

Therefore, the SOAP binding has to be the same on both the IDP and the SP for the SP to send the SAML authentication request.
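
One way to check a freshly exchanged IDP metadata file before retesting, as an added example (not part of the original post and not Fedlet code): this Python script lists the SingleSignOnService endpoints the metadata advertises and looks up the one for the binding the SP will request. The sample metadata, entity ID, URLs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IDP metadata (not the partner's real file): it only
# advertises an HTTP-Redirect SingleSignOnService endpoint.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sso_endpoints(metadata_xml):
    """Return {binding URI: Location} for every SingleSignOnService listed."""
    if "<!DOCTYPE" in metadata_xml:
        # Partner metadata is external input; SAML metadata never needs a DTD.
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService"
    found = {}
    for el in root.iterfind(path):
        binding, location = el.get("Binding"), el.get("Location")
        if binding and location:
            # Keep the first endpoint listed for each binding.
            found.setdefault(binding, location)
    return found


def find_sso_url(metadata_xml, requested_binding):
    """Location for the binding the SP will use, or None if the IDP lists none."""
    return sso_endpoints(metadata_xml).get(requested_binding)


if __name__ == "__main__":
    for name, uri in (("HTTP-POST", POST), ("HTTP-Redirect", REDIRECT)):
        print(name, "->", find_sso_url(SAMPLE_IDP_METADATA, uri) or "no SSO URL")
```

A `None` result for the binding the SP is configured to use means the metadata holds no Single Sign-on Service URL for it, so the metadata and the IDP's actual configuration should be reconciled before testing again.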
