When connecting to Salesforce as an identity provider, we get the error listed below:
ComponentSpace.Saml2.Exceptions.SamlBindingException: A SAML message cannot be received as the HTTP request is unrecognized.
at ComponentSpace.Saml2.SamlProvider.ReceiveMessageAsync()
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
(using the boilerplate code for AssertionConsumerService from the ComponentSpace SAML for ASP.NET Core Examples Guide).
The same code works in the sandbox test Salesforce environment, and from what information we have, the only difference is the single sign on service URL (presumably using post in production and get in the working test environment).
"SingleSignOnServiceUrl": "https:/.com/idp/endpoint/HttpPost" (prod)
"SingleSignOnServiceUrl": "https:///idp/endpoint/HttpRedirect" (test sandbox)
We are about to turn on SAML tracing in both environments, but any information on the error specified above would be highly appreciated.
Thanks,
Milos
Hi Milos,
The SAML response should be sent by the IdP using an HTTP Post. If instead we receive an HTTP Get etc., we throw the exception you’re seeing. Salesforce will be sending an HTTP Post.
I’m not sure why /HttpPost vs /HttpRedirect endpoints would cause this issue. The SingleSignOnServiceUrl is where the SAML authn request is sent when you call InitiateSsoAsync. By default, we send this using the HTTP-Redirect binding so the /HttpRedirect endpoint matches with this. To send the SAML authn request using the HTTP-Post binding, add the following to the PartnerIdentityProviderConfiguration:
"SingleSignOnServiceUrl": "https:/***.com/idp/endpoint/HttpPost",
"SingleSignOnServiceBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
If there’s still an issue, I suggest using the browser developer tools to take a look at the network traffic. You should see an HTTP Post of a SAMLResponse being sent to the endpoint where you call ReceiveSsoAsync. Follow the traffic to see what leads up to the HTTP Get to this endpoint.
If you’re not sure what’s going on, you’re welcome to save the network traffic by exporting the HAR file and sending this as an email attachment to support@componentspace.com.
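The HAR check suggested in the reply above can be scripted. This is an added example, not part of the thread and not ComponentSpace code: it lists every request to the endpoint that calls ReceiveSsoAsync with its HTTP method, whether a SAMLResponse form field is present, and any redirect that led to it. The HAR excerpt, the host names and the ACS path are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed HAR excerpt (not from the thread). Hosts and the ACS path are
# placeholders. It models one hypothetical sequence: the POST is answered with
# a 302 and the browser follows it with a GET that carries no SAMLResponse.
ACS = "/SAML/AssertionConsumerService"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "http://sp.example" + ACS,
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "SAMLResponse=PHNhbWxwOi4uLg%3D%3D"}},
     "response": {"status": 302, "redirectURL": "https://sp.example" + ACS}},
    {"request": {"method": "GET", "url": "https://sp.example" + ACS},
     "response": {"status": 500, "redirectURL": ""}},
]}})


def has_saml_response(request):
    """True if the request body carries a SAMLResponse form field."""
    post = request.get("postData") or {}
    if any(p.get("name") == "SAMLResponse" for p in post.get("params") or []):
        return True
    return "SAMLResponse" in parse_qs(post.get("text") or "")


def trace_acs(har_text, acs_path):
    """Report each request to acs_path and the redirect (if any) behind it."""
    findings, prev = [], None
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if urlsplit(req["url"]).path.lower() == acs_path.lower():
            via = None
            if prev and 300 <= prev["response"]["status"] < 400:
                target = urljoin(prev["request"]["url"],
                                 prev["response"].get("redirectURL") or "")
                if target == req["url"]:
                    via = (prev["request"]["method"], prev["request"]["url"],
                           prev["response"]["status"])
            findings.append({"method": req["method"], "url": req["url"],
                             "status": resp["status"], "redirected_from": via,
                             "saml_response": has_saml_response(req)})
        prev = entry
    return findings


if __name__ == "__main__":
    for finding in trace_acs(SAMPLE_HAR, ACS):
        print(finding)
```

A healthy capture shows a single POST with `saml_response` set to True; a GET to the same path with `redirected_from` filled in points at the response that triggered it.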