Federation login failed with error 400

Document ID : KB000040960
Last Modified Date : 02/04/2018


SP-initiated SSO is failing with error 400 - Reason: UNSUPPORTED_AUTHN_REQUEST_BINDING.


  • CA Single Sign-On

  • CA Single Sign-On:Release:12.52
Siteminder 12.52 and later releases support the SAML 2.0 HTTP-POST Authentication Binding in addition to the HTTP-Redirect Binding.
An older Siteminder release acting as IdP, which does not support the SAML 2.0 HTTP-POST Authentication Binding, uses the HTTP-Redirect Binding by default. Hence, if the Service Provider sends the AuthnRequest via the HTTP-POST binding, Federation login fails at Siteminder (IdP) with error 400.
If you are getting the same error with a Siteminder release that supports the SAML 2.0 HTTP-POST Authentication Binding, it is likely that the IdP has not been configured to allow the HTTP-POST Authentication Binding.
Check the Siteminder Policy Server, SPS/WAOP or Federation Manager version.
If the Siteminder version is lower than the R12.52 release, upgrade the Siteminder components to the supported release or configure the Service Provider to use the HTTP-Redirect binding to send the authentication request.
If the Siteminder version is at a supported release, ensure that Authentication Request Binding is set to HTTP-POST in the IdP->SP Partnership.
NOTE: To enable HTTP-POST, you MUST set up a session store at the IdP side. This page in the CA SSO docs explains the requirements and setup for this type of configuration: https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/partnership-federation/saml-2-0-only-configurable-features/enable-saml-2-0-http-post-binding

If you do not want to set up a session store or use HTTP-POST, then you would need to have HTTP-Redirect Authn binding enabled at the SP side.
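
To confirm which binding the Service Provider is actually using before changing either side, a captured browser request can be decoded. The following Python sketch is an added example, not part of the original article or the product's code; `identify_request_binding` is a hypothetical helper, and the URLs and sample AuthnRequest are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def identify_request_binding(method, url, body=""):
    """Classify a captured SSO request and summarise the AuthnRequest in it."""
    if method.upper() == "GET":      # Redirect binding: message in the query string
        params, binding = parse_qs(urlsplit(url).query), REDIRECT
    else:                            # POST binding: message in the form body
        params, binding = parse_qs(body), POST
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in the captured request")
    raw = base64.b64decode(params["SAMLRequest"][0])
    if binding == REDIRECT:
        raw = zlib.decompress(raw, -15)   # raw DEFLATE under the base64 layer
    # Inspection of your own capture only; no signature or trust decision here.
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest does not contain an AuthnRequest")
    return {
        "binding": binding,
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        # Per the article: this request only succeeds if the IdP allows HTTP-POST.
        "needs_idp_post_binding": binding == POST,
    }

# Constructed sample data (hypothetical SP and IdP URLs).
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2018-02-04T00:00:00Z" '
    'Destination="https://idp.example.com/sso">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
).encode()

def _raw_deflate(data):
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

REDIRECT_URL = "https://idp.example.com/sso?" + urlencode(
    {"SAMLRequest": base64.b64encode(_raw_deflate(SAMPLE_XML)).decode()})
POST_BODY = urlencode({"SAMLRequest": base64.b64encode(SAMPLE_XML).decode()})

if __name__ == "__main__":
    print(identify_request_binding("GET", REDIRECT_URL))
    print(identify_request_binding("POST", "https://idp.example.com/sso", POST_BODY))
```

A result with `needs_idp_post_binding` set to true on an IdP that returns error 400 points to the HTTP-POST binding case described above.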