"Bad SAML Request"


#1

I am attempting to integrate with Okta via Java to enable deep links in my application. When I request a deep link, I am correctly redirected to the Okta login page. After entering username and password, I receive a 400 error with the message “Bad SAML Request”.

I’ve used a SAML validator to check the SAML and it always comes back as a valid request and there is nothing in the application logs to indicate that anything has happened, so I don’t know what’s wrong with my SAML Request. At first I thought the problem was that my redirect URL was not added as a trusted origin, but I added it there and it doesn’t seem to have made a difference.

Could anyone point me in a direction that I can explore to try to fix this error? I’m happy to supply more information if it might help.


#2

Here’s the SAML request I’m using:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_8221fb40-e3bf-4904-a7ae-6a8c533647ac" Version="2.0" IssueInstant="2018-09-04T18:39:01Z"
                    Destination="https://dev-770441.oktapreview.com/app/imprevincdev770441_imprevtest_1/exkg3yg8zbzaqbYQy0h7/sso/saml"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://remax.devvm.imprev.net/omc/SAMLLogin.ipv">
<saml:Issuer>http://www.okta.com/exkg3yg8zbzaqbYQy0h7</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>```

#3

What SAML lib are you using in your application?


#4

onelogin

I know that OpenSAML is the library mentioned in the documentation, but my company was already using the onelogin library, so I continued with that.


#5

Is there any other context, or log messages on your end when you get the “Bad SAML Request” response?


#6

We log the SAML request before it goes out, but I get nothing when I get the Bad SAML Request response. I just get the error screen on my browser–it would appear that control is never getting back to my application.


#7

Does anything show up in your Okta Admin Console Logs?


#8

Nothing at all.

It’s as if I didn’t even hit the login screen (which it does go through the first time; subsequent tests don’t hit the login screen unless I log out first, so it would appear that the login is working correctly).


#9

Update: if I remove the filters on the logs identifying target.id and target.type then I discover that my logging in (and out) is being logged as logging in to (and out of) Okta, but not into the app, apparently.


#10

Good update! Is there anything useful in the logs?

Feel free to continue the thread here, but at this point I’m going to suggest you contact support if you are still stuck: https://support.okta.com/help/s/ (green “Open a Case” on the button top right)

Keep us posted!


#11

Sadly, no, nothing useful in the logs. I have opened a support ticket. Thank you for your efforts on my behalf. I will definitely let you know what i find out.


#12

It took a while, including meeting with an Okta support representative who didn’t spot the problem in my code, but the problem was simply that I was using HTTP redirect and in the URL parameters, the SAML request was base64 encoded but not URL encoded.