Bad SAML Request

Tags: federated, ibm-domino, single-sign-on

I'm trying to set up a web SAML login on a Domino server. I received the SAML 2.0 metadata XML file from the identity provider, which is Oracle Identity Federation 11g.

I imported the metadata into an IdP configuration document and got the first phase of the login to work, so that the user is redirected to the IdP server for login.

When the login at the IdP is done I'm redirected back to the Domino server and get "Error 400 HTTP Web Server: Bad SAML Request". I have tried the DEBUG_SAML notes.ini setting with different numbers and finally all combined: DEBUG_SAML=11199. This is shown on the server console:

ProduceSaml2ADFSReply: https://oracle-idp-site.net/fed/idp/initiatesso?providerid=http://mytestsite.fi&returnurl=http://mytestsite.fi/dev/ph/xp.nsf/test.xsp&loginToRp=http://mytestsite.fi
Relay state is not equal [1575470014] - [http://mytestsite.fi/dev/ph/xp.nsf/test.xsp], url decoded/decripted [
http://mytestsite.fi/dev/ph/xp.nsf?$$_vrd2=95ed6770a665e89b35e0a74c03e6b463-b4cea507-ysrLzM3LyMx47oPqJm7hhAT%2FwyC%2BkYQ8GVN1HA%2BVb2FnIek6KcAxlr%2FzuOW018x5SUc5ULLb0zLZs3avb0UaT4t%2FepmI%2FcR29lrkKXIa9lxT9XvViDytNdpVObJG]
Could not decode cookie. Dump post data:
PostFieldName - SAMLResponse - Data - 
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vZGV2LnNvdmVsbHVzdGFsby5maS9uYW1lcy5uc2Y/U0FNTExvZ2luIiBJRD0iaWQtcnpaeUlWRmY3a3BLMFR1SGVMeTR5T3RnaGFJLSIgSXNzdWVJbnN0YW50PSIyMDEzLTA5LTE5V
PostFieldName - RelayState - Data - http://mytestsite.fi/dev/ph/xp.nsf/test.xsp
19.09.2013 15:17:19   HTTP Web Server: Bad SAML Request [/names.nsf?SAMLLogin] Anonymous

I end up at the URL http://mytestsite.fi/names.nsf?SAMLLogin with the Error 400 mentioned above. As "Single sign-on service URL" I have:

https://oracle-idp-site.net/fed/idp/initiatesso?providerid=http://mytestsite.fi&returnurl=http://mytestsite.fi/dev/ph/xp.nsf/test.xsp

This is the URL structure that works with the Oracle product. The Federation product in the IdP configuration document was set to ADFS when I imported the metadata, but I have also tried TFIM.

The reason for the failure seems to be "Relay state is not equal" or "Could not decode cookie" but what can be done about them?

EDIT 2013-09-26

IBM support refused to help me because Domino only supports MS AD and IBM TFIM as IdP. I thought SAML was a standard.

Best Answer

We had the same error and found that the x509 cert in the IdP Config wasn't imported or copied in correctly. We copied it directly out of the XML file into Notepad, removed any spaces or line breaks and pasted it back into the config file. Restarted HTTP and it was resolved.
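The answer above comes down to a certificate that was pasted into the IdP configuration document with stray spaces and line breaks. The Python below is an added illustration, not code from the original post or from Domino: it pulls the signing certificate out of IdP metadata, strips whitespace the way the answer describes, and checks that the configured value both decodes as a DER-shaped blob and matches the metadata copy. The metadata XML and the certificate bytes are constructed stand-ins, and Domino's own parsing rules are not known, so the strict base64 check only approximates "copied in correctly".

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def normalize_cert(text: str) -> str:
    # Drop PEM armour lines, then every whitespace character (spaces, tabs, line breaks).
    lines = [ln for ln in text.splitlines() if "CERTIFICATE-----" not in ln]
    return "".join("".join(lines).split())

def extract_signing_certs(metadata_xml: str) -> list:
    # Normalized base64 of every signing certificate under the IdP's IDPSSODescriptor.
    root = ET.fromstring(metadata_xml)
    return [normalize_cert(c.text or "")
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"   # no 'use' means signing + encryption
            for c in kd.iterfind(".//ds:X509Certificate", NS)]

def is_plausible_der_cert(b64: str) -> bool:
    # Strict base64 decode (any whitespace is an error) plus a DER outer-SEQUENCE length check.
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return False
    if len(der) < 4 or der[0] != 0x30:
        return False
    if der[1] & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = der[1] & 0x7F
        return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + der[1]

def check_configured_cert(configured: str, metadata_xml: str) -> dict:
    # Compare the value pasted into the IdP configuration document with the metadata copy.
    wanted = normalize_cert(configured)
    return {"pasted_as_is_valid": is_plausible_der_cert(configured),
            "normalized_valid": is_plausible_der_cert(wanted),
            "matches_metadata": wanted in extract_signing_certs(metadata_xml)}

# Constructed sample: a DER-shaped blob (not a real certificate) wrapped and indented the way
# it appears in a pretty-printed metadata file, plus minimal metadata XML around it.
_payload = bytes(range(256)) * 2
_b64 = base64.b64encode(b"\x30\x82" + len(_payload).to_bytes(2, "big") + _payload).decode()
PASTED_WITH_BREAKS = "\n      ".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {PASTED_WITH_BREAKS}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Running `check_configured_cert(PASTED_WITH_BREAKS, SAMPLE_METADATA)` reports the raw copy as invalid and the whitespace-stripped copy as valid and matching; a value that is valid DER but does not match the metadata (a cert from the wrong IdP, or a typo in the base64) is caught by the metadata comparison rather than the decode.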
