Any error messages or other hints from UAA about why it can't process dex's request? It's hard to know how to help otherwise.

I don't use UAA, I replce UAA with DEX to integrate with IDP service. there is no logs showing what is wrong in the DEX side.

@jenningsloy318 Can you configure your IdP to expect an AuthnRequest via the HTTP Post Binding? Your expectation,

but for a usable redirect, it should be https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>?SAMLRequest=va46pbjbpmyt7e22v2wb4j7gz, append ?SAMLRequest=va46pbjbpmyt7e22v2wb4j7gz to the ssoURL, but actually not.

describes the HTTP Redirect Binding, which dex doesn't support (see the docs, and this comment).

More details on bindings can be found here, sections 3.4.5 and 3.5.5.

@srenatus

Thanks,but i find it is difficult to configure at IDP side

@jenningsloy318 I'm afraid the only other option would be to implement the HTTP Redirect Binding in Dex. Not like I know much about any, but what IdP is it? Maybe some passer-by has insights to share...?

@srenatus

It is an IDP provided by SAP, we bought their IDP service alongside with Cloud Foundry service.

@jenningsloy318 I see. Also, I have no idea how to help with that. I'd ask their support for getting help with switching the SAML binding type. (Unless you'd want to implement the Redirect Binding in Dex 😉 )

@srenatus I am a sysadm with poor programming skills, so ...😉

@jenningsloy318 I've taken a stab at it, thinking that it couldn't be too hard to add that Binding. @ericchiang What do you think, could we get this in? 😃 It'll help our users, for sure, by removing this arbitrary restriction when it comes to supporting SAML2.

@srenatus Thanks for your info, hope we can get it resoved soon.

Hey @jenningsloy318

I see you're using on demand solution of SAP Cloud Identity, I had the same error which in fact tells nothing...

In my case this error occurred when :

• I had wrong SP in AuthnRequest url (it has to match name in the SAML2 configuration of your application(Service Provider), you can check it in admin console of your tenant in SCP. I have multiple applications registered, therefore I have to add it as query param in url.

• I did not have proper issuer in AuthnRequest - In dex configmap I had to add entityIssuer property with value of registered SP so it looks like entityIssuer: MY_SP_NAME. If you have your SP registered with name **https://dex.<my domain> ** I think you should change your entityIssuer from **https://dex.<my domain>/callback ** to **dex.<my domain> **

My working dex configuration with SCP IAS :

   config:
        # Issuer for SAML Request
        entityIssuer: dex.{{ .Values.global.domainName }}
        # I have multiple SP registered so I have to specify which one to use in SCP IAS
        ssoURL: https://{{ .Values.idp.tenant }}.{{ .Values.idp.domain}}/saml2/idp/sso?sp=dex.{{ .Values.global.domainName }}
        ca: {{ .Values.idp.ca }}
        redirectURI: https://dex.{{ .Values.global.domainName }}/callback
        usernameAttr: first_name
        emailAttr: mail
        groupsAttr: groups

I did not have to change bindings, I'm using helm, so replace {{ }} with your data

— @DebugIt Thanks for info. I will test it after the vocation.

@DebugIt I tried your recommendations, but still got no luck. Can you advise if I'd make some changes on the IAS side ?