HTTP ERROR 400 when logging in via SAML - Description and Resolution


Description:

      When logging into the application via SAML, an HTTP ERROR 400 is returned even though the SAML configuration on both the application and the identity provider (IdP) is correct.



Overview:

      An HTTP ERROR 400 during a SAML login means the application answered the request with "Bad Request". Generically, a 400 is classed as a client-side error: the server could not process the request because of malformed syntax or parameters. In a SAML login the request that fails is not the user's own click but the SAMLResponse POST: after authentication, the IdP page auto-submits a form that the user's browser sends to the application, and that request carries the IdP's origin (https://login.microsoftonline.com in the traces below). The application's security filter treats that cross-origin POST as a disallowed CORS request and rejects it with a 400. Let's look at how to fix this problem.

Error traces:

      In this scenario, the serverout logs may not provide specific details; the relevant traces are in the security logs. You may see traces similar to the following (the first and last lines are fragments of adjacent log entries):

[SAMLResponse] for the URI : POST : /Error
[12:15:13:923]|[05-08-2023]|[com.adventnet.iam.security.SecurityResponseWrapper]|[SEVERE]|[63]: CORS request "/Error" from origin : "https://login.microsoftonline.com" is not allowed
[12:15:13:923]|[05-08-2023]|[com.adventnet.iam.security.IAMSecurityException]|[INFO]|[63]: IAMSecurityException ErrorCode: UNAUTHORIZED_CORS_REQUEST, RequestURI: "/Error", RemoteAddr: "10.95.33.181", Referrer: "https://login.microsoftonline.com/"
[12:15:13:923]|[05-08-2023]|[com.adventnet.iam.security.SecurityFilter]|[SEVERE]|[63]: IAMSecurityException Error Code : UNAUTHORIZED_CORS_REQUEST
[12:15:13:923]|[05-08-2023]|

Resolution:

      Add the identity provider's origin, https://login.microsoftonline.com for Microsoft Entra ID (Azure AD), to the Security Headers under Access Control Allow Origin. This tells the security filter to accept the cross-origin SAMLResponse POST from that origin. Use exactly the origin shown in the "CORS request ... from origin" trace (scheme and host only, no trailing path), and add only that origin rather than a wildcard, so that other origins remain blocked.



      After updating the security headers, restart the application services to apply the changes.
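To see what the security filter is objecting to and why the fix must be an exact origin, here is an added example (not ManageEngine's code) that parses the security-log trace above to list the blocked origins, then models an Access-Control-Allow-Origin allow-list check. The log lines are constructed from the article's excerpt, and the 200/400 outcome of simulate_saml_post is an assumption standing in for the real filter's behaviour.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample: the security-log lines quoted in the article, as an
# administrator would copy them out of the security log file.
SAMPLE_SECURITY_LOG = """\
[12:15:13:923]|[05-08-2023]|[com.adventnet.iam.security.SecurityResponseWrapper]|[SEVERE]|[63]: CORS request "/Error" from origin : "https://login.microsoftonline.com" is not allowed
[12:15:13:923]|[05-08-2023]|[com.adventnet.iam.security.IAMSecurityException]|[INFO]|[63]: IAMSecurityException ErrorCode: UNAUTHORIZED_CORS_REQUEST, RequestURI: "/Error", RemoteAddr: "10.95.33.181", Referrer: "https://login.microsoftonline.com/"
[12:15:13:923]|[05-08-2023]|[com.adventnet.iam.security.SecurityFilter]|[SEVERE]|[63]: IAMSecurityException Error Code : UNAUTHORIZED_CORS_REQUEST
"""

# Matches the SecurityResponseWrapper line that names the rejected origin.
CORS_DENY_RE = re.compile(
    r'CORS request "(?P<uri>[^"]+)" from origin : "(?P<origin>[^"]+)" is not allowed'
)


def blocked_origins(log_text: str) -> Dict[str, Set[str]]:
    """Map each origin the security filter rejected to the URIs it was rejected on.

    The result is the list of candidates for the Access Control Allow Origin
    setting; in the article's case it is a single IdP origin.
    """
    found: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = CORS_DENY_RE.search(line)
        if m:
            found.setdefault(m.group("origin"), set()).add(m.group("uri"))
    return found


def normalize_origin(value: str) -> Optional[str]:
    """Reduce a URL or Origin header value to scheme://host[:port], lower-cased.

    Returns None for anything that is not an absolute URL, so a stray path or
    a bare hostname typed into the allow-list never silently matches.
    """
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_origin_allowed(origin: str, allow_list: List[str]) -> bool:
    """Exact-match check against the configured allow-list.

    Exact matching is the point: a prefix or substring match would let
    https://login.microsoftonline.com.evil.example through, and scheme must
    match too (http:// is not the same origin as https://).
    """
    norm = normalize_origin(origin)
    if norm is None:
        return False
    allowed = {normalize_origin(a) for a in allow_list}
    allowed.discard(None)
    return norm in allowed


def simulate_saml_post(origin: str, allow_list: List[str]) -> int:
    """Assumed outcome of a cross-origin SAMLResponse POST: 400 when blocked, 200 when allowed."""
    return 200 if is_origin_allowed(origin, allow_list) else 400


if __name__ == "__main__":
    for origin, uris in blocked_origins(SAMPLE_SECURITY_LOG).items():
        print(f"blocked origin {origin} on {sorted(uris)}")
    fixed = ["https://login.microsoftonline.com"]
    print("before fix:", simulate_saml_post("https://login.microsoftonline.com", []))
    print("after fix: ", simulate_saml_post("https://login.microsoftonline.com", fixed))
```

Running blocked_origins over the real security log tells you which origin to add; the simulate_saml_post calls show the IdP origin going from 400 to 200 once it is on the list, while a lookalike host or an http:// variant of the IdP stays blocked.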

