SAML SSO error: opensaml::BindingException
SAML SSO error: opensaml::BindingException at (https://sso.smartsheet.com/Shibboleth.sso/SAML/POST) Request missing SAMLResponse or TARGET form parameters
This error occurs when you attempt to log in to Smartsheet with SAML. It frequently appears during the initial setup of SAML.
- Go to the Smartsheet login page.
- Select Your Company Account.
- Enter your IdP credentials.
- The IdP attempts to redirect you back to Smartsheet, but the error message appears instead of the signed-in session.
This error can occur even if everything in the assertion appears to be correct (Certificate, Audience Restriction, NameID/Persistent ID, Email Address attribute).
This error occurs if the IdP redirects the user to https://sso.smartsheet.com/Shibboleth.sso/SAML/POST instead of https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST. The redirect target depends on the Assertion Consumer Service (ACS) URL that is configured for Smartsheet in the customer's IdP.
Some identity providers, such as Citrix ADC, try to automatically parse the ACS URL from the Smartsheet Service Provider Metadata XML here: https://www.smartsheet.com/sites/default/files/smartsheet-saml2-sp-metadata.xml
Within the Smartsheet metadata, there are four AssertionConsumerService Bindings with the following definitions:
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" | Used for SAML2 assertions (this is the one that's used by SAML 2.0 in 99% of configurations)
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" | SAML 2 alternative to HTTP-POST that uses a different signing mechanism (see http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-binding-simplesign-cd-02.html)
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" | Reverse SOAP endpoint for SAML 2
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" | SAML 1 POST endpoint for SAML 1 assertions
Although the SP metadata XML contains ACS Bindings that are valid for SAML 1.0, Smartsheet requires the use of SAML 2.0.
In the case of Citrix ADC, the IdP was automatically selecting the incorrect SAML 1.0 ACS Binding even though Citrix uses SAML 2.0. Work with your IdP provider: alert them that the automatic ACS Binding selection is incorrect and that the ACS URL needs to be defined manually instead.
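The following is an added example, not Smartsheet's or Citrix's code, showing how an IdP should pick an endpoint out of SP metadata: select the AssertionConsumerService by its Binding URN, never by its position in the file. It also shows why the error text mentions TARGET: the SAML 1.x browser/POST endpoint expects both SAMLResponse and TARGET form fields, while a SAML 2.0 HTTP-POST only carries SAMLResponse (plus an optional RelayState). The metadata below is constructed for this example; the four Binding URNs and the /SAML2/POST and /SAML/POST locations come from the article, and the SimpleSign and PAOS locations and the index values are placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_BROWSER_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

# Constructed sample SP metadata (not the real Smartsheet file). Only the
# two Shibboleth.sso locations are taken from the article; the other two
# locations and the index attributes are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.smartsheet.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://sp.example.invalid/acs/simplesign"/>
    <md:AssertionConsumerService index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp.example.invalid/acs/paos"/>
    <md:AssertionConsumerService index="4"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sso.smartsheet.com/Shibboleth.sso/SAML/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Form fields each endpoint requires. The SAML 1 set mirrors the error text
# ("missing SAMLResponse or TARGET"); SAML 2.0 HTTP-POST needs only SAMLResponse.
REQUIRED_FORM_FIELDS = {
    "https://sso.smartsheet.com/Shibboleth.sso/SAML/POST": {"SAMLResponse", "TARGET"},
    "https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST": {"SAMLResponse"},
}


def list_acs(metadata_xml):
    """Return every AssertionConsumerService as (index, binding, location)."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [
        (int(acs.get("index", "0")), acs.get("Binding"), acs.get("Location"))
        for acs in root.iterfind(path, MD_NS)
    ]


def select_acs(metadata_xml, binding=SAML2_HTTP_POST):
    """Pick the ACS by Binding URN. Picking 'the first one' or 'the last one'
    is what lands an IdP on a SAML 1.0 endpoint."""
    matches = [loc for _, b, loc in list_acs(metadata_xml) if b == binding]
    if not matches:
        raise LookupError(f"no AssertionConsumerService with Binding {binding}")
    return matches[0]


def check_configured_acs(configured_url, metadata_xml):
    """Classify the ACS URL an IdP admin configured:
    'ok'              - the SAML 2.0 HTTP-POST endpoint
    'saml1-endpoint'  - the SAML 1.0 browser-post endpoint (this article's error)
    'wrong-binding'   - in the metadata, but another SAML 2 binding
    'not-in-metadata' - not an endpoint the SP advertises at all"""
    for _, binding, location in list_acs(metadata_xml):
        if location == configured_url:
            if binding == SAML2_HTTP_POST:
                return "ok"
            if binding == SAML1_BROWSER_POST:
                return "saml1-endpoint"
            return "wrong-binding"
    return "not-in-metadata"


def missing_form_fields(acs_url, posted_fields):
    """Which required form fields a POST to acs_url lacks (empty list = fine)."""
    return sorted(REQUIRED_FORM_FIELDS[acs_url] - set(posted_fields))


if __name__ == "__main__":
    for entry in list_acs(SAMPLE_SP_METADATA):
        print(entry)
    print("correct ACS:", select_acs(SAMPLE_SP_METADATA))
    bad = "https://sso.smartsheet.com/Shibboleth.sso/SAML/POST"
    print(bad, "->", check_configured_acs(bad, SAMPLE_SP_METADATA))
    # A SAML 2.0 IdP posts SAMLResponse + RelayState; the SAML 1 endpoint wants TARGET.
    print("missing at SAML/POST:", missing_form_fields(bad, {"SAMLResponse", "RelayState"}))
```

Running the script against the sample metadata reports the SAML/POST URL as a SAML 1.0 endpoint and shows that a SAML 2.0 POST to it is missing TARGET, which is exactly the condition the opensaml::BindingException describes. Pointing the same check at the real metadata URL from the article (fetched separately) is a quick way to confirm what an IdP admin has configured.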
To resolve this error, have your IdP admin ensure they've configured the ACS URL with the correct URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST
Check your configuration settings, as follows:
- ACS URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST
- Audience restriction: https://sso.smartsheet.com/saml
- Validate your certificates: https://redkestrel.co.uk/products/decoder/
- Confirm the Persistent ID and Email Address claims use supported formats: https://help.smartsheet.com/articles/2476671-saml-assertion-supported-claims
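As an added example (not Smartsheet's code), the script below decodes the SAMLResponse form value an IdP posted and compares it against the checklist above: Destination must be the SAML 2.0 ACS URL, the Audience must be https://sso.smartsheet.com/saml, the NameID must use the standard persistent format, and an email attribute must be present. The response XML is constructed for the example and deliberately carries the wrong Destination; the attribute name "Email" is an assumption (check the supported-claims article for the exact name). It does not verify the XML signature, so use the certificate decoder linked above for that part of the checklist.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_ATTRIBUTE = "Email"  # assumed claim name; confirm against the supported-claims article

# Expected values from the checklist in the article.
EXPECTED_ACS = "https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST"
EXPECTED_AUDIENCE = "https://sso.smartsheet.com/saml"

# Constructed, unsigned response from a misconfigured IdP: everything is
# right except Destination, which points at the SAML 1 endpoint.
CONSTRUCTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sso.smartsheet.com/Shibboleth.sso/SAML/POST">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-42</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.smartsheet.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>user@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually posts in the SAMLResponse field: base64 of the XML.
CONSTRUCTED_FORM_VALUE = base64.b64encode(CONSTRUCTED_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value):
    """Undo the HTTP-POST binding encoding (base64, no deflate) and return the XML."""
    return base64.b64decode(form_value).decode("utf-8")


def check_response(xml_text, expected_acs=EXPECTED_ACS, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of findings; an empty list means the checklist values match.
    Signature validity is NOT checked here."""
    root = ET.fromstring(xml_text)
    findings = []

    destination = root.get("Destination")
    if destination != expected_acs:
        findings.append(f"Destination {destination!r} is not the ACS URL {expected_acs}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion element (encrypted assertions are not handled here)")
        return findings

    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences!r} does not include {expected_audience}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT_FORMAT:
        findings.append("NameID missing or not in the persistent format")

    attr_names = {a.get("Name") for a in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute", NS)}
    if EMAIL_ATTRIBUTE not in attr_names:
        findings.append(f"no {EMAIL_ATTRIBUTE} attribute in the AttributeStatement")

    return findings


if __name__ == "__main__":
    xml = decode_saml_response(CONSTRUCTED_FORM_VALUE)
    for finding in check_response(xml) or ["checklist values all match"]:
        print(finding)
```

To run it on a real login, capture the SAMLResponse form field from the browser's developer tools on the POST to Smartsheet and pass it to decode_saml_response; a finding about Destination while the rest passes is the signature of the ACS URL problem this article describes.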