Applies to
- Enterprise
SAML SSO error: opensaml::BindingException
Symptom
SAML SSO error: opensaml::BindingException at (https://sso.smartsheet.com/Shibboleth.sso/SAML/POST) Request missing SAMLResponse or TARGET form parameters
This error occurs when attempting to log in to Smartsheet with SAML. It frequently appears during the initial setup of SAML.
- Go to the Smartsheet login page.
- Select Your Company Account.
- Enter IdP credentials.
- The IdP attempts to redirect the user to Smartsheet, but the error message appears.
This error can occur even if everything in the assertion appears to be correct (Certificate, Audience Restriction, NameID/Persistent ID, Email Address attribute).
Cause
This error occurs if the IdP tries to redirect the user to https://sso.smartsheet.com/Shibboleth.sso/SAML/POST instead of https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST. This redirect depends upon the Assertion Consumer Service (ACS) URL configured for Smartsheet in the customer's IdP.
Some identity providers, such as Citrix ADC, try to automatically parse the ACS URL from the Smartsheet Service Provider Metadata XML here: https://www.smartsheet.com/sites/default/files/smartsheet-saml2-sp-metadata.xml
Within the Smartsheet metadata, there are four Assertion Consumer Service Bindings with the following definitions:
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" — Used for SAML 2.0 assertions. This is the one used by SAML 2.0 in 99% of configurations.
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" — SAML 2.0 alternative to HTTP-POST with an alternate signing mechanism. See here: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-binding-simplesign-cd-02.html
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" — Reverse SOAP endpoint for SAML 2.0.
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" — SAML 1.0 POST endpoint for SAML 1.0 assertions.
Although the SP metadata XML contains ACS Bindings that are valid for SAML 1.0, Smartsheet requires the use of SAML 2.0.
In the case of Citrix ADC, the IdP was automatically selecting the incorrect SAML 1.0 ACS Binding even though Citrix ADC uses SAML 2.0. Work with your IdP provider: alert them that the automatic ACS Binding selection is incorrect and that the ACS URL needs to be defined manually instead.
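The selection problem above is easy to reproduce against SP metadata. The following is an added example, not Smartsheet or Citrix code, that parses a constructed metadata document modelled on the four bindings listed above, picks the ACS Location by its SAML 2.0 HTTP-POST Binding rather than by position, and shows how a position-based picker lands on the SAML 1.0 endpoint; the SimpleSign and PAOS Locations in the sample are placeholders, not values from the real metadata file.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata modelled on the four bindings the article lists.
# The SAML2/POST and SAML/POST Locations are the ones quoted in the article; the
# entityID is the Audience value it lists; the other two Locations are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.smartsheet.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://sso.smartsheet.com/Shibboleth.sso/PLACEHOLDER-SimpleSign"/>
    <md:AssertionConsumerService index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sso.smartsheet.com/Shibboleth.sso/PLACEHOLDER-PAOS"/>
    <md:AssertionConsumerService index="4" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sso.smartsheet.com/Shibboleth.sso/SAML/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def acs_endpoints(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (Binding, Location) pairs of every ACS in document order."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)]

def select_saml2_post_acs(metadata_xml: str) -> str:
    """Pick the ACS URL an IdP should use for SAML 2.0 HTTP-POST.
    Fails loudly if the SP offers no such binding instead of falling back."""
    for binding, location in acs_endpoints(metadata_xml):
        if binding == SAML2_HTTP_POST:
            return location
    raise ValueError("SP metadata has no SAML 2.0 HTTP-POST AssertionConsumerService")

def naive_last_acs(metadata_xml: str) -> str:
    """Illustrative wrong picker: takes the last ACS regardless of Binding,
    which in this sample is the SAML 1.0 browser-post endpoint."""
    return acs_endpoints(metadata_xml)[-1][1]

def check_acs_url(configured: str, metadata_xml: str) -> bool:
    """True only if the ACS URL configured in the IdP is the SAML 2.0 HTTP-POST one."""
    return configured == select_saml2_post_acs(metadata_xml)
```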
Resolution
To resolve this error, have your IdP admin ensure they've configured the ACS URL with the correct URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST
Check your configuration settings as follows:
- ACS URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST
- Audience restriction: https://sso.smartsheet.com/saml
- Validate your certificates: https://redkestrel.co.uk/products/decoder/
- Confirm that the Persistent ID and Email Address claims use supported formats: https://help.smartsheet.com/articles/2476671-saml-assertion-supported-claims