SAML SSO error: opensaml::BindingException

Applies to

Smartsheet
  • Enterprise

Symptom

SAML SSO error: opensaml::BindingException at (https://sso.smartsheet.com/Shibboleth.sso/SAML/POST) Request missing SAMLResponse or TARGET form parameters

This error occurs when you attempt to log in to Smartsheet with SAML. It frequently appears during the initial setup of SAML.

  1. Go to the Smartsheet login page.
  2. Select Your Company Account.
  3. Enter IdP credentials.
  4. The IdP attempts to redirect the user to Smartsheet, but the error message appears.

This error can occur even if everything in the assertion appears to be correct (Certificate, Audience Restriction, NameID/Persistent ID, Email Address attribute).

Cause

This error occurs if the IdP tries to redirect the user to https://sso.smartsheet.com/Shibboleth.sso/SAML/POST instead of https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST. This redirect is dependent upon the Assertion Consumer Service (ACS) URL that is configured for Smartsheet in the customer's IdP.

Some identity providers, such as Citrix ADC, will try to automatically parse the ACS URL from the Smartsheet Service Provider Metadata XML here: https://www.smartsheet.com/sites/default/files/smartsheet-saml2-sp-metadata.xml

Within the Smartsheet metadata, there are four AssertionConsumerService Bindings with the following definitions:

  • Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" | Used for SAML2 assertions (this is the one that is used by SAML 2.0 in 99% of configurations)
  • Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" | Used as a SAML 2 alternative to HTTP-POST with an alternate signing mechanism (see http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-binding-simplesign-cd-02.html)
  • Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" | Reverse SOAP endpoint for SAML 2
  • Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" | SAML 1 POST endpoint for SAML 1 assertions

Although the SP metadata XML contains ACS Bindings that are valid for SAML 1.0, Smartsheet requires the use of SAML 2.0.

In the case of Citrix ADC, the IdP was automatically grabbing the incorrect ACS Binding for SAML 1.0 even though Citrix uses SAML 2.0. Work with your IdP provider: alert them that the automatic ACS Binding selection is incorrect and that the ACS URL needs to be defined manually instead.
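
As an added illustration (not Smartsheet or Citrix code), the Python example below selects the ACS URL by its Binding URI rather than by position, and classifies an ACS URL configured in an IdP against the metadata. The embedded metadata is a constructed sample: the two sso.smartsheet.com Locations come from this article, while the entityID and the example.invalid Locations are placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, not the real Smartsheet metadata file. The example.invalid
# values are placeholders; the two sso.smartsheet.com URLs are from the article.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.invalid/entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp.example.invalid/simplesign-placeholder"/>
    <md:AssertionConsumerService index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp.example.invalid/paos-placeholder"/>
    <md:AssertionConsumerService index="4" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sso.smartsheet.com/Shibboleth.sso/SAML/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return {Binding URI: Location} for every AssertionConsumerService."""
    # Metadata fetched over the network is untrusted input; parse it with a
    # hardened XML parser (for example defusedxml) rather than plain ElementTree.
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding"): e.get("Location")
            for e in root.iter(MD + "AssertionConsumerService")}


def saml2_post_acs(metadata_xml):
    """Pick the ACS URL by Binding URI, never by position in the file."""
    endpoints = acs_endpoints(metadata_xml)
    if SAML2_POST not in endpoints:
        raise ValueError("metadata has no SAML 2.0 HTTP-POST ACS endpoint")
    return endpoints[SAML2_POST]


def check_configured_acs(configured_url, metadata_xml):
    """Classify the ACS URL set in the IdP against the SP metadata."""
    for binding, location in acs_endpoints(metadata_xml).items():
        if location == configured_url:
            return "ok" if binding == SAML2_POST else "wrong binding: " + binding
    return "not in metadata"


if __name__ == "__main__":
    print("ACS to configure:", saml2_post_acs(SAMPLE_METADATA))
    # The URL from the error message maps to the SAML 1 browser-post binding.
    bad = "https://sso.smartsheet.com/Shibboleth.sso/SAML/POST"
    print(bad, "->", check_configured_acs(bad, SAMPLE_METADATA))
```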

Resolution

To resolve this error, have your IdP admin ensure that the ACS URL is configured with the correct URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST

Check your configuration settings, as follows: