
49qd9 (49qd9) asked a question.
We have encountered an intermittent issue in our SAML integration where we receive a 400 Bad Request response from Okta, specifically related to certain SAML ID attributes. We have noticed that for some ID values, the authentication process works seamlessly, while for others, it results in a 400 Bad Request.
AuthnRequest example:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://" ForceAuthn="true" ID="FSM_3167184649562896494" IssueInstant="2023-12-25T10:33:18.746Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">test</saml2:Issuer>
</saml2p:AuthnRequest>
To provide more context, here are examples of SAML ID attributes that are working and not working:
Working IDs:
- FAG_123456781
- FSM_123456781
- FSM_123456789
- _2b16caecb21804d0271c7b45734978a31b122c0b9a
Not Working IDs:
- FA_123456781
- F_123456781
- FSM_12345678
- FSM_123456
- _2b16caecb21804d0271c7b45734978a31b122c0b9
Could you please provide guidance on Okta's expectations for SAML ID attributes and any specific considerations that might influence the intermittent nature of the 400 Bad Request responses?
Thank you for your assistance in resolving this issue. :)

Hi @49qd9 (49qd9), thank you for reaching out to the Okta Community!
If we're discussing a custom deployment and a non-OIN app, this question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out to devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
That being said, I’ve been looking into this and haven’t found any indication that there is any specific restriction for the SAML IDs.
The "400 Bad Request" error is unfortunately very vague and common for various reasons that typically have to do with a malformed request, so I recommend reviewing the configuration to see if perhaps the IDs are a red herring and the root cause is some other part of the configuration.
If the 400 error is on the Okta side, I recommend checking the System Logs for any additional details that might indicate what is missing or misconfigured.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
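As an added example (not part of the question or of Okta's reply), here is a Python script that applies the one constraint the SAML 2.0 schema does place on the ID attribute (it is an xs:ID, so it must be an NCName: start with a letter or underscore, use only name characters, and never contain a colon) to the IDs listed in the question, parses an AuthnRequest to check its ID the same way, and generates a fresh, sufficiently random ID. The sample request, its Destination URL and the duplicate-ID check are my own constructions; nothing here describes Okta's internal validation.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# xs:ID is an NCName: first character a letter or '_', the rest letters,
# digits, '.', '-' or '_', and no ':' anywhere. ASCII-only, which covers
# every ID quoted in the question.
NCNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"

# The working / not-working IDs copied from the question above.
POSTED_IDS = {
    "working": [
        "FAG_123456781", "FSM_123456781", "FSM_123456789",
        "_2b16caecb21804d0271c7b45734978a31b122c0b9a",
    ],
    "not_working": [
        "FA_123456781", "F_123456781", "FSM_12345678", "FSM_123456",
        "_2b16caecb21804d0271c7b45734978a31b122c0b9",
    ],
}

# Constructed sample: the question's request with a placeholder Destination.
SAMPLE_AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.example.invalid/sso" ForceAuthn="true"
    ID="FSM_3167184649562896494" IssueInstant="2023-12-25T10:33:18.746Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">test</saml2:Issuer>
</saml2p:AuthnRequest>"""


def check_saml_id(value):
    """Return the lexical problems of a SAML 2.0 ID attribute; [] means well-formed."""
    if not value:
        return ["ID is empty or missing"]
    if ":" in value:
        return ["contains ':' (xs:ID is an NCName, colons are not allowed)"]
    if not NCNAME_RE.fullmatch(value):
        return ["must start with a letter or '_' and use only [A-Za-z0-9._-]"]
    return []


def new_saml_id(nbytes=20):
    """Fresh ID with nbytes of randomness; the '_' prefix keeps it an NCName
    even when the hex digits happen to start with a number."""
    return "_" + secrets.token_hex(nbytes)


def check_authn_request(xml_text, seen_ids):
    """Parse an AuthnRequest and report problems with its ID attribute.

    seen_ids is a set kept by the caller; reporting a reused ID is a local
    sanity check (SAML requires IDs to be unique), not an Okta rule.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % SAML2P:
        return ["root element is not saml2p:AuthnRequest"]
    req_id = root.get("ID")
    problems = check_saml_id(req_id)
    if req_id is not None:
        if req_id in seen_ids:
            problems.append("ID was already used by an earlier request")
        else:
            seen_ids.add(req_id)
    return problems


def triage_posted_ids():
    """Run the lexical check over every ID quoted in the question."""
    return {i: check_saml_id(i) for group in POSTED_IDS.values() for i in group}


if __name__ == "__main__":
    for saml_id, problems in triage_posted_ids().items():
        print(saml_id, "->", problems or "well-formed xs:ID")
    seen = set()
    print("sample request:", check_authn_request(SAMPLE_AUTHN_REQUEST, seen) or "ok")
    print("replayed sample:", check_authn_request(SAMPLE_AUTHN_REQUEST, seen))
    print("fresh ID:", new_saml_id())
```

Running it shows that every ID in both lists, working and not working, is a well-formed xs:ID, so the lexical rule cannot be what separates them. That is consistent with the reply above: the schema gives no reason for these IDs to be rejected, so the rest of the request (and the Okta System Log entry for the failed attempt) is the better place to look.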