    SAML authnRequest exception

    • james.hudson

      Hello,

      I am trying to implement FusionAuth as idP for an application (SuiteCRM) and am getting an error at the redirect.

      I am running FusionAuth (1.62.1) in Docker for testing but get the same error on our staging instance.

      The error is:

      FusionAuth encountered an exception while processing the SAML v2 AuthnRequest.
      The request originated from: 172.19.0.1.
      
      SAMLRequest: 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
      
      Exception:
      io.fusionauth.samlv2.domain.SAMLException: Invalid AuthnRequest. Inflating the bytes failed.
        at io.fusionauth.samlv2.util.SAMLTools.decodeAndInflate(SAMLTools.java:168)
        at io.fusionauth.samlv2.service.DefaultSAMLv2Service.parseRequestRedirectBinding(DefaultSAMLv2Service.java:641)
        at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.parseAuthNRedirectRequest(DefaultSAMLv2ProviderService.java:314)
        at io.fusionauth.app.action.samlv2.LoginAction.lambda$get$0(LoginAction.java:101)
        at io.fusionauth.app.action.samlv2.BaseSAMLAction.handleSAMLException(BaseSAMLAction.java:111)
        at io.fusionauth.app.action.samlv2.LoginAction.get(LoginAction.java:98)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:443)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:77)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:60)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:45)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:49)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:74)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:58)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:92)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:130)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:65)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.cors.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:68)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:109)
        at org.primeframework.mvc.PrimeMVCRequestHandler.handle(PrimeMVCRequestHandler.java:76)
        at io.fusionauth.http.server.internal.HTTPWorker.run(HTTPWorker.java:183)
        at java.base/java.lang.VirtualThread.run(VirtualThread.java:329)
      Caused by: java.util.zip.DataFormatException: invalid code lengths set
        at java.base/java.util.zip.Inflater.inflateBytesBytes(Native Method)
        at java.base/java.util.zip.Inflater.inflate(Inflater.java:376)
        at java.base/java.util.zip.Inflater.inflate(Inflater.java:470)
        at io.fusionauth.samlv2.util.SAMLTools.decodeAndInflate(SAMLTools.java:158)
        ... 37 more
      

      Using the Onelogin decoder tool (https://www.samltool.com/decode.php) the request seems valid and is shown below:

      <samlp:AuthnRequest
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="ONELOGIN_5d10bafc7b1602cbb1ac37c509e360e855819860"
          Version="2.0"
          ProviderName="Example"
          IssueInstant="2026-02-19T14:49:55Z"
          Destination="http://localhost:9013/samlv2/login/ee0d98b5-0d7c-11f1-8200-364d3bfc89af"
          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          AssertionConsumerServiceURL="http://localhost/saml/acs">
          <saml:Issuer>http://localhost/saml/login</saml:Issuer>
          <samlp:NameIDPolicy
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
              AllowCreate="true" />
      </samlp:AuthnRequest>
      

      In SuiteCRM I am following the directions in the manual here:
      https://docs.suitecrm.com/8.x/admin/configuration/saml/8.7.0-saml-configuration/

      Does anyone have any ideas what I am doing wrong?

      Thanks.
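
A check for the "Inflating the bytes failed" error in the post above, as an added example that is not part of the original thread or FusionAuth's code. The SAML HTTP-Redirect binding carries `SAMLRequest` as raw DEFLATE, then base64, then URL-encoding; this classifier reports whether a value follows that encoding, is zlib-wrapped, or is base64-only XML. The function name, labels and sample request are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import quote, unquote

# Constructed sample shaped like the AuthnRequest in the post (not the poster's request).
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_constructed" Version="2.0" IssueInstant="2026-01-01T00:00:00Z"/>')


def _raw_deflate(data: bytes) -> bytes:
    comp = zlib.compressobj(wbits=-15)  # negative wbits: raw DEFLATE, no zlib header
    return comp.compress(data) + comp.flush()


def _as_param(data: bytes) -> str:
    # base64, then URL-encode, as the value would travel in a query string
    return quote(base64.b64encode(data).decode("ascii"), safe="")


# The same XML encoded three ways, as it could appear in a SAMLRequest parameter.
SAMPLES = {
    "deflate": _as_param(_raw_deflate(SAMPLE_XML)),  # HTTP-Redirect binding encoding
    "zlib": _as_param(zlib.compress(SAMPLE_XML)),    # zlib wrapper around DEFLATE
    "plain": _as_param(SAMPLE_XML),                  # base64 only (HTTP-POST style)
}


def classify_saml_request(value):
    """Return (encoding, xml); encoding is 'deflate', 'zlib', 'plain' or 'invalid'."""
    try:
        raw = base64.b64decode(unquote(value).strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return "invalid", ""
    # Try raw DEFLATE first (what a Redirect-binding receiver inflates), then zlib.
    for name, wbits in (("deflate", -15), ("zlib", 15)):
        try:
            xml = zlib.decompress(raw, wbits)
        except zlib.error:
            continue
        if b"AuthnRequest" in xml:
            return name, xml.decode("utf-8", "replace")
    # Not compressed at all: the decoded bytes are already the XML document.
    if raw.lstrip().startswith(b"<") and b"AuthnRequest" in raw:
        return "plain", raw.decode("utf-8", "replace")
    return "invalid", ""


if __name__ == "__main__":
    for label, param in SAMPLES.items():
        print(label, "->", classify_saml_request(param)[0])
```

Raw-inflating un-deflated XML that begins `<samlp:A` makes zlib report `invalid code lengths set`, the same message as the `DataFormatException` in the trace above. A result other than `deflate` for a value sent on the Redirect binding means the sender's encoding does not match what the receiver inflates.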

      • mark.robustelli @james.hudson

        @james-hudson You may want to check out this blog post. Hopefully that can help.
