Error Setting up OpenID to connect to SAML Identity Provider

I am trying to setup a openID client with a SAML identity provider on a Shibboleth server. When I click on the link to use this SSO it forwards me to the server and gives me the error: “The login service was unable to identify a compatible way to respond to the requested application…”

On the Shibboleth server the log says:

2021-04-05 11:09:11,781 - - WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party '[':]( EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, Location=, trusted=false]
2021-04-05 11:09:11,789 - - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed

It indicates to me that I have it misconfigured on the server, but where the change needs to be made is unclear.


I had a similar issue when using Shibboleth as an upstream IdP. Solution was to set “HTTP-POST Binding Response” to “ON” in the Keycloak Identity Provider SAML configuration section. The SAML assertions cannot be send via HTTP-redirect from Shibboleth to Keycloak, it’s too much data.

Regards, Matthias