SAML authentication request processing error: "Unable to complete request at this time. (Destination url validation failed-)"

  • 7008669
  • 31-May-2011
  • 26-Apr-2012


Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server


Access Manager acting as a SAML2 Identity (IDP) server. A 3rd party Service provider (SP) is setup to authenticate against the Novell IDP server. After exchanging metadata and defining the appropriate configuration settings, users try and access the SP application using their browsers. The SP generates the Authentication Request (AuthnRequest) to the IDP server and instead of getting the IDP login page, the following error is displayed on the browser:

Error:Unable to complete request at this time. (Destination url validation failed-E1E240D48F834C12)

where E1E240D48F834C12 corresponds to the device ID of the IDP server and will be different for all Access Manager setups.


Modified the SP configuration so that the IDP referenced URLs match that of the IDP server.

In our specific example, the incoming Authentication Request had a Destination header of


The IDP servers local metadata URLs were the same as the above URL, but the case sensitivity was different. The IDP advertised it's baseURL as where the idp was all lower case. The resulting check for the Destination URL validity failed and caused the above error to be reported.


Additional Information

Incoming AUthnRequest looked like:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_fa30136e4799de1d52672217b4b9dd6b156860ed7c" Version="2.0" IssueInstant="2011-05-31T08:00:12Z" Destination="" AssertionConsumerServiceURL=""
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer></saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/><samlp:RequestedAuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2

Since the Destination URL did not match what was setup on the IDP server itself (SingleSignOn service is, the following error would get reported in the catalina.out file (assuming that component level logging was set to DEBUG for SAML2)

Warning: Invalid resource key: Destination url validation failed. No prefix!
Warning: Invalid resource key: Destination url validation failed. No prefix!
<amLogEntry> 2011-05-31T08:00:13Z INFO NIDS Application: AM#500105039: AMDEVICEID#E1E240D48F834C12: AMAUTHID#BD61A225B8F05EFD73D04D698C0EB50C:  Error on session id BD61A225B8F05EFD73D04D698C0EB50C, error Destination url validation failed-E1E240D48F834C12, Unable to complete request at this time.  Destination url validation failed </amLogEntry>

This string came from the IDP metadata URLs defined on the SAML2 SP, and specifically the SingleSIgnOnService URL.

 'SingleSignOnService' => '',

Changing this to be  'SingleSignOnService' => '' fixed the issue.