Redirect in metadata
Just realized that NAM tries to post into the redirect endpoint if the metadata contains different endpoints for POST/Redirect, e.g.:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xx/idp/profile/SAML2/Redirect/SSO" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xx/idp/profile/SAML2/POST/SSO" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"/>
Having different endpoints for POST/Redirect is a pretty common scenario when working with Shibboleth.
Removing the HTTP-Redirect element from metadata makes it work, but it is a lot of work when using a metadata feed.
Re: Redirect in metadata
NAM is the SP in this case. I'm sorry for not providing a trace, but the problem is submitted as bug:1139552.
It can be reproduced by importing a metadata feed from e.g. http://eid.svelegtest.se/metadata/mdx/role/idp.xml and using one of the IdPs that has two SingleSignOnService elements and where the redirect binding element is before the POST element in the metadata.
NAM is then trying to post into the redirect endpoint, which returns an HTTP 400 error (redirect should be HTTP GET). When removing the redirect element from the metadata or placing the POST before the redirect, it works as expected.
best regards Magnus
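An added example, not part of the posts above and not NAM's code: a Python check that lists the IdPs in a metadata feed that match the condition described in the thread (HTTP-Redirect listed before HTTP-POST, at a different Location), plus an endpoint lookup keyed on the Binding value instead of element order. The feed, entity IDs and hosts are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def _sso(binding, url):
    return f'<md:SingleSignOnService Binding="{binding}" Location="{url}"/>'

def _entity(entity_id, *endpoints):
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(endpoints) + "</md:IDPSSODescriptor></md:EntityDescriptor>")

# Constructed sample feed: idp-a lists Redirect first, idp-b lists POST first,
# idp-c offers Redirect only. All hosts are placeholders.
SAMPLE_FEED = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}">'
    + _entity("https://idp-a.example/idp",
              _sso(REDIRECT, "https://idp-a.example/idp/profile/SAML2/Redirect/SSO"),
              _sso(POST, "https://idp-a.example/idp/profile/SAML2/POST/SSO"))
    + _entity("https://idp-b.example/idp",
              _sso(POST, "https://idp-b.example/idp/profile/SAML2/POST/SSO"),
              _sso(REDIRECT, "https://idp-b.example/idp/profile/SAML2/Redirect/SSO"))
    + _entity("https://idp-c.example/idp",
              _sso(REDIRECT, "https://idp-c.example/idp/profile/SAML2/Redirect/SSO"))
    + "</md:EntitiesDescriptor>")

def sso_endpoints(idp):
    """Return [(binding, location)] in document order for one IDPSSODescriptor."""
    return [(e.get("Binding"), e.get("Location"))
            for e in idp.findall(f"{{{MD}}}SingleSignOnService")]

def endpoint_for(idp, binding):
    """Pick the SSO location by its Binding value, never by position."""
    return next((loc for b, loc in sso_endpoints(idp) if b == binding), None)

def redirect_first_idps(feed_xml):
    """Entity IDs where Redirect precedes POST and the two Locations differ."""
    hits = []
    for ent in ET.fromstring(feed_xml).iter(f"{{{MD}}}EntityDescriptor"):
        for idp in ent.findall(f"{{{MD}}}IDPSSODescriptor"):
            bindings = [b for b, _ in sso_endpoints(idp)]
            if (REDIRECT in bindings and POST in bindings
                    and bindings.index(REDIRECT) < bindings.index(POST)
                    and endpoint_for(idp, REDIRECT) != endpoint_for(idp, POST)):
                hits.append(ent.get("entityID"))
    return hits
```

For a live feed, verify the feed's signature and parse it with a hardened XML parser before running a check like this.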