General

This error means that the SP requested that the SAML response be sent to it at an AssertionConsumerService location that is not authorized for use by that SP according to the MetaData available to the IdP. This check is performed to ensure that user information is only supplied to locations known to be part of a given service. You can think of it as an approach to mitigate phishing attacks.

It truncates the request at the IdP and there are never any log messages related to it on the SP side because nothing ever gets sent to it.

To correct the problem, the SP deployer must determine if the value it is sending in the shire parameter to the IdP is correct/intended. If it is, then the MetaData for that SP needs to be corrected at the IdP (or perhaps by a federation that is supplying that MetaData). You may need to follow a defined process to register new or changed locations with the IdP.

If it is not correct, then the SP is misconfigured. Refer to the topic on RedirectGeneration for some possible advice on the subject.

TestShib related

If you encounter this error trying out services provided by: https://www.testshib.org/, the error is probably in the shibboleth.xml file. Even though the file provided by testshib.org should work by default, it doesn't if you fail to enter your hostname before pressing the generate-button. It's logically grouped with the windows checkbox, so errors can happen Make sure that the following setting are correct:

 <Applications id="default" providerId="https://yourdomain/shibboleth/testshib/sp"
                homeURL="https://yourdomain/index.html"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">