
SAML2 - Bug 33852475 Filed for APEX 21.2

Joseph UpshawMar 8 2022

This post is just a community service so that everyone is aware of an issue with the way that APEX constructs its metadata.xml which can prevent successful "handshaking" with various iDP providers.
The Service Provider (application) and the Identity provider (iDP) have exchanged SAML metadata and then configured it in their respective systems. However, the iDP is returning an error:

ERROR: authn request destination verification failed for IdpEntity: cac-idp

It appears that the underlying cause of this error is that Oracle Apex is missing the Destination attribute in the SAML request. Per the spec, this is a required attribute when the requests are signed, i.e. AuthnRequestsSigned="true".
We engaged the Oracle support team to participate in a working session with us and we verified all of the configuration settings. They then captured all the information needed and agreed that this is a bug (Bug 33852475).
They are currently working on a solution, under this bug reference, to add the attribute “Destination” in the XML SAML metadata generated by Oracle Apex. The bug is now at status 80, i.e. coding is complete and the fix has been sent to QA.
I'm not sure who else might be affected by this but, thought it might be worthwhile to pass it along. Our iDP is hosted internally and is running on ForgeRock's OpenAM. However, we suspect this is probably affecting other providers as well.
-Joe
@darren-j, @sbrennan, FYI
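The check behind the IdP error quoted in the post, as an added example that is not part of the original post and not Oracle APEX or ForgeRock code: it parses a decoded SAML 2.0 AuthnRequest and applies the rule the IdP enforces, namely that a signed request must carry a Destination attribute and that its value must equal the IdP's single sign-on endpoint. The sample requests, the `IDP_SSO_URL` endpoint and the placeholder signature element are constructed for the example; no signature validation is performed.

```python
# Added example (not from the forum post or Oracle APEX): checks a SAML 2.0
# AuthnRequest the way an IdP does when it reports
# "authn request destination verification failed".
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed IdP single sign-on endpoint (placeholder, not a real URL).
IDP_SSO_URL = "https://idp.example.com/sso"


def check_authn_request_destination(xml_text: str, idp_sso_url: str) -> List[str]:
    """Return findings for one decoded AuthnRequest; an empty list means it passes.

    Rule from the SAML 2.0 bindings: when the protocol message is signed, its
    root element must carry a Destination attribute equal to the URL at which
    the recipient received it. Unsigned requests may omit Destination.
    Checking the signature itself is out of scope here.
    """
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest: %s" % root.tag]

    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")

    if destination is None:
        if signed:
            findings.append("signed AuthnRequest has no Destination attribute")
        return findings  # unsigned and absent: permitted by the spec

    if destination != idp_sso_url:
        findings.append(
            "Destination %r does not match the IdP SSO endpoint %r"
            % (destination, idp_sso_url)
        )
    return findings


def build_request(signed: bool, destination: Optional[str] = None) -> str:
    """Build a constructed sample AuthnRequest (fake ID, placeholder signature)."""
    dest_attr = ' Destination="%s"' % destination if destination else ""
    sig = (
        '<ds:Signature xmlns:ds="%s"><ds:SignatureValue>placeholder'
        "</ds:SignatureValue></ds:Signature>" % NS["ds"]
    ) if signed else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-1" Version="2.0" IssueInstant="2022-03-08T00:00:00Z"%s>'
        "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>%s"
        "</samlp:AuthnRequest>"
    ) % (NS["samlp"], dest_attr, sig)


# Constructed inputs: the first mirrors the condition the post describes
# (signed request, no Destination), the second the expected corrected form.
BROKEN_REQUEST = build_request(signed=True)
FIXED_REQUEST = build_request(signed=True, destination=IDP_SSO_URL)
UNSIGNED_REQUEST = build_request(signed=False)

if __name__ == "__main__":
    for name, doc in [("broken", BROKEN_REQUEST), ("fixed", FIXED_REQUEST),
                      ("unsigned", UNSIGNED_REQUEST)]:
        print(name, check_authn_request_destination(doc, IDP_SSO_URL) or ["ok"])
```

To run this against a real request captured from the browser, decode it first: an HTTP-Redirect binding carries the request as a base64-encoded, DEFLATE-compressed `SAMLRequest` query parameter, an HTTP-POST binding as a base64-encoded form field. Pass the resulting XML and the IdP's SSO URL from its metadata to `check_authn_request_destination`; an empty result for a signed request means the Destination condition the IdP checks is satisfied.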

Added on Mar 8 2022