Q: Touchstone - Error decoding Shibboleth SSO request

I got the following Touchstone error, what does it mean?

MIT Touchstone Identity Provider Error

The Touchstone Identity Provider encountered the following error while processing your request:

Error decoding Shibboleth SSO request

One cause of this error is an attempt to access the Touchstone Identity Provider login page directly; such direct access is not supported. Please ensure that you do not visit this page directly, including via a bookmark, or by using the back button, or by selecting it from your browser history. To log in to a particular web server, please visit that server first.

Answer

Unfortunately this is normal and expected behavior due to the way Touchstone and the underlying SAML protocols work. When using the back button, you may get this error if you navigate directly back to a Touchstone service page. Another thing that can cause this is bookmarking a URL from the middle of the Touchstone login flow.

Solution: don't bookmark URLs from the middle of the Touchstone login flow or use breadcrumbs to navigate backward on pages using Touchstone for authentication.

Bookmark the URL from just before Touchstone login, or ask for help to learn what URL is safe to bookmark. The safe URL can vary, depending on what website you are trying to reach.

Example of a bad bookmark https://idp.mit.edu:446/idp/profile/Shibboleth/SSO