SAML Response Processing Failure - ADFS not Configured with the Appropriate Claim Rules

From DocWiki

Problem Summary: SAML Response Processing Failure - ADFS not Configured with the Appropriate Claim Rules
Error Message

java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)


Check the logs below for more information.

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] ERROR SAML Response processing failed with exception…

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] DEBUG com.cisco.ccbu.ids IdSStateManager.java:80 - Health event with id SAML_RESPONSE_FLOW_FAILURE has come from com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet that can potentially change the state from STATE_IN_SERVICE
….
2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] changing the state as current state STATE_IN_SERVICE is different from new state PARTIAL_SERVICE as a result of SAML_RESPONSE_FLOW_FAILURE

Possible Cause

Mandatory attribute mappings are missing. The mandatory attributes are "user_principal" and "uid".

Recommended Action
Update ADFS to use SHA-1 for signing and encryption.

Update ADFS to sign both the Assertion and the Message.
(Use the ADFS PowerShell command Get-ADFSRelyingPartyTrust -Name <Relying Party Trust Identifier> to verify that the field SamlResponseSignature is set to MessageAndAssertion.
The fix is to run the ADFS PowerShell command Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> -SamlResponseSignature "MessageAndAssertion".)

Upload the correct federation metadata (idp.xml) again.

Enable forms authentication in the ADFS settings.
(Refer to the following articles:
http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in-adfs-3-0/)

Under the ADFS claim rules, verify that the attribute mappings for "user_principal" and "uid" are defined as described in the configuration guide.

After the ADFS configuration changes, run the SSO test from the IdSAdmin UI from both nodes to ensure SSO is working as expected.
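
A read-only way to check a relying party trust against the settings listed above, as an added example that is not part of the original article or of Cisco's or Microsoft's tooling. Test-IdsTrust is a hypothetical helper name and the sample object is constructed; the property names are those returned by Get-AdfsRelyingPartyTrust, and matching the attribute names as quoted strings in the claim rule text is a heuristic.

```powershell
# Added example: read-only check of the relying party trust settings on this page.
# Test-IdsTrust is a hypothetical helper, not an AD FS or Cisco cmdlet.
function Test-IdsTrust {
    param([Parameter(Mandatory)] $Trust)

    $rules = [string]$Trust.IssuanceTransformRules

    # Both the SAML message and the assertion must be signed.
    $sigScopeOk = "$($Trust.SamlResponseSignature)" -eq 'MessageAndAssertion'
    # The page asks for SHA-1; AD FS reports the algorithm as a URI ending in rsa-sha1.
    $sigAlgOk = "$($Trust.SignatureAlgorithm)" -match 'sha1$'
    # Heuristic: outgoing claim types appear as quoted strings in the rule text.
    $upnOk = $rules -match '"user_principal"'
    $uidOk = $rules -match '"uid"'

    [pscustomobject]@{ Check = 'SamlResponseSignature is MessageAndAssertion'; Passed = $sigScopeOk }
    [pscustomobject]@{ Check = 'SignatureAlgorithm is SHA-1';                  Passed = $sigAlgOk }
    [pscustomobject]@{ Check = 'Claim rules issue user_principal';             Passed = $upnOk }
    [pscustomobject]@{ Check = 'Claim rules issue uid';                        Passed = $uidOk }
}

# Constructed sample standing in for Get-AdfsRelyingPartyTrust output, so the
# function can be exercised without an AD FS server. It signs the assertion
# only, uses SHA-256, and its claim rule does not issue "uid".
$sample = [pscustomobject]@{
    SamlResponseSignature  = 'AssertionOnly'
    SignatureAlgorithm     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    IssuanceTransformRules = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("user_principal"), query = ";userPrincipalName;{0}", param = c.Value);'
}
Test-IdsTrust -Trust $sample | Format-Table -AutoSize

# On the AD FS server, feed the real trust object instead of the sample:
# Get-AdfsRelyingPartyTrust -Name '<Relying Party Trust Identifier>' |
#     ForEach-Object { Test-IdsTrust -Trust $_ }
```

Any row with Passed set to False points at the corresponding step above; the forms authentication setting and the uploaded idp.xml are not covered by this check.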

Release: Release 11.5(1)
Associated CDETS #: None

