SAML Response Processing Failure - Error Message in ADFS Event View Log – Wrong Configuration in ADFS


Problem Summary: SAML Response Processing Failure - Error Message in ADFS Event View Log – Wrong Configuration in ADFS

Error Message (ADFS event log):
SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

ids.log

Check the log below for more information:

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] ERROR SAML Response processing failed with exception…

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] DEBUG com.cisco.ccbu.ids IdSStateManager.java:80 - Health event with id SAML_RESPONSE_FLOW_FAILURE has come from com.cisco.ccbu.ids.auth.api. IdSSAMLAsyncServlet that can potentially change the state from STATE_IN_SERVICE
….
2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] changing the state as current state STATE_IN_SERVICE is different from new state PARTIAL_SERVICE as a result of SAML_RESPONSE_FLOW_FAILURE

Possible Cause

ADFS is configured to use SHA-256 as the signature algorithm for the relying party trust.

Recommended Action

1. Update ADFS to use SHA-1 for signing and encryption.

2. Update ADFS to sign both the Assertion and the Message. Verify with the ADFS PowerShell command Get-ADFSRelyingPartyTrust -Name <Relying Party Trust Identifier> that the field SamlResponseSignature is set to MessageAndAssertion. If it is not, the fix is to run the ADFS PowerShell command: Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> -SamlResponseSignature "MessageAndAssertion"

3. Upload the correct federation metadata (idp.xml) again.

4. Enable forms authentication in the ADFS settings. Refer to the articles below:
http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in-adfs-3-0/

5. Under the ADFS claim rules, confirm that the attribute mappings for "user_principal" and "uid" are defined as described in the configuration guide.

After the ADFS configuration changes, run the SSO test from the IdSAdmin UI on both nodes to ensure SSO is working as expected.
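The following PowerShell script is an added example for this article; it is not Cisco's script and does not come from the DocWiki page. It audits a relying party trust against the settings the Recommended Action asks for (SHA-1 signature algorithm, MessageAndAssertion signing, and claim rules that reference user_principal and uid) and can apply the two Set-ADFSRelyingPartyTrust changes. The function names, the sample trust object and its claim rule text are constructed for the demonstration; the cmdlets, property names and algorithm URIs are the standard ADFS ones, and the ADFS PowerShell module is assumed to be present when the script is run against a real trust.

```powershell
# Added example (not Cisco's or the DocWiki page's own code): audit and repair an ADFS
# relying party trust against the settings recommended in this article.

# Values the article expects; the URIs are the ones quoted in the ADFS event message.
$ExpectedSignatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$ExpectedResponseSignature  = 'MessageAndAssertion'
$RequiredClaimNames         = @('user_principal', 'uid')

function Test-IdsRelyingPartyTrust {
    # Accepts the object returned by Get-ADFSRelyingPartyTrust (or any object with the
    # same property names) and returns one string per mismatch; no output means compliant.
    param([Parameter(Mandatory = $true)] $Trust)

    $findings = @()

    # 1. Signature hash algorithm: SHA-256 here is what produces the event in this article.
    if ($Trust.SignatureAlgorithm -ne $ExpectedSignatureAlgorithm) {
        $findings += "SignatureAlgorithm is '$($Trust.SignatureAlgorithm)', expected '$ExpectedSignatureAlgorithm'"
    }

    # 2. Both the SAML message and the assertion must be signed.
    if ($Trust.SamlResponseSignature -ne $ExpectedResponseSignature) {
        $findings += "SamlResponseSignature is '$($Trust.SamlResponseSignature)', expected '$ExpectedResponseSignature'"
    }

    # 3. The issuance transform rules (claim rules) must emit user_principal and uid.
    foreach ($claim in $RequiredClaimNames) {
        if ([string]$Trust.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
            $findings += "No claim rule in IssuanceTransformRules references '$claim'"
        }
    }
    return $findings
}

function Repair-IdsRelyingPartyTrust {
    # Applies the two settings the article fixes with Set-ADFSRelyingPartyTrust.
    # Re-uploading idp.xml and enabling forms authentication remain manual steps.
    param([Parameter(Mandatory = $true)] [string]$TargetName)

    Set-ADFSRelyingPartyTrust -TargetName $TargetName `
        -SignatureAlgorithm $ExpectedSignatureAlgorithm `
        -SamlResponseSignature $ExpectedResponseSignature
}

# Offline demonstration with a constructed trust object that reproduces the
# misconfiguration from this article (SHA-256, assertion-only signing, no uid claim rule).
$sampleTrust = [pscustomobject]@{
    Name                   = 'IdS-Sample-RP'   # constructed name, not a real identifier
    SignatureAlgorithm     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    SamlResponseSignature  = 'AssertionOnly'
    IssuanceTransformRules = '@RuleName = "user_principal" c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "user_principal", Value = c.Value);'
}
Test-IdsRelyingPartyTrust -Trust $sampleTrust | ForEach-Object { Write-Output "FINDING: $_" }

# Live usage on the federation server (use the identifier you gave the IdS trust):
#   Import-Module ADFS
#   $rp = Get-ADFSRelyingPartyTrust -Name '<Relying Party Trust Identifier>'
#   Test-IdsRelyingPartyTrust -Trust $rp
#   Repair-IdsRelyingPartyTrust -TargetName '<Relying Party Trust Identifier>'
```

Against the constructed sample the audit reports three findings (wrong signature algorithm, AssertionOnly signing, and no rule referencing uid). Run Test-IdsRelyingPartyTrust on both ADFS-facing checks before and after Repair-IdsRelyingPartyTrust, then run the SSO test from the IdSAdmin UI on each node as the article directs; the claim-rule check is a text match on the rule set and confirms the attribute names are present, not that the rules map the right source attributes.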

Release: 11.5(1)
Associated CDETS #: None

