SAML Response Processing Failure - Too Many Requests to ADFS from the Same Browser Session


Problem Summary: SAML Response Processing Failure - Too Many Requests to ADFS from the Same Browser Session

Error Message:

Too many requests to ADFS from the same browser session
2016-04-15 16:19:01.220 EDT(-0400) default ERROR [IdSEndPoints-1] com.cisco.ccbu.ids IdSEndPoint.java:102 - Exception processing request com.sun.identity.saml2.common.SAML2Exception: Invalid Status code in Response.
    at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:425)
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1050)
    at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(SPACSUtils.java:2038)
    at com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet.getAttributesMapFromSAMLResponse(IdSSAMLAsyncServlet.java:451)
    at com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet.processSamlPostResponse(IdSSAMLAsyncServlet.java:216)
    at com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet.processIdSEndPointRequest(IdSSAMLAsyncServlet.java:155)
    at com.cisco.ccbu.ids.auth.api.IdSEndPoint$1.run(IdSEndPoint.java:178)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)


Check the logs below for more information.

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] ERROR SAML Response processing failed with exception…

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] DEBUG com.cisco.ccbu.ids IdSStateManager.java:80 - Health event with id SAML_RESPONSE_FLOW_FAILURE has come from com.cisco.ccbu.ids.auth.api. IdSSAMLAsyncServlet that can potentially change the state from STATE_IN_SERVICE
….
2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] changing the state as current state STATE_IN_SERVICE is different from new state PARTIAL_SERVICE as a result of SAML_RESPONSE_FLOW_FAILURE

Possible Cause

Too many requests to ADFS from the same browser session

Recommended Action
Update ADFS to use SHA-1 for signing and encryption

Update ADFS to sign both the Assertion and the Message.
(
Use the ADFS PowerShell command Get-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> to verify that the field SamlResponseSignature is set to MessageAndAssertion.

If it is not, the fix is to run the ADFS PowerShell command: Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> -SamlResponseSignature "MessageAndAssertion"
)

Upload the correct federation metadata (idp.xml) again.
Enable forms-based authentication in the ADFS settings.
(
Refer to the articles below:
http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx

https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in-adfs-3-0/
)

Under the ADFS claim rules, verify that the attribute mappings for "user_principal" and "uid" are defined as described in the configuration guide.

After the ADFS configuration changes, run the SSO test from the IdSAdmin UI on both nodes to ensure SSO is working as expected.
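The checks above can be run together from the ADFS server before and after the change. The following audit function is an added example, not part of this DocWiki page or of the Cisco IdS product; it assumes the AD FS PowerShell module is loaded, that Get-AdfsGlobalAuthenticationPolicy is available (AD FS 3.0 or later; on AD FS 2.0 forms authentication is set in web.config instead), and that the relying party trust identifier is passed in by the caller. Only the SamlResponseSignature setting is corrected with -Fix, using the exact command the article gives; everything else is reported for the administrator to act on.

```powershell
# Added example: audit the relying party trust settings this article asks you to verify.
# Assumes the AD FS module is loaded and the script runs on an AD FS server (assumption).
function Test-IdsRelyingPartyTrust {
    param(
        [Parameter(Mandatory)] [string] $TargetName,   # Relying Party Trust identifier
        [switch] $Fix                                   # apply the SamlResponseSignature fix
    )
    $rpt = Get-ADFSRelyingPartyTrust -TargetName $TargetName
    if (-not $rpt) { throw "Relying party trust '$TargetName' not found" }

    $findings = @()

    # 1. Both the SAML Message and the Assertion must be signed.
    if ($rpt.SamlResponseSignature -ne 'MessageAndAssertion') {
        $findings += "SamlResponseSignature is '$($rpt.SamlResponseSignature)', expected 'MessageAndAssertion'"
        if ($Fix) {
            Set-ADFSRelyingPartyTrust -TargetName $TargetName -SamlResponseSignature 'MessageAndAssertion'
        }
    }

    # 2. Report the signature algorithm so it can be compared with what the article requires
    #    (the xmldsig URI for RSA with SHA-1 is 'http://www.w3.org/2000/09/xmldsig#rsa-sha1').
    $sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
    if ($rpt.SignatureAlgorithm -ne $sha1) {
        $findings += "SignatureAlgorithm is '$($rpt.SignatureAlgorithm)', article expects '$sha1'"
    }

    # 3. The issuance transform rules must emit the claims the configuration guide maps.
    foreach ($claim in 'user_principal', 'uid') {
        if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
            $findings += "No issuance transform rule references '$claim'"
        }
    }

    # 4. Forms-based authentication must be enabled for the intranet primary provider.
    $policy = Get-AdfsGlobalAuthenticationPolicy
    if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'FormsAuthentication') {
        $providers = $policy.PrimaryIntranetAuthenticationProvider -join ','
        $findings += "PrimaryIntranetAuthenticationProvider is '$providers'; FormsAuthentication is not enabled"
    }

    if ($findings.Count -eq 0) { Write-Output "OK: '$TargetName' matches the expected configuration" }
    else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
    return $findings
}

# Usage (identifier is a placeholder): Test-IdsRelyingPartyTrust -TargetName '<Relying Party Trust Identifier>'
```

Run it once without -Fix to see the findings, then rerun with -Fix only after the relying party trust identifier has been confirmed.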

Release: Release 11.5(1)
Associated CDETS #: None
