ComponentSpace

Forums



SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations


SAML authentication request for the WebSSO profile must not specify...

Author
Message
LacLacey
LacLacey
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 5, Visits: 48
I'm developing ADFS related project with SAML 2.0 protocol. My application is acting as ServiceProvider. When I typed my credentials and clicked on sign in button, an error occurred. The error statement is An error occurred. Contact your administrator for more information. When I checked the Event Viewer of my windows Server 2012 at which ADFS is installed, it displays the below error detail



Data Saml

Data http://DomainName/adfs/services/trust

Data Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)



ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Please ensure that the SAML authn request sent to ADFS is signed.

To do so, in your saml.config set SignAuthnRequest="true" for the <PartnerIdentityProvider>.

The local certificate/private key configured under the <ServiceProvider> is used to sign the authn request.

Please ensure that the certificate configured in ADFS under the relying party's properties Signature tab corresponds to the private key used for signing. 

Regards
ComponentSpace Development
LacLacey
LacLacey
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 5, Visits: 48
ComponentSpace - 6/30/2020
Please ensure that the SAML authn request sent to ADFS is signed.

To do so, in your saml.config set SignAuthnRequest="true" for the <PartnerIdentityProvider>.

The local certificate/private key configured under the <ServiceProvider> is used to sign the authn request.

Please ensure that the certificate configured in ADFS under the relying party's properties Signature tab corresponds to the private key used for signing. 

below image is Signature Tab under the Relying Party Trust


below image is Certificate which is using into my application(Service Provider) SAML.Config file under <PartnerIdentityProvider> tag. Relying Party Trust Signature and Certificate which is using into my application(Service Provider) SAML.Config file under <PartnerIdentityProvider> tag, both have same Thumbprint.
https://www.componentspace.com/Forums/Uploads/Images/a75c6be7-eec5-4f94-a6fd-1ba0.png

below image is SAML.Config file of application(Service Provider)


which certificate needs to be exported as .pfx extention under <Service Provider> tag ????

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The ADFS signing certificate should be configured as the partner certificate in your saml.config. ADFS will sign SAML messages with its private key and the corresponding partner certificate under the <PartnerIdentityProvider> section of saml.config is used to verify these signatures.

Similarly, your service provider will sign SAML messages with the local certificate private key under the <ServiceProvider> section of saml.config. ADFS will use the corresponding certificate configured under the Signature tab of the properties for your relying party.

Therefore, in your example sp.pfx is used to signed messages sent to ADFS. The corresponding sp.cer should be configured under the Signature tab of the relying party.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search