
In our SSO scenario, we are using ADFS 2.0 as IdP and Shibboleth as SP. It is an SP-initiated sign-on. After configuring, when I try to establish communication between Shibboleth and ADFS 2.0 (through a browser redirect), ADFS 2.0 is throwing the below error.

The verification of the SAML message signature failed. Message issuer: http://sampleserver/adfs/services/trust Exception details: MSIS1015: Server required signed SAML AuthenticationRequest but no signature present.

Event id - 320 Related Event id - 364

> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolSignatureVerificationException:
> MSIS1015: Server required signed SAML AuthenticationRequest but no
> signature present.    at
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ValidateSignatureRequirements(SamlMessage
> samlMessage)    at
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest
> issueRequest)    at
> Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message
> requestMessage)

We haven't used any signature yet. I have also set SignedSamlRequest to false in the ADFS properties. Signing of SAML at Shibboleth was also disabled.

I could not find any information on the Microsoft site, apart from a generic guide for this sort of error.

Please advise on this error.


1 Answer


I was able to find the solution after a lot of analysis. This is a Shibboleth configuration issue. In the ApplicationDefaults section, the entity ID should be unique to the application.

```xml
<ApplicationDefaults signing="false"
                     entityID="http://URL of the protected Application"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <!-- child elements (Sessions, Errors, MetadataProvider, ...) unchanged -->
</ApplicationDefaults>
```

Another variation of this error happens when signing is set to true. It will result in a signature mismatch error in ADFS.
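The two failure modes in this thread (a request the IdP rejects because it expects a signature, and an issuer that ADFS cannot match to a relying party) can be checked on the SP side before involving the IdP at all, by decoding the SAMLRequest parameter of the redirect that Shibboleth sends. The following is an added diagnostic script, not code from the thread or from the Shibboleth or ADFS projects. It implements the SAML 2.0 HTTP-Redirect encoding (raw DEFLATE, then base64) and reports the Issuer, Destination and whether any signature is present, either embedded as a ds:Signature element or carried in the SigAlg/Signature query parameters. The entityID, ADFS URL and AuthnRequest in the block are constructed sample values, not taken from the question.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def encode_redirect_request(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_request(saml_request_param: str) -> bytes:
    """Reverse of encode_redirect_request: base64, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15)


def inspect_authn_request(redirect_url: str) -> dict:
    """Extract the fields an IdP checks (Issuer, Destination, signature) from an SP redirect URL."""
    query = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    # Redirect binding carries the signature in the query string (SigAlg + Signature);
    # POST binding embeds a ds:Signature element inside the request itself.
    embedded = root.find(f"{{{DSIG_NS}}}Signature") is not None
    detached = "SigAlg" in query and "Signature" in query
    return {
        "issuer": issuer,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "signed": embedded or detached,
        "signature_location": "embedded" if embedded else ("query" if detached else None),
    }


def diagnose(info: dict, expected_issuer: str, idp_requires_signed_request: bool) -> list:
    """Map the inspected fields onto the failure modes discussed in the thread."""
    findings = []
    if not info["issuer"]:
        findings.append("AuthnRequest has no Issuer; the IdP cannot match it to a relying party")
    elif info["issuer"] != expected_issuer:
        findings.append(f"Issuer {info['issuer']!r} does not match the relying party identifier "
                        f"{expected_issuer!r}; check entityID in ApplicationDefaults")
    if idp_requires_signed_request and not info["signed"]:
        findings.append("IdP requires a signed AuthnRequest but none is present (compare ADFS MSIS1015)")
    return findings


# Constructed sample: an unsigned AuthnRequest as an SP with signing="false" would send it.
SAMPLE_ENTITY_ID = "https://sp.example.test/shibboleth"   # placeholder entityID, not from the thread
SAMPLE_IDP_SSO_URL = "https://adfs.example.test/adfs/ls/"  # placeholder ADFS endpoint
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{SAMPLE_IDP_SSO_URL}"
    AssertionConsumerServiceURL="https://sp.example.test/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>{SAMPLE_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>""".encode()

SAMPLE_REDIRECT_URL = SAMPLE_IDP_SSO_URL + "?" + urlencode(
    {"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST), "RelayState": "constructed"})

if __name__ == "__main__":
    info = inspect_authn_request(SAMPLE_REDIRECT_URL)
    print(info)
    # With the IdP configured to require signed requests, this reproduces the thread's first error.
    print(diagnose(info, SAMPLE_ENTITY_ID, idp_requires_signed_request=True))
```

To use it against a real deployment, paste the Location header of the redirect Shibboleth issues to the ADFS /adfs/ls/ endpoint into inspect_authn_request, and pass the relying party identifier configured in ADFS as expected_issuer. An empty findings list means the request carries the issuer ADFS expects and the signing expectation on both sides agrees, which is the state the accepted answer arrives at.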