I have a Windows Server 2012 machine, which has Active Directory Federation Services installed to allow it to act as an Identity Provider. I have a Shibboleth Service Provider which is using my IDP to authenticate, however the artifact resolution binding does not appear to be working.
I can confirm that my ADFS configuration database is set up to use SQL server and the artifact resolution endpoint is enabled. I have looked in the artifactstore database and there appears to be a SAML response generated and stored. I have run this through a SAML validator and it is a valid response. The error message that the Shibboleth side returns is:
Identity provider returned a SAML error during artifact resolution.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester When I check the ADFS event logs, the error reported is:
The artifact resolution request failed.
Additional Data Exception message: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid.
I have enabled ADFS tracing and this is the only message returned there also. Can anyone help please?
Update - I have run the SAML Tracer while using Firefox and the request sent from the SP to the IDP is as follows (I have removed specifics):
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://xxx.xxx.com/Shibboleth.sso/SAML2/Artifact"
Destination="https://ccc.ccc.co.uk/adfs/ls/"
ID="_1xxxxxxxxxxxxxxx"
IssueInstant="2015-02-19T10:10:53Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx.xxx.com/shibboleth</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>
There is no response sent via the browser, however ADFS is generating a SAML response and storing it in the adfs artifact database. The response is as follows (specifics removed):
<samlp:Response ID="_1xxxxxxxxxxx" Version="2.0" IssueInstant="2015-02-19T10:11:05.391Z"
Destination="https://xxx.xxx.com/Shibboleth.sso/SAML2/Artifact" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_1xxxxxxxxxxxxxxx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ccc.ccc.co.uk/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_dxxxxxxxxxxx" IssueInstant="2015-02-19T10:11:05.282Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://ccc.ccc.co.uk/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_dxxxxxxxxxxx">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>xxxxxxxxxx=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxx</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxxxxx==</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="http://ccc.ccc.co.uk/adfs/services/trust"
SPNameQualifier="http://xxx.xxx.com/shibboleth">
xxxxxxxxxxxx=
</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_1xxxxxxxxxxx" NotOnOrAfter="2015-02-19T10:16:05.407Z"
Recipient="https://sp.cobweb.secure-dimensions.de/Shibboleth.sso/SAML2/Artifact" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-02-19T10:11:05.188Z" NotOnOrAfter="2015-02-19T18:11:05.188Z">
<AudienceRestriction>
<Audience>
https://xxx.xxx.com/shibboleth
</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2015-02-19T10:11:03.766Z" SessionIndex="_dxxxxxxxxxx">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
I have the response as a basic one with just the NameID and no attributes at the moment as I get the same error message regardless of whether they are there or not. Thanks,
Fran