Microsoft ADFS IDP SAML Issue

1
votes

I have a Windows Server 2012 machine, which has Active Directory Federation Services installed to allow it to act as an Identity Provider. I have a Shibboleth Service Provider which is using my IDP to authenticate, however the artifact resolution binding does not appear to be working.

I can confirm that my ADFS configuration database is set up to use SQL server and the artifact resolution endpoint is enabled. I have looked in the artifactstore database and there appears to be a SAML response generated and stored. I have run this through a SAML validator and it is a valid response. The error message that the Shibboleth side returns is:

Identity provider returned a SAML error during artifact resolution.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Requester When I check the ADFS event logs, the error reported is:

The artifact resolution request failed.

Additional Data Exception message: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid.

I have enabled ADFS tracing and this is the only message returned there also. Can anyone help please?

Update - I have run the SAML Tracer while using Firefox and the request sent from the SP to the IDP is as follows (I have removed specifics):

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://xxx.xxx.com/Shibboleth.sso/SAML2/Artifact"
                    Destination="https://ccc.ccc.co.uk/adfs/ls/"
                    ID="_1xxxxxxxxxxxxxxx"
                    IssueInstant="2015-02-19T10:10:53Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx.xxx.com/shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>

There is no response sent via the browser, however ADFS is generating a SAML response and storing it in the adfs artifact database. The response is as follows (specifics removed):

<samlp:Response ID="_1xxxxxxxxxxx" Version="2.0" IssueInstant="2015-02-19T10:11:05.391Z" 
	Destination="https://xxx.xxx.com/Shibboleth.sso/SAML2/Artifact" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
	InResponseTo="_1xxxxxxxxxxxxxxx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ccc.ccc.co.uk/adfs/services/trust</Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
		</samlp:Status>
		<Assertion ID="_dxxxxxxxxxxx" IssueInstant="2015-02-19T10:11:05.282Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
			<Issuer>http://ccc.ccc.co.uk/adfs/services/trust</Issuer>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
					<ds:Reference URI="#_dxxxxxxxxxxx">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
							<ds:DigestValue>xxxxxxxxxx=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>xxxxxxxxxxxxx</ds:SignatureValue>
				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
					<ds:X509Data>
						<ds:X509Certificate>xxxxxxxxxxxxxxxxxx==</ds:X509Certificate>
					</ds:X509Data>
				</KeyInfo>
			</ds:Signature>
			<Subject>
				<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" 
					NameQualifier="http://ccc.ccc.co.uk/adfs/services/trust" 
					SPNameQualifier="http://xxx.xxx.com/shibboleth">
					xxxxxxxxxxxx=
				</NameID>
				<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
					<SubjectConfirmationData InResponseTo="_1xxxxxxxxxxx" NotOnOrAfter="2015-02-19T10:16:05.407Z" 
						Recipient="https://sp.cobweb.secure-dimensions.de/Shibboleth.sso/SAML2/Artifact" />
				</SubjectConfirmation>
			</Subject>
			<Conditions NotBefore="2015-02-19T10:11:05.188Z" NotOnOrAfter="2015-02-19T18:11:05.188Z">
				<AudienceRestriction>
					<Audience>
						https://xxx.xxx.com/shibboleth
					</Audience>
				</AudienceRestriction>
			</Conditions>
			<AuthnStatement AuthnInstant="2015-02-19T10:11:03.766Z" SessionIndex="_dxxxxxxxxxx">
				<AuthnContext>
					<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
				</AuthnContext>
			</AuthnStatement>
		</Assertion>
</samlp:Response>

I have the response as a basic one with just the NameID and no attributes at the moment as I get the same error message regardless of whether they are there or not. Thanks,

Fran

1
saml-2.0adfsshibboleth

1 Answers

-1
votes

Use Firefox and add the "SAML Tracer" add-on.

Then have a look at the SAML messages and see if there is anything obvious.

Or post them here (obfuscate any identifying stuff first).