1
votes

I am trying to implement SSO for a service and using ADFS and PingFederate as IDP.

SSO works when I avoid signing the AuthRequest (both with ADFS and PingFederate), but fails with the following error "SAML Message has wrong signature. Issuer: 'My SP entityID'" when the AuthRequest is signed.

I had updated the corresponding Relying trust part with the certificate of my SP. I think I am doing something wrong in the IDP configuration. Any help is appreciated.

I had tried this answer without any luck: MSIS0038: SAML Message has wrong signature - ADFS error

1
What SigAlg are you using in ADFS? It's been a while but I thought ADFS uses SHA256, which PF will support but you'll need to install the Unlimited Strength Java JCE Policy files. – Ian

On ADFS I had configured it to be SHA1. (I am referring to Certificates under ADFS -> Service -> Certificates -> Token-decrypt | Token-Signing). – user2586432

1 Answer

3
votes

This error on ADFS is received when the AuthnRequest is signed but the SP's certificate configured is incorrect. Make sure that you have provided the correct certificate, go to Relying Party Properties > Signature tab. You should see the certificate provided by you. Verify the thumbprint to be sure.

Also, if you are sending the SAMLRequest as a query parameter (HTTP-Redirect binding), make sure you are using the SHA1 certificate for signing the AuthnRequest. Signing using the SHA256 certificate is not supported in HTTP-Redirect binding by ADFS.
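The two checks the answer describes (does the certificate on the relying party trust match the one the SP signs with, and does the trust's hash algorithm match the request signature) can be scripted on the ADFS server. The following is an added example, not code from the answer or from Microsoft; it assumes the relying party trust is named "My SP" and that a copy of the SP's signing certificate has been exported to C:\temp\sp-signing.cer (both are placeholders).

```powershell
# Added example (not from the original answer): compare the SP signing
# certificate configured on the ADFS relying party trust with the certificate
# the SP actually signs AuthnRequests with, then align the hash algorithm.
# Assumptions: trust name "My SP"; SP certificate exported (DER or Base64 .cer)
# to C:\temp\sp-signing.cer. Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$rpName   = "My SP"                  # placeholder: your relying party trust name
$certPath = "C:\temp\sp-signing.cer" # placeholder: exported SP signing certificate

# Certificate the SP uses to sign its AuthnRequests
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Certificate(s) ADFS currently accepts for request signatures on this trust
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

$trustedThumbprints = @($rp.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })
Write-Host "SP certificate thumbprint  : $($spCert.Thumbprint)"
Write-Host "Trusted on RP trust        : $($trustedThumbprints -join ', ')"
Write-Host "Hash algorithm on RP trust : $($rp.SignatureAlgorithm)"

if ($trustedThumbprints -notcontains $spCert.Thumbprint) {
    # This mismatch is the condition the answer describes: a signed request
    # verified against a certificate other than the one the SP signs with.
    Write-Warning "Thumbprint mismatch: ADFS will reject the signed AuthnRequest."
    Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $spCert
}

# The answer recommends a SHA-1 signature for the HTTP-Redirect binding; keep the
# trust's secure hash algorithm (Advanced tab) consistent with what the SP uses.
$sha1Alg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
if ($rp.SignatureAlgorithm -ne $sha1Alg) {
    Write-Host "Switching trust hash algorithm to rsa-sha1 to match the SP"
    Set-AdfsRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm $sha1Alg
}
```

The thumbprint comparison is the scripted form of "verify the thumbprint" on the Signature tab; re-running the script after the SP rotates its certificate shows immediately whether the trust still holds the current one.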