0
votes

I am trying to use the onelogin php toolkit for SAML to access an ADFS IdP on a different domain. ADFS just displays a screen with the following:

Error details
Activity ID: 00000000-0000-0000-f980-0080000400cd
Error time: Thu, 24 Aug 2017 13:48:15 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063

I believe this to be an access control problem as when I compare what gets sent to the onelogin demo and ADFS the only difference is that the Cookie information is not sent. Is this access control and what is the fix?

2
Get the ADFS event log entry from this time. Else you are just guessing. - maweeras

2 Answers

0
votes

You will need to ask the ADFS admin about the error related to that trace ID.

At php-saml, try not setting any RequestAuthnContext value, and verify that the NameIdFormat that you are using is supported by ADFS.

It is a configuration issue; ADFS and php-saml settings need to be aligned.

If you install Firefox's SAMLTracer extension, you will be able to record the AuthNRequest that you are sending.

0
votes

The issue was a misconfiguration: the saml:Issuer defined in the SAML request was not exactly matched in ADFS (there was one uppercase letter in the request but it was a lowercase letter on the ADFS Identifiers tab).
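The root cause above (ADFS compares the relying party identifier as an exact, case-sensitive string) can be checked offline before involving the ADFS admin. The following is an added diagnostic example, not code from php-saml or from the original answers; the AuthnRequest XML and the ADFS identifier list are constructed samples, and the function names are hypothetical. It pulls the `saml:Issuer` out of a decoded AuthnRequest (as captured with SAMLTracer) and distinguishes an exact match from the case-only mismatch described in the answer.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by an AuthnRequest.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest (already inflated and base64-decoded, as
# SAMLTracer shows it). Note the capital "M" in the Issuer value.
SAMPLE_AUTHN_REQUEST = """<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_constructed_example" Version="2.0"
    IssueInstant="2017-08-24T13:48:15Z"
    Destination="https://adfs.example.test/adfs/ls/"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test/Metadata</saml:Issuer>
</samlp:AuthnRequest>
"""

# Constructed list of what the ADFS relying party trust "Identifiers" tab holds.
ADFS_IDENTIFIERS = ["https://sp.example.test/metadata"]


def extract_issuer(authn_request_xml: str) -> str:
    """Return the saml:Issuer text of an AuthnRequest; raise if it is missing."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no saml:Issuer element")
    return issuer.text.strip()


def check_issuer(issuer: str, identifiers: list) -> str:
    """Classify how the SP's Issuer relates to the ADFS identifiers.

    ADFS matches identifiers as exact strings, so a value that differs only
    in letter case still fails; that case is reported separately so the
    misconfiguration is obvious instead of looking like an unknown SP.
    """
    if issuer in identifiers:
        return "match"
    if issuer.lower() in {i.lower() for i in identifiers}:
        return "case-mismatch"
    return "no-match"


def diagnose(authn_request_xml: str, identifiers: list) -> str:
    """Convenience wrapper: extract the Issuer from the XML and classify it."""
    return check_issuer(extract_issuer(authn_request_xml), identifiers)
```

Running `diagnose(SAMPLE_AUTHN_REQUEST, ADFS_IDENTIFIERS)` on the constructed sample reports `case-mismatch`, which is exactly the condition fixed in the answer: align the `sp.entityId` in php-saml and the identifier in ADFS character for character.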