4
votes

Hi I am trying to use SSO to authenticate my client's users directly to my website. My client's IDP is Microsoft ADFS and I am using Passport-SAML (https://github.com/bergie/passport-saml) to configure the SSO process.

After getting to a special URL I give my client (example: www.myClient.myCompany.com ), the user (unauthenticated) is as expected redirected to the client login page. After he enters his credential, he remains stuck in login page BUT the SSO work because the user is authenticated meaning that if he opens a new tab and go to www.myClient.myCompany.com, he will be redirected to my website.

Here the error in ADFS Server Log:

The Federation Service encountered an error while processing the SAML authentication request. 

Additional Data 
Exception details: 
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'www.myCompany.co'.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

MSIS0038 Error - Event ID 303

Thank for your time!

3

3 Answers

0
votes

I'm not familiar with Microsoft ADFS nor Passport-SAML, but I when we had signature errors was because the SHA1 fingerpring of the IDp certificate didn't match the one at our end.

We fixed them by making sure the certificate is correctly formatted and then calculating the fingerpring.

Format: https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate Fingerprint: https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint

Hopefully this is your case

0
votes

Not a Passport-SAML guru but the normal causes of this error with ADFS are:

  • A signing mismatch - ADFS expects the AuthRequest to be signed and it isn't or vice versa.

  • The signing certificate installed in this RP has expired or is the wrong one in the sense that it is not the certificate the client is using.

At the RP level, look at:

Get-ADFSRelyingPartyTrust

[-SignedSamlRequestsRequired ] [-SamlResponseSignature ]

or globally:

Get-ADFSProperties

SignedSamlRequestsRequired
SignSamlAuthnRequests

and check:

Get-AdfsCertificate -CertificateType "Token-Signing"

0
votes

(following up from ADFS and PingFederate SSO : SAML Message has wrong signature)

We're using a different library and it was a different issue for us (our customer actually had the wrong signature), but during the process of trying to debug, I happened upon this thread that sounds very similar to what you're describing.

The fix is to install this hotfix. Can you check if your customer is on Windows Server 2008 and 2012, has 2843638 or 2843639 installed, and if so, install the hotfix if they haven't already? Just a shot in the dark...