ADFS login gives error Microsoft.IdentityServer.Web.UnsupportedSamlRequestException

0
votes

I am trying to connect gitlab to ADFS for single sign on(SSO).in gitlab config i have these values defined.

assertion_consumer_service_url:'https://myhost/users/auth/saml/callback',
 idp_cert_fingerprint: '',
 idp_sso_target_url: 'https://myadfshost/adfs/ls',
 issuer: 'https://myhost',

I added a relying party trust in ADFS. and added an user to AD for authnetication . when i go to https://mygitlabhost. i get the ADFS Page with the login option. after entering the user password i get redirected to the gitlab login page with this error:

Could not authenticate you from SAML because "The status code of the response was not success, was responder".

When i check the event log of ADFS i get this error:

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party:

https://mygitlabhost 

Exception details: 
Microsoft.IdentityServer.Web.UnsupportedSamlRequestException: MSIS7076: The configured passive endpoint 'https://win-i52r11kn5sa.rohit.local/adfs/ls/' is not a prefix of the incoming SAML message Destination URI 'https://myadfshost/adfs/ls'.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateIncomingSamlMessage(SamlMessage samlMessage)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Could this be because of misconfigured ssl certificates? if not the wat could be the issue?

1
single-sign-onadfswindows-server-2012-r2adfs3.0

1 Answers

1
votes

This could be because of metadata or configuration.

Did you send the ADFS metadata URL to the SAML side?

The SAML side is configured to send to https://myadfshost/adfs/ls.

The configured ADFS endpoint is https://win-i52r11kn5sa.rohit.local/adfs/ls/.

So the SAML side should be sending to https://win-i52r11kn5sa.rohit.local/adfs/ls.