0
votes

I am trying to extract the SAMLResponse assertion via https://<adfs_domain>/adfs/ls/idpinitiatedsignon using a webview. The problem is that the SAMLResponse assertion is not signed and the signature is not included inside the assertion.

As a result I cannot validate the SAML assertion. We have configured ADFS with an ADFS signing cert since it is an IDP initiated flow.

Also we set the following property in ADFS: SamlResponseSignature = AssertionOnly

<samlp:Response ID="_255ada50-94a5-493a-9234-0e9801f0a994" Version="2.0" IssueInstant="2020-03-09T13:27:11.297Z" Destination="https://mobile_app/login" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs_domain/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_0d711b58-e28a-4315-976d-5a4ec6abb3ab" IssueInstant="2020-03-09T13:27:11.297Z" Version="2.0" 
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs_domain/adfs/services/trust</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2020-03-09T13:32:11.297Z" Recipient="https://mobile_app/login" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2020-03-09T13:27:11.297Z" NotOnOrAfter="2020-03-09T14:27:11.297Z">
      <AudienceRestriction>
        <Audience>https://doamin/mobile/platform/sso/exchange-token</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>Domain Users</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2020-03-09T13:27:11.155Z" SessionIndex="_0d711b58-e28a-4315-976d-5a4ec6abb3ab">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
1
Hi @KALALEX, did you get the solution for it? In my case the request is signed but the assertion is not!
Bhushan Karmarkar

1 Answer

1
votes

I highly doubt you are getting an unsigned assertion. You should always be getting a token signed using the AD FS server's token-signing cert, regardless of whether you provide a certificate to allow AD FS to validate any signed requests your app sends to AD FS.

You should see details of the cert in the federation metadata published at https://adfs_fqdn/federationmetadata/2007-06/federationmetadata.xml. You can use https://adfshelp.microsoft.com/MetadataExplorer/ShowFederationMetadata for easier viewing of the details published.

You can test what the payload returned by AD FS looks like by using something like https://adfshelp.microsoft.com/ClaimsXray/TokenRequest. You can then send a SAML logon which will use the IdP-initiated flow, and you will see the raw payload returned by AD FS. You can then toggle the SamlResponseSignature as you see fit and see the tokens returned.
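Whatever the SamlResponseSignature setting, the relying party's own check is the thing that matters: refuse any Response whose promised parts are not signed, and make sure each Signature actually covers the element it sits in (direct child, Reference URI pointing at that element's ID) before handing it to an XML-DSig library. The following Python is an added example, not code from the question or the answer; the XML samples are constructed to match the shape of the Response above, with made-up IDs and a placeholder SignatureValue, and it checks placement only, not the signature bytes.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Parts the AD FS SamlResponseSignature setting leaves signed; the relying party must insist on them.
EXPECTED = {"AssertionOnly": {"assertion"}, "MessageOnly": {"response"},
            "MessageAndAssertion": {"response", "assertion"}}

def _covering_signature(elem):
    """Enveloped ds:Signature that actually covers elem, else None: it must be a direct child
    (a deeper Signature belongs to another element) and its Reference URI must be '#<ID of elem>'."""
    sig = elem.find("ds:Signature", NS)
    ref = None if sig is None else sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + elem.get("ID", ""):
        return None
    return sig

def signed_parts(response_xml):
    """Set of parts ('response', 'assertion') that carry a correctly placed signature."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no saml:Assertion")
    return {name for name, elem in (("response", root), ("assertion", assertion))
            if _covering_signature(elem) is not None}

def acceptable(response_xml, setting="AssertionOnly"):
    """True only if every part the setting promises to sign is present and well placed. Structure
    only: the SignatureValue must still be verified with an XML-DSig library against the
    token-signing cert published in federation metadata."""
    return EXPECTED[setting] <= signed_parts(response_xml)

# Constructed samples shaped like the Response in the question (IDs and values are made up).
TEMPLATE = """<samlp:Response ID="_r1" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion ID="_a1" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs_domain/adfs/services/trust</Issuer>{sig}
  </Assertion>
</samlp:Response>"""
def enveloped_sig(target_id):
    # Placeholder with the right shape only; SignatureValue is not a real signature.
    return ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
            '<Reference URI="#%s"/></SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue>'
            '</Signature>' % target_id)

UNSIGNED = TEMPLATE.format(sig="")                            # what the question shows
SIGNED_ASSERTION = TEMPLATE.format(sig=enveloped_sig("_a1"))  # AssertionOnly, as expected
MISPLACED = TEMPLATE.format(sig=enveloped_sig("_r1"))         # inside Assertion, but names the Response
```

Run the Claims X-Ray payload through signed_parts() to see which element AD FS actually signed, then compare against the setting you configured.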