4
votes

I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.

  • Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
  • Error Code ACS50008: SAML token is invalid.

I have searched through the forums but in my case I don't get any more detail on the error and do not know how to proceed and fix this.

My STS is currently on beta and can be reached here: metadata.

If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.

Note: The case is different from the similar question found here since my inner exception details do not suggest any reason.

UPDATE: check the discussion in this thread for some additional information and the payloads I extracted from Fiddler.

Thanks in advance,

Constantinos

2
I can take a look, send me an email. I'll post an answer if I can figure out what's wrong. – Andrew Lavers

2 Answers

3
votes

I finally figured this out with the help of MS support on Azure.

It seems that the "ACS50008: SAML token is invalid" error is quite generic and usually there is more information in an inner exception that does not end up on the error screen. Why this happens is still a mystery for me.

So for anyone that happens to be in my position I nailed two possible reasons for this to happen.

  1. Reason: the client's time does not match the time of ACS; namely, NotBefore below is a time in the future as seen by ACS. Action: <saml:Conditions NotBefore="...." NotOnOrAfter="...."> If that's the case, you may try to set the lifetime to (now - a buffer time such as 5 mins) to now + 1 hour.
  2. Reason: a hidden inner exception that can be seen only with the help of MS support using your error's trackingId.

Microsoft.Cloud.AccessControl.Common.Diagnostics.SignInException : ACS20001: An error occurred while processing a WS-Federation sign-in response.
Microsoft.Cloud.AccessControl.Common.Diagnostics.ServiceException : ACS50008: SAML token is invalid.
Microsoft.IdentityModel.SecurityTokenService.IssuerNameNotSupportedException : Principal with name 'https://login.mydomain.com/' is not a known principal.

In my case the principal name should not contain the forward slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!
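The two causes above can be caught on the STS side before the token ever reaches ACS. The following is an added example, not code from the answer or from ACS: it parses a constructed SAML 1.1 assertion, checks the Issuer against the exact registered principal name (flagging a trailing-slash mismatch) and checks the Conditions window with the 5-minute buffer the answer suggests; the sample assertion, the 5-minute skew and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion: the Issuer has a trailing slash and NotBefore
# is 10 minutes ahead of the "current" time used in the checks below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="https://login.mydomain.com/" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2012-06-01T12:10:00Z" NotOnOrAfter="2012-06-01T13:10:00Z"/>
</saml:Assertion>"""

def parse_utc(value):
    """Parse an xsd:dateTime in the 'YYYY-MM-DDThh:mm:ssZ' form used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fmt_utc(value):
    return value.strftime("%Y-%m-%dT%H:%M:%SZ")

def suggested_conditions(now, backdate=timedelta(minutes=5), lifetime=timedelta(hours=1)):
    """NotBefore/NotOnOrAfter pair following the answer: now - buffer to now + 1 hour."""
    return fmt_utc(now - backdate), fmt_utc(now + lifetime)

def preflight(assertion_xml, now, known_issuers, skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    root = ET.fromstring(assertion_xml)
    issuer = root.get("Issuer")
    # Reason 2 from the answer: the issuer must match a registered principal exactly.
    if issuer not in known_issuers:
        hint = ""
        if issuer and issuer.rstrip("/") in {k.rstrip("/") for k in known_issuers}:
            hint = " (differs only by a trailing slash)"
        problems.append(f"issuer {issuer!r} is not a known principal{hint}")
    # Reason 1 from the answer: 'now' must fall inside the validity window, allowing skew.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("assertion has no saml:Conditions element")
        return problems
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    if not_before - skew > now:
        problems.append(f"NotBefore {fmt_utc(not_before)} is in the future relative to {fmt_utc(now)}")
    if not_on_or_after + skew <= now:
        problems.append(f"NotOnOrAfter {fmt_utc(not_on_or_after)} has already passed at {fmt_utc(now)}")
    return problems
```

Running preflight on SAMPLE_ASSERTION with now = 2012-06-01T12:00:00Z and {"https://login.mydomain.com"} as the known issuer reports both problems; rewriting the Issuer without the slash and the window from suggested_conditions clears them.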

1
votes

You can always create a support case with Microsoft and have them help figure it out: https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn