ADFS SAML error

  • Question

  • Hi everybody,

    A question. I'm quite new to ADFS and claims-based authentication, but I did do some troubleshooting this morning.

    We have SharePoint on ADFS and another Linux application, Cloud Foundry.

    This uses a web page with our AD as identity provider for SSO, and everything worked fine until yesterday.

    On our side there was no change, so I browsed all the settings of the relying party, which uses SHA1, and it's configured for SHA1. This all looks fine.

    In the ADFS event log I get these events:

    On the webpage I see this error:

    Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null

    In the eventlog I see this message:

    Protocol Name: Saml

    Relying Party: http://login.cf.nl

    Exception details: System.FormatException: Index (zero based) must be greater than or equal to zero and less than the size of the argument list.

    The Federation Service encountered an error while processing the SAML authentication request.

    So my question: I don't see extra information in the ADFS event log. Where can I troubleshoot further so that I have an idea of what the root cause is?

    Kind regards,

    André

    Wednesday, March 23, 2016 1:07 PM

Answers

  • Hi Pierre,

    Sorry for my late reply.

    It gave us too little info. With a Fiddler debug I saw that the signing wasn't fully done.

    So we gave Pivotal (the vendor) the info, and in an upgrade they had set their signing to default.

    Which means ADFS asks for signing and the application doesn't sign.

    When we changed the setting in the application software, everything was working.

    Kind regards,

    André

    Wednesday, March 30, 2016 9:35 AM

All replies

    You can enable extra logs; maybe they will give us more details:

    Open the eventvwr and enable the debug logs:

    Then locate the ADFS Tracing logs and enable them:

    Repro the problem (note that the logs will not necessarily show anything until you stop them).

    Once reproduced, stop the logs:

    And start the digging :)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, March 23, 2016 3:17 PM
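The same procedure scripted, as an added example that is not part of the reply above: enable the AD FS tracing channel, reproduce, disable it again (only then are its events readable), export it, and pull the failing request out of the Admin log. It assumes the channel names of AD FS on Windows Server 2012 R2 (AD FS Tracing/Debug and AD FS/Admin) and an export path under C:\Temp; the function names are mine, and other AD FS versions name the channels differently.

```powershell
# Added example, not from the original reply. Channel names are those of AD FS on
# Windows Server 2012 R2; the export path is an assumption.
$TraceLog = 'AD FS Tracing/Debug'
$AdminLog = 'AD FS/Admin'
$ExportTo = 'C:\Temp\adfs-trace.evtx'

function Start-AdfsTrace {
    # Debug channels are off by default; /quiet suppresses the confirmation prompt
    wevtutil set-log $TraceLog /enabled:true /quiet:true
}

function Stop-AdfsTrace {
    # A debug channel is only flushed and readable once it is disabled again,
    # which is why the reply says the logs show nothing until you stop them
    wevtutil set-log $TraceLog /enabled:false /quiet:true
    wevtutil export-log $TraceLog $ExportTo /overwrite:true
}

function Get-AdfsSamlFailures {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Error-level events in the Admin log that name a relying party, like the event in the question
    Get-WinEvent -FilterHashtable @{ LogName = $AdminLog; Level = 2; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Relying Party:' } |
        Select-Object TimeCreated, Id,
            @{ n = 'RelyingParty'; e = { [regex]::Match($_.Message, 'Relying Party:\s*(\S+)').Groups[1].Value } },
            @{ n = 'Exception';    e = { [regex]::Match($_.Message, 'Exception details:\s*([^\r\n]+)').Groups[1].Value } }
}

function Get-AdfsTraceSignatureEvents {
    param([string]$Path = $ExportTo)
    # The trace line found later in the thread ("SAML protocol message was not signed ...") matches this filter
    Get-WinEvent -Path $Path -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'signed|signature' } |
        Select-Object TimeCreated, Id, Message
}

# Usage: start, reproduce the login from the application side, then stop and read
Start-AdfsTrace
Read-Host 'Reproduce the failing login now, then press Enter'
Stop-AdfsTrace
Get-AdfsSamlFailures | Format-List
Get-AdfsTraceSignatureEvents | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell on the AD FS server. The Admin-log query gives you the relying party and exception per failed request without scrolling through the viewer; the exported trace is what you grep when, as here, the Admin event is too generic to name the cause.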
  • Thanks :-). Keep this post up to date
    Thursday, March 24, 2016 6:45 AM
  • Hi Pierre,

    The debug logging doesn't give me much extra info. What I see on the other side is the following:

    SAML protocol message was not signed, skipping XML signature processing

    Meanwhile, I get no certificate errors. It is a SHA1 application, which uses SHA1 in the ADFS settings. So that's OK.

    People online (when I look into this) are saying that the whole message has to be signed.

    My question: where do we do this in the ADFS settings?

    The error is generated by the service account.

    Kind regards,

    André

    Thursday, March 24, 2016 10:47 AM
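The setting the post above asks about, and the mismatch the accepted answer describes (AD FS requiring a signed request while the application sends an unsigned one), can both be checked from the AD FS server. This is an added example, not code from the thread, from Microsoft or from Pivotal. It assumes the ADFS PowerShell module on Windows Server 2012 R2, the relying party identifier shown in the event log (http://login.cf.nl), and a constructed unsigned AuthnRequest for the demonstration; the function names and the host adfs.example.nl are mine.

```powershell
# Added example, not code from the thread. Assumes the ADFS module (Windows Server 2012 R2)
# and the relying party identifier shown in the event log; hostnames and IDs are made up.
Add-Type -AssemblyName System.Web

# Side 1: what AD FS demands from this relying party.
function Get-RpSigningExpectation {
    param([Parameter(Mandatory)][string]$Identifier)
    $rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
    if (-not $rp) { throw "No relying party trust with identifier $Identifier" }
    [pscustomobject]@{
        Name                       = $rp.Name
        # $true: AD FS rejects an AuthnRequest that is not signed, which is the situation in the thread
        SignedSamlRequestsRequired = $rp.SignedSamlRequestsRequired
        # Algorithm URI, e.g. http://www.w3.org/2000/09/xmldsig#rsa-sha1 for the SHA1 setting discussed
        SignatureAlgorithm         = $rp.SignatureAlgorithm
        # Certificate(s) AD FS verifies a signed request against; empty means it could not verify one
        RequestSigningCertificate  = ($rp.RequestSigningCertificate | ForEach-Object { $_.Thumbprint }) -join ','
    }
}

# Side 2: does the request the application sent carry a signature at all?
# Takes the GET URL of the HTTP-Redirect binding as captured in Fiddler.
function Test-SamlRequestSignature {
    param([Parameter(Mandatory)][string]$RedirectUrl)
    $query = [System.Web.HttpUtility]::ParseQueryString(([Uri]$RedirectUrl).Query)
    # Redirect binding: XML -> raw DEFLATE -> base64 -> URL-encoding
    $raw    = [Convert]::FromBase64String($query['SAMLRequest'])
    $stream = New-Object System.IO.Compression.DeflateStream(
        (New-Object System.IO.MemoryStream(,$raw)),
        [System.IO.Compression.CompressionMode]::Decompress)
    $text = (New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::UTF8)).ReadToEnd()
    $xml  = [xml]$text
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')
    [pscustomobject]@{
        Issuer        = $xml.SelectSingleNode('/samlp:AuthnRequest/saml:Issuer', $ns).InnerText
        Destination   = $xml.DocumentElement.GetAttribute('Destination')
        # In the redirect binding the signature travels beside the XML, in the SigAlg and Signature parameters
        SignedInQuery = [bool]$query['Signature']
        SigAlg        = $query['SigAlg']
        # In the POST binding it is embedded as ds:Signature inside the AuthnRequest itself
        SignedInXml   = $null -ne $xml.SelectSingleNode('/samlp:AuthnRequest/ds:Signature', $ns)
    }
}

# Constructed sample: an unsigned AuthnRequest, as an SP whose signing is "set to default" (off) sends it.
$unsignedRequest = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0" ' +
    'IssueInstant="2016-03-23T12:00:00Z" Destination="https://adfs.example.nl/adfs/ls/" ' +
    'AssertionConsumerServiceURL="https://login.cf.nl/saml/SSO">' +
    '<saml:Issuer>http://login.cf.nl</saml:Issuer></samlp:AuthnRequest>'
$buffer  = New-Object System.IO.MemoryStream
$deflate = New-Object System.IO.Compression.DeflateStream($buffer, [System.IO.Compression.CompressionMode]::Compress, $true)
$bytes   = [System.Text.Encoding]::UTF8.GetBytes($unsignedRequest)
$deflate.Write($bytes, 0, $bytes.Length)
$deflate.Dispose()
$sampleUrl = 'https://adfs.example.nl/adfs/ls/?SAMLRequest=' +
    [Uri]::EscapeDataString([Convert]::ToBase64String($buffer.ToArray()))

# Neither signature check fires for this sample; paired with SignedSamlRequestsRequired = $true on the
# trust, that is exactly the mismatch behind the Responder status in the thread.
Test-SamlRequestSignature -RedirectUrl $sampleUrl
Get-RpSigningExpectation -Identifier 'http://login.cf.nl'
```

If the two outputs disagree, fix whichever side your policy allows. The thread fixed it on the application side (turning request signing back on), which keeps the stronger check in place; the alternative, `Set-AdfsRelyingPartyTrust -TargetIdentifier 'http://login.cf.nl' -SignedSamlRequestsRequired $false`, makes AD FS accept unsigned requests and should be a conscious decision, not a quick workaround. When the SP does sign, also confirm that its certificate is registered under RequestSigningCertificate and that the SigAlg it sends matches the trust's SignatureAlgorithm.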
  • So it was working and ceased functioning? Or it never worked?

    Saturday, March 26, 2016 11:17 PM
  • Thank you for letting us know!

    Wednesday, March 30, 2016 2:08 PM