SP initiated SAML session not working externally

  • Question

  • Hi all

    We utilise a cloud service called Robin Powered for which we have configured ADFS (3.0) to perform SAML2 authentication.

    Internally the service works fine for both SP and IdP initiated sessions; however, when trying to perform an SP initiated session from outside our network it appears to be failing.

    When I go to the SAML URL on the cloud provider (to trigger the SP initiated session) I can see the browser being redirected to the ADFS signon page momentarily (where I'd expect it to prompt me for credentials), however instead I just get sent back to an error page on the cloud service (which has no helpful info as to the issue).
    The ADFS server is logging the following error message:


    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    Saml 

    Relying Party: 
    https://robinpowered.com 

    Exception details: 
    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
       at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Performing an IdP initiated session to this cloud service works fine from external.

    I've read a lot of articles stating that I need to enable Forms Authentication on the "Intranet" auth policy, however this doesn't help me from an external perspective.

    Our ADFS environment is set up with split DNS, so regardless of whether you are internal or external to the network you get sent to the same adfs.domain.com environment. ADFS proxies are in place to accept the connection for external connections.

    We have other cloud services configured on the same ADFS environment which work fine externally for both IdP and SP initiated sessions. Does anyone know how to resolve this or what the cause is?

    Cheers
    Brady

    Wednesday, November 16, 2016 3:35 AM

Answers

  • It seems like the Authentication Method is not supported on the STS/ADFS.

    As Pierre says, that would be something to verify.
    I also want to add the option to use SAML-tracer in Firefox and take a look on the SAML-ticket, check AuthnRequest, that might give you some hints.

    • Marked as answer by Kenman87 Friday, November 18, 2016 12:39 PM
    Wednesday, November 16, 2016 10:07 PM

All replies

  • Do you happen to know what is the method you are asking?

    You can see it in a Fiddler trace (sometimes just looking at the URL), or in the audit logs of the ADFS server if you enable the audit both on ADFS and on the OS for the Success Audit Object Access Application generated.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, November 16, 2016 4:15 PM
  • Hi guys

    Thanks for your suggestions.

    Jorrk, as mentioned it looks like the SP was forcing us to use a certain type of auth in the token:

    <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    Obviously Windows auth isn't going to work outside of our network so I went onto Robin and configured them to allow form auth which has fixed the issue.

    Thanks!!

    Friday, November 18, 2016 12:39 PM
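    The check the marked answer suggests (pull the AuthnRequest out of the redirect URL and read its RequestedAuthnContext) and the cause Brady found (Comparison="exact" with only urn:federation:authentication:windows, which ADFS maps to Windows Integrated auth and so cannot satisfy from the extranet, hence MSIS7102) can be scripted. The block below is an added example, not code from the thread, Robin, or ADFS: it decodes a SAML2 HTTP-Redirect binding URL (URL-decode, base64, raw DEFLATE), extracts the requested context classes, and rates them against an assumed policy model in which the extranet offers forms auth only and the intranet offers both. The SP and ADFS host names, the request ID, and the class-to-policy mapping are constructed assumptions; non-exact comparisons are reported but not judged.

```python
"""Decode a SAML2 HTTP-Redirect AuthnRequest and check whether its
RequestedAuthnContext can be satisfied by an ADFS extranet (forms) policy.
Added example; the policy model below is an assumption, not ADFS' own code."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Context class seen in the thread: ADFS maps it to Windows Integrated auth.
WINDOWS_CLASS = "urn:federation:authentication:windows"
# Context class ADFS maps to forms (username/password) auth.
PPT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Assumed policy model: extranet offers forms only, intranet offers both.
INTRANET_ONLY = {WINDOWS_CLASS}
EXTRANET_CAPABLE = {PPT_CLASS, "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"}

# Constructed SSO endpoint, not a real ADFS host.
SSO_URL = "https://adfs.example.com/adfs/ls/"


def encode_redirect_saml_request(xml_text, sso_url=SSO_URL):
    """Build the HTTP-Redirect binding URL an SP sends the browser to:
    raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": b64})


def decode_redirect_saml_request(url):
    """Reverse the binding: the XML that SAML-tracer or Fiddler shows for the URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE stream


def requested_authn_context(xml_text):
    """Return (Comparison, [AuthnContextClassRef, ...]) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs  # spec default is "exact"


def assess(xml_text):
    """Judge whether the assumed extranet policy can satisfy the request."""
    comparison, refs = requested_authn_context(xml_text)
    if not refs:
        return {"comparison": comparison, "classes": [], "extranet_ok": True,
                "reason": "no RequestedAuthnContext: ADFS picks a method from its own policy"}
    if comparison != "exact":
        return {"comparison": comparison, "classes": refs, "extranet_ok": None,
                "reason": "non-exact comparison: outcome depends on ADFS' ordering of methods"}
    ok = any(r in EXTRANET_CAPABLE for r in refs)
    blocked = [r for r in refs if r in INTRANET_ONLY]
    if ok:
        reason = "an offered class is available on the extranet (forms)"
    elif blocked:
        reason = "only intranet methods requested; expect MSIS7102 via the proxy"
    else:
        reason = "no requested class is known to the extranet policy"
    return {"comparison": comparison, "classes": refs, "extranet_ok": ok, "reason": reason}


def sample_authn_request(class_ref):
    """Constructed minimal AuthnRequest mirroring the fragment in the thread."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed-req-1" Version="2.0" IssueInstant="2016-11-16T03:35:00Z" '
        'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
        '<saml:Issuer>https://sp.example.com</saml:Issuer>'
        '<samlp:RequestedAuthnContext Comparison="exact">'
        f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext></samlp:AuthnRequest>'
    )


if __name__ == "__main__":
    # The Windows-only request fails the extranet check; the forms one passes.
    for cls in (WINDOWS_CLASS, PPT_CLASS):
        url = encode_redirect_saml_request(sample_authn_request(cls))
        print(assess(decode_redirect_saml_request(url)))
```

    To use it against a real trace, paste the SAMLRequest redirect URL copied from SAML-tracer or Fiddler into decode_redirect_saml_request and feed the result to assess; the encoder is only there so the example round-trips offline.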
  • Thanks for letting us know!


    Friday, November 18, 2016 6:44 PM