ADFS SAML Response Issue

  • Question

  • We have a farm of federation servers already configured and working with O365 and Wrike. OS - WS2016, latest updates installed.

    Now we're configuring Google SAML SSO with ADFS (article - https://icutsman.wordpress.com/2016/08/06/googleappsandadfs/). But every time we receive the error "This account cannot be accessed because the login credentials could not be verified." Tried different claims rules and certificates (self-signed token certificate and commercial), but nothing.

    We discovered one strange issue - the SAML Response remains the same even when we're changing claims rules (or delete them all). But if we apply another cert, the corresponding attribute in the SAML Response is changed.

    Sample is below:

    <samlp:Response ID="_a6ee0b86-0b2e-4231-9302-dba85c8bcf0e"
                    Version="2.0"
                    IssueInstant="2018-08-16T13:18:55.488Z"
                    Destination="https://www.google.com/a/our_domain/acs"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    InResponseTo="dodipapeldllbaiplhmafikepkifhdenolmjfbnl"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs_server/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_a6ee0b86-0b2e-4231-9302-dba85c8bcf0e">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>here_digest</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>here_signature_value==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>here_certificate</ds:X509Certificate>
          </ds:X509Data>
        </KeyInfo>
      </ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
      </samlp:Status>
    </samlp:Response>

    What's wrong with the SAML Response? Why doesn't it change?

    Thursday, August 16, 2018 4:32 PM

All replies

  • Here is your actual issue:

    <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /> </samlp:Status>

    The SAML status code should be Success, so the Response you are getting is not "valid" or "correct".

    So please investigate your configuration first of all and make sure everything is correct.
    The SAML status code should be successful before you start investigating outgoing attributes.


    Monday, August 20, 2018 9:03 AM
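    The reply above points at the right place: a Response whose StatusCode is Responder carries no Assertion, so there are no attributes in it for claim rule changes to affect, while the Response-level signature (and therefore the embedded certificate) still changes when the signing certificate is swapped. The following is an added example, not code from the thread or from AD FS, that triages a SAML Response the way a practitioner would before touching claim rules: it reads the StatusCode, counts assertions, extracts the attributes that are actually present, and reports which element is signed. Both embedded responses are constructed samples (hosts, IDs and the user value are placeholders); the first is shaped like the one in the question.

```python
"""Triage an AD FS SAML Response: check StatusCode and assertion content
before debugging claim rules.  Constructed samples, not real captures."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample 1: signed Response, status Responder, no Assertion
# (the shape posted in the question; all values are placeholders).
RESPONDER_RESPONSE = """<samlp:Response ID="_resp1" Version="2.0"
  IssueInstant="2018-08-16T13:18:55.488Z"
  Destination="https://www.google.com/a/example.test/acs" InResponseTo="req1"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.example.test/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/><ds:SignatureValue>placeholder==</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample 2: what a working login looks like: status Success and a
# signed Assertion whose AttributeStatement reflects the claim rules.
SUCCESS_RESPONSE = """<samlp:Response ID="_resp2" Version="2.0"
  IssueInstant="2018-08-16T13:20:00.000Z"
  Destination="https://www.google.com/a/example.test/acs" InResponseTo="req2"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.example.test/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
      IssueInstant="2018-08-16T13:20:00.000Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>placeholder==</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def summarize(xml_text):
    """Return the fields worth looking at first in a SAML Response."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    issuer = root.find("saml:Issuer", NS)
    assertions = root.findall("saml:Assertion", NS)
    attributes = {}
    for assertion in assertions:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            attributes[attr.get("Name")] = values
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": any(a.find("ds:Signature", NS) is not None for a in assertions),
        # Encrypted assertions would need decryption first; count them so they are not missed.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "assertion_count": len(assertions),
        "attributes": attributes,
    }


def diagnose(xml_text):
    """Return human-readable findings; an empty list means the response is worth
    inspecting for attribute problems."""
    s = summarize(xml_text)
    findings = []
    if s["status"] != SUCCESS:
        findings.append(f"StatusCode is {s['status']}: the IdP refused to issue a token; "
                        "check the relying party trust and the AD FS event log first.")
    if s["assertion_count"] == 0 and s["encrypted_assertions"] == 0:
        findings.append("No Assertion present: the response carries no attributes, "
                        "so claim rule changes cannot show up in it.")
    if not (s["response_signed"] or s["assertion_signed"]):
        findings.append("Neither the Response nor an Assertion is signed.")
    return findings


if __name__ == "__main__":
    for label, doc in (("responder", RESPONDER_RESPONSE), ("success", SUCCESS_RESPONSE)):
        print(label, summarize(doc)["status"], diagnose(doc) or ["no blocking findings"])
```

Run against the Responder sample the script reports the non-Success status and the missing Assertion; against the Success sample it reports nothing and `summarize` exposes the e-mail attribute, which is the point at which comparing attribute names and NameID format with what the service provider expects becomes meaningful.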
  • Any message on the AD FS/Admins event log? What about the ADFS audit? 

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 23, 2018 12:58 PM