SAML2.0 configuration for xxxxxx (Production Environment) login authentication.

  • Question

  • Hello All,

    I have a request for SAML2.0 configuration for xxxxxx (Production Environment) login authentication.

    Is this request to create a Relying Party trust? If yes, could anyone provide simple documentation to complete this?

    I can see a test Relying Party trust for the same xxxxx (staging environment) and it was successfully created.

    Aamir


    Monday, December 28, 2015 1:50 PM

Answers

  • If the metadata is correct and complete, these fields should be obtained from the metadata and populated for you.

    The whole point of metadata is that you don't have to manually enter parameters.

    • Marked as answer by Masthanomatic Tuesday, January 5, 2016 6:03 PM
    Tuesday, January 5, 2016 5:48 PM

All replies

  • We might need additional information to help you out. The basic procedure to add a Relying Party trust is described here: https://technet.microsoft.com/en-us/library/dn486828.aspx

    Usually, to make it easy, you ask the application team to give you all the info you need (endpoints, URI, etc.) or an XML file containing everything you need, and you can give them the XML file that contains everything they need to create the trust on their side, available at this address: https://<URL of your ADFS farm>/FederationMetadata/2007-06/federationmetadata.xml


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, December 29, 2015 10:24 AM
  • Thanks for the reply

    I requested details and I have received:

    1) Metadata file (XML format) attachment,

    2) Service URL

    3) Endpoint configuration

    4) Configuration attributes for outbound

    Now please let me know how to proceed further.

    Do I need to download the metadata file to the ADFS server and select the second option when creating the RPT?

    Thanks



    Monday, January 4, 2016 8:54 PM
  • Yes - use "Import data about the RP from a file" and browse to metadata file.

    Monday, January 4, 2016 9:54 PM
  • Thanks for the reply.

    I downloaded the metadata file to C:\Program Files\Active Directory Federation Services 2.0, browsed to the metadata file from there and completed RP creation; it looks good. Now the concerns in my mind:

    1) I did not get an option to enter the Service URL and Endpoint configuration. Where do I fill this in?

    Thanks

    Aamir



    Tuesday, January 5, 2016 12:30 PM
  • If the metadata is correct and complete, these fields should be obtained from the metadata and populated for you.

    The whole point of metadata is that you don't have to manually enter parameters.

    • Marked as answer by Masthanomatic Tuesday, January 5, 2016 6:03 PM
    Tuesday, January 5, 2016 5:48 PM
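
A PowerShell equivalent of the wizard steps discussed in the replies above (download the partner's metadata, import it with "Import data about the relying party from a file", and confirm that the identifier and endpoints were populated from it). This is an added example and is not part of the original thread; the trust name, metadata path and expected entityID are placeholders to replace with the values the application team supplied. On ADFS 2.0 the cmdlets come from the Microsoft.Adfs.PowerShell snap-in; on Windows Server 2012 R2 and later the ADFS module loads automatically.

```powershell
# Added example (not from the original thread): create a SAML 2.0 Relying Party
# trust from the partner's metadata file and show what AD FS populated from it.
# Placeholder values (assumptions): trust name, metadata path, expected entityID.

# ADFS 2.0 (the install path quoted in the thread) ships its cmdlets as a snap-in;
# ADFS on Windows Server 2012 R2 and later auto-loads the ADFS module.
if (-not (Get-Command Add-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$trustName    = 'xxxxxx (Production)'                    # assumption
$metadataFile = 'C:\Temp\xxxxxx-prod-sp-metadata.xml'    # assumption
$expectedId   = 'https://sp.example.com/saml/metadata'   # assumption: entityID agreed with the partner out of band

# Check the entityID before importing: everything AD FS will trust for this RP
# (its request-signing certificate, its assertion consumer URLs) comes from this file.
[xml]$md = Get-Content -Path $metadataFile
$entityId = $md.EntityDescriptor.entityID
if ($entityId -ne $expectedId) {
    throw "Metadata entityID '$entityId' does not match the agreed value '$expectedId'; verify the file with the partner before importing."
}
Write-Host "Metadata entityID: $entityId"
Write-Host "KeyDescriptor entries in metadata: $(@($md.EntityDescriptor.SPSSODescriptor.KeyDescriptor).Count)"

# Equivalent of "Import data about the relying party from a file" in the wizard.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile

# The identifier and SAML endpoints are filled in from the metadata; there is no
# separate "Service URL" field to type in.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature | Format-List
$rp.SamlEndpoints | Format-Table Protocol, Binding, Index, IsDefault, Location -AutoSize
$rp.RequestSigningCertificate | Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

The entityID comparison is the check worth keeping: whatever is in that file becomes trusted as soon as the import succeeds, so confirm the identifier and the signing certificate with the partner out of band rather than relying on an emailed attachment alone. If the partner publishes its metadata over HTTPS, the same command with -MetadataUrl instead of -MetadataFile lets AD FS fetch it and, with monitoring enabled, pick up certificate rollovers later.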
  • Hello team

    Adding to the above query, I configured the RP using the metadata provided; however, now the users are getting the below error:

    An internal error has prevented the authentication from completing successfully. If the problem persists please contact your local support team to report the issue

    What could possibly have gone wrong?

    Aamir



    Thursday, January 14, 2016 8:01 PM
  • Any error in the ADFS event log?

    Thursday, January 14, 2016 9:07 PM
  • There are lots of them. How will I know which one is for this? I don't know the event ID as well.


    Thursday, January 14, 2016 9:21 PM
  • Are you looking at this event log?

    Just send the top 3 or 4 errors.

    Friday, January 15, 2016 1:22 AM
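
One way to pull the relevant errors out of the AD FS Admin log instead of scrolling through it, as an added example that is not from the thread: it picks the log name for the installed version, lists which error event IDs are firing, shows the newest few with their activity IDs, and can then collect every event AD FS logged for one request. It assumes it runs on the federation server with administrative rights.

```powershell
# Added example (not from the original thread): summarise recent errors in the
# AD FS Admin event log. Assumptions: run on the federation server as an
# administrator; the log name depends on the AD FS version.

$logName = @('AD FS/Admin', 'AD FS 2.0/Admin') |
    Where-Object { Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue } |
    Select-Object -First 1
if (-not $logName) { throw 'No AD FS Admin log found on this host.' }

# Level 2 = Error; Get-WinEvent returns newest first.
$errors = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2 } -MaxEvents 50

# Which event IDs are firing and how often.
$errors | Group-Object Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# The newest few errors with the first lines of their message and the activity ID,
# which ties together the events AD FS wrote for the same request.
$errors | Select-Object -First 4 | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        ActivityId = $_.ActivityId
        Message    = (($_.Message -split "`r?`n") | Select-Object -First 3) -join ' | '
    }
} | Format-List

# Everything logged for one request (paste an ActivityId from the output above).
# $aid = [guid]'00000000-0000-0000-0000-000000000000'   # placeholder
# Get-WinEvent -FilterHashtable @{ LogName = $logName } -MaxEvents 500 |
#     Where-Object { $_.ActivityId -eq $aid } |
#     Sort-Object TimeCreated | Format-List TimeCreated, Id, Message
```

Generic wrappers such as "Encountered error during federation passive request" with a "did not specify a Reason" fault usually sit next to a more specific event for the same activity ID; that neighbouring event, not the stack trace, is the one to post.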
  • 1st

    Encountered error during federation passive request. 

    Additional Data 

    Exception details: 
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)

    System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

    ==============

    2nd

    ==========

    SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1 

    User Action: 
    Verify that signature algorithm for the partner is configured as expected.

    ====================

    3rd

    --------------

    Encountered error during federation passive request. 

    Additional Data 

    Exception details: 
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)

    System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

    ----------------

    4th

    ---------------

    SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1 

    User Action: 
    Verify that signature algorithm for the partner is configured as expected.

    Please suggest

    Aamir



    Friday, January 15, 2016 1:22 PM
  • SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

    In the Advanced tab of your RP setup, change SHA256 in the dropdown to SHA1.

    Sunday, January 17, 2016 5:57 PM
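
The PowerShell form of the Advanced tab change, as an added example that is not part of the original answer. The "Secure hash algorithm" dropdown maps to the trust's SignatureAlgorithm property, which AD FS uses for its own signatures and for checking the algorithm on signed requests it receives. The value to set is the algorithm the partner actually signs with; the event quoted above names that as rsa-sha256, so the block sets SHA-256 and keeps the SHA-1 URI only as a labelled alternative. The trust name is a placeholder.

```powershell
# Added example (not from the original thread): align the trust's expected
# signature algorithm with what the partner's SAML requests actually use, as
# named in the "SAML request is not signed with expected signature algorithm"
# event. Assumption: the trust name is a placeholder.

if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$trustName = 'xxxxxx (Production)'   # assumption
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

$rp = Get-AdfsRelyingPartyTrust -Name $trustName
Write-Host "Currently expected algorithm: $($rp.SignatureAlgorithm)"

# The event says the request arrived signed with rsa-sha256 while the trust
# expected rsa-sha1, so matching the partner means SHA-256 here. Use $sha1 only
# if the partner really signs with SHA-1; it is the weaker of the two.
Set-AdfsRelyingPartyTrust -TargetName $trustName -SignatureAlgorithm $sha256

# Verify; this is the value the Advanced tab dropdown shows.
(Get-AdfsRelyingPartyTrust -Name $trustName).SignatureAlgorithm
```

After the change, retest from a browser and re-read the Admin log: if the signature-algorithm event stops appearing but sign-in still fails, the remaining problem is elsewhere (for example the issued claims or the partner-side configuration), and the next event for the same activity ID will say which.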
  • Thanks for the suggestion. I changed the SHA to 1 and I still get an error message that I don't have access to that site, so I have asked our clients to check and confirm.

    Thanks



    Monday, January 18, 2016 2:01 PM
  • Hello 

    Now even the users are getting the below error

    Authentication Failed

    An authentication attempted with E2open failed.

    Explanation

    You received this message because your credentials were not approved. This could be because of the following reasons:

    • The entered username does not exist
    • You entered an incorrect password
    • Your account might be temporarily locked out

    Solutions

    • Check the spelling of your username and password
    • Retry your login again later
    • Check with your administrator to ensure that your account is active
    • Contact your administrator to get registered with E2open



    Please advise
    Monday, January 18, 2016 5:32 PM