Unable to set up SAML 2.0 with ADFS

  • Question

  • I have configured a virtual Windows Server 2019 machine with ADFS.
    I've tried setting up the relying party trust via the metadata URL, but I'm getting the following error:

    "An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint."

    I've read about this error and heard that it is a bug in ADFS and that the solution would be to set it via PowerShell. I tried that, but was still unable to.

    Then I tried to set up the data manually.

    Since these are temporary test environments, I'll share the app's metadata here: https://saml-test2.matrixlms.com/saml_sso/metadata

    I went to ADFS, exported the token-signing certificate, and configured the IdP data in the app.

    Now I'm getting this error after trying to log in a user:

    Activity ID: 25d5e471-f51f-4e9b-f600-0080000000fc
    Relying party: SAML-2
    Error details: MSIS0037: No signature verification certificate found for issuer 'https://saml-test2.matrixlms.com/saml_sso/metadata'.
    Node name: 507d04df-6395-454c-8bf3-3cd1b59a9a1c
    Error time: Tue, 03 Mar 2020 13:58:30 GMT

    I've tried various things, from changing the certificate to disabling "SignedSamlRequestsRequired", etc.

    I've also tried adding the certificate from the app into the relying party encryption area.

    The app is using the OneLogin ruby-saml library: https://github.com/onelogin/ruby-saml

    I've crawled the web for days for a possible solution and tried just about everything.

    Does anyone know what the issue could be, based on the metadata provided above?

    Thanks!


    Tuesday, March 3, 2020 2:05 PM

All replies

  • Access the metadata URL in a browser and save as file.

    Then add the RP using the metadata file option and import the file into ADFS.

    Tuesday, March 3, 2020 8:50 PM
  • Hi,

    I have already tried that. I tried importing it via the GUI and received the same error.

    I also tried importing it via PowerShell and received the signature error.

    Wednesday, March 4, 2020 8:56 AM
  • Importing from the network with the GUI will fail if you have not enabled Strong Crypto for .NET, as it seems that TLS 1.0 is disabled on the target.

    Once you have enabled it, it still fails but with a different error message stating that the signature doesn't check.

    Wednesday, March 4, 2020 6:09 PM
  • Hi Pierre, 

    Yes, that is correct, TLS 1.0 is disabled on the target.

    And yes, I'm receiving the "signature verification failed" error when trying to import it.

    I've set up the relying party trust manually, but I keep getting that "signature verification failed" error when trying to log in.

    I've exported the token-signing certificate and set it in the app.

    I've extracted the certificate used by the app (from the metadata) and set it in the RPT on the "Encryption" tab.

    When I try to log in via the app, I get "MSIS0037: No signature verification certificate found for issuer".

    If I go to /adfs/ls/idpinitiatedsignon.aspx, select "Sign in to one of the following sites", and pick the targeted app, I get the following error: "ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key."

    Cheers,
    Gabriel

    Thursday, March 5, 2020 9:00 AM
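As an added diagnostic example (not posted by anyone in this thread), the PowerShell below reads the ADFS settings that the Strong Crypto, MSIS0037 and ID4022 symptoms discussed above depend on. It assumes it runs on the ADFS server with the ADFS module available; the trust name 'SAML-2' comes from the event text quoted in the question, and the certificate file path at the end is a placeholder.

```powershell
# Added example, not from the thread. Assumes it runs on the ADFS server with the
# ADFS module loaded; the trust name 'SAML-2' is taken from the event shown above.
$rpName = 'SAML-2'

# 1. Strong Crypto for .NET. Without SchUseStrongCrypto=1 the ADFS GUI's metadata
#    download offers TLS 1.0 and fails against a host that only accepts TLS 1.2.
$hives = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($hive in $hives) {
    $v = (Get-ItemProperty -Path $hive -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    '{0}: SchUseStrongCrypto = {1}' -f $hive, $(if ($null -eq $v) { 'not set' } else { $v })
}

# 2. Settings behind MSIS0037. ADFS verifies a signed AuthnRequest against the
#    certificates in RequestSigningCertificate; an empty list combined with an SP
#    that signs its requests yields 'No signature verification certificate found'.
$rpt = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rpt) { throw "No relying party trust named '$rpName'" }
'Identifier:                 {0}' -f ($rpt.Identifier -join ', ')
'SignedSamlRequestsRequired: {0}' -f $rpt.SignedSamlRequestsRequired
'RequestSigningCertificate:  {0}' -f (($rpt.RequestSigningCertificate |
    ForEach-Object { $_.Thumbprint }) -join ', ')

# 3. Settings behind encryption. A certificate placed on the Encryption tab becomes
#    EncryptionCertificate; with EncryptClaims on, ADFS encrypts the assertion to it,
#    so the matching private key must be held wherever the token is decrypted.
'EncryptClaims:              {0}' -f $rpt.EncryptClaims
'EncryptionCertificate:      {0}' -f $rpt.EncryptionCertificate.Thumbprint
'SamlResponseSignature:      {0}' -f $rpt.SamlResponseSignature

# To let ADFS verify the app's signed requests, register the app's signing
# certificate (exported from its metadata; the file path is a placeholder):
# $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\app-signing.cer'
# Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $cer
```

Run it in an elevated ADFS PowerShell session; the three sections map to the GUI import failure, the MSIS0037 event and the encryption tab setting respectively.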