Issue authenticating SAML token

  • Question

  • Hi all - 

    I'm trying to pass a SAML token into ADFS for authentication. It's decrypting successfully, but then I get the very generic error below:

    1) Exception: 'Element' is an invalid XmlNodeType.

    StackTrace:    at System.Xml.XmlReader.ReadEndElement()

       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)

    2) Passive pipeline error

     

    This is with AD FS 3.0 and SAML 2. 

    The SAML request was:

    <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="DH7a49776ef7c040d09b2c661821bd5f76" AssertionConsumerServiceURL="https://auth-dev.ServiceProvider.com/clientOrg/SAML/Login" Destination="https://federation.example.net/adfs/ls/IdpInitiatedSignOn.aspx" IssueInstant="2017-04-20T14:49:35.6414575Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer>https://auth.ServiceProvider.com/clientOrg</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true" />
      <samlp:forceAuthn>true</samlp:forceAuthn>
    </samlp:AuthnRequest>

     

    How can I further narrow down and troubleshoot this issue?

    Thursday, April 20, 2017 11:46 PM

Answers

  • It turns out that 'samlp:forceAuthn' is an attribute, not an element. Weirdly enough, that invalid element did work with the company's existing client. Anyway, I downloaded all 4 schemas onto my local machine to verify the XML: saml-schema-assertion-2.0.xsd, saml-schema-protocol-2.0.xsd, xenc-schema.xsd, xmldsig-core-schema.xsd, and customized their xsd references to point to the local copies. 

    After removing that invalid element, it works like a charm. 

    Monday, April 24, 2017 3:23 PM
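To catch this class of mistake before a request ever reaches AD FS, the lint below checks an AuthnRequest against the child elements and attributes that saml-schema-protocol-2.0.xsd permits, and moves a flag written as a child element onto the correctly cased attribute. It is an added example for this thread, not code from the original poster or from Microsoft; it generalizes the accepted answer from ForceAuthn to IsPassive and the other request attributes, uses only the Python standard library, and takes the request posted in the question as its input. It is a structural check only, not a substitute for validating against the four downloaded schemas or for verifying signatures.

```python
"""Structural lint for a SAML 2.0 AuthnRequest.

Added example for this thread, not code from the original post or from
Microsoft.  It checks the request against the child elements and
attributes that saml-schema-protocol-2.0.xsd permits on AuthnRequest, and
moves a flag mistakenly written as a child element (<samlp:forceAuthn>
in the thread; the same check covers IsPassive and the other flags) onto
the correctly cased attribute.  Not a substitute for full XSD validation
or for signature verification.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Keep the samlp:/saml: prefixes when serialising the repaired request.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Children AuthnRequest may have, in the order the schema's xs:sequence
# requires (RequestAbstractType content first, then AuthnRequestType's).
ALLOWED_CHILDREN = [
    f"{{{SAML}}}Issuer", f"{{{DS}}}Signature", f"{{{SAMLP}}}Extensions",
    f"{{{SAML}}}Subject", f"{{{SAMLP}}}NameIDPolicy", f"{{{SAML}}}Conditions",
    f"{{{SAMLP}}}RequestedAuthnContext", f"{{{SAMLP}}}Scoping",
]

# AuthnRequest attributes (case-sensitive in the schema), keyed by their
# lowercase spelling so a mis-cased name such as forceAuthn can be mapped.
ATTRIBUTES = {name.lower(): name for name in (
    "ID", "Version", "IssueInstant", "Destination", "Consent",
    "ForceAuthn", "IsPassive", "ProtocolBinding",
    "AssertionConsumerServiceIndex", "AssertionConsumerServiceURL",
    "AttributeConsumingServiceIndex", "ProviderName",
)}


def lint_authn_request(xml_text):
    """Return (problems, repaired_xml).

    problems is a list of human-readable findings; repaired_xml is the
    request with flag elements moved onto attributes and mis-cased
    attribute names corrected, so it can be re-linted or sent.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, expected samlp:AuthnRequest"], xml_text

    # Attribute names must match the schema's casing exactly.
    for name in list(root.attrib):
        canonical = ATTRIBUTES.get(name.lower())
        if canonical is not None and canonical != name:
            problems.append(f"attribute {name} must be spelled {canonical}")
            root.set(canonical, root.attrib.pop(name))

    last_index = -1
    for child in list(root):
        if child.tag in ALLOWED_CHILDREN:
            index = ALLOWED_CHILDREN.index(child.tag)
            if index < last_index:
                problems.append(f"{child.tag} appears out of schema order")
            last_index = max(last_index, index)
            continue
        namespace, _, local = child.tag.rpartition("}")
        attribute = ATTRIBUTES.get(local.lower())
        if namespace == "{" + SAMLP and attribute is not None:
            # The poster's mistake: a protocol flag written as an element.
            value = (child.text or "").strip()
            problems.append(
                f"<samlp:{local}> is not an element; set the {attribute} "
                f"attribute instead (moved value {value!r})")
            root.set(attribute, value)
        else:
            problems.append(f"unexpected child element {child.tag}")
        root.remove(child)

    return problems, ET.tostring(root, encoding="unicode")


# The request posted in the question above.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="DH7a49776ef7c040d09b2c661821bd5f76" AssertionConsumerServiceURL="https://auth-dev.ServiceProvider.com/clientOrg/SAML/Login" Destination="https://federation.example.net/adfs/ls/IdpInitiatedSignOn.aspx" IssueInstant="2017-04-20T14:49:35.6414575Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>https://auth.ServiceProvider.com/clientOrg</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" />
<samlp:forceAuthn>true</samlp:forceAuthn>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    findings, repaired = lint_authn_request(SAMPLE_REQUEST)
    for finding in findings:
        print("PROBLEM:", finding)
    print(repaired)
```

Run on the request from the question, it reports the single finding about <samlp:forceAuthn> and emits the request with ForceAuthn="true" on the root element; the repaired output then lints clean. An unexpected child element is exactly what the stack trace above points at (ReadEndElement meeting an Element node inside ReadAuthnRequest), so this is a cheap first check before reaching for AD FS tracing.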

All replies

  • Try changing Destination from "https://federation.example.net/adfs/ls/IdpInitiatedSignOn.aspx" to "https://federation.example.net/adfs/ls/".

    Best regards,
    Bojan

    Friday, April 21, 2017 9:55 AM
  • Tried it. It may be one of the problems, but I got the same errors. 

    Is there anywhere we can systematically debug or troubleshoot AD FS? Otherwise, with little documentation and vague error messages, it's a pain to resolve the problem. 

    Friday, April 21, 2017 12:41 PM