ADFS (Windows Server 2019) SAML Artifact Resolution Response Message Not Properly Signed

  • Question

  • I'm trying to integrate ADFS with our Service Provider (SP). I've enabled the Artifact Resolution (SOAP) mechanism in ADFS, and ADFS does respond to an ArtifactRequest message with an ArtifactResponse message, but the ArtifactResponse is missing a ds:Signature element (the signature on the ArtifactResponse itself). It does include a signature inside the Response, but the SAML protocol specification (e.g. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings|outline) says that the ArtifactResponse should look like:


    <samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="identifier_3" ...>
        <!-- an ArtifactResponse message SHOULD be signed -->
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ...> ...</samlp:Response>
    </samlp:ArtifactResponse>


    The response from ADFS is missing the ds:Signature element here. Consequently, the SAML library in our SP is rejecting the ArtifactResponse as "unauthenticated".

    Is there some setting in ADFS required to produce the required signature? I haven't been able to find one.


    • Moved by Dave Patrick (MVP), Thursday, September 3, 2020 8:12 PM: looking for forum
    Thursday, September 3, 2020 7:23 PM
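An added example, not code from the question or from ADFS: a small Python check that reports which element of an ArtifactResponse actually carries its own enveloped ds:Signature (a direct-child Signature whose Reference URI points at that element's ID), run over a constructed sample that mirrors the behaviour described above (inner Response signed, outer ArtifactResponse unsigned). The issuer URL and IDs in the sample are made up.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _enveloped_signature_ok(elem):
    """True when elem has a direct-child ds:Signature whose single
    ds:Reference URI points at elem's own ID (a proper enveloped signature).
    A Signature found deeper in the tree does not count for this element."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + elem.get("ID", "")


def signature_coverage(xml_text):
    """Return which of ArtifactResponse / Response / Assertion carry their
    own enveloped signature. Placement only; cryptographic validation of the
    SignatureValue is still the SAML library's job."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ArtifactResponse" % NS["samlp"]:
        raise ValueError("not a samlp:ArtifactResponse")
    resp = root.find("samlp:Response", NS)
    assertion = resp.find("saml:Assertion", NS) if resp is not None else None
    return {
        "ArtifactResponse": _enveloped_signature_ok(root),
        "Response": resp is not None and _enveloped_signature_ok(resp),
        "Assertion": assertion is not None and _enveloped_signature_ok(assertion),
    }


# Constructed sample (not a real ADFS capture): only the inner Response is
# signed, which is the situation the question describes.
SAMPLE = """<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_ar1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <samlp:Response ID="_resp1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://adfs.example/adfs/services/trust</saml:Issuer></saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse>"""

if __name__ == "__main__":
    print(signature_coverage(SAMPLE))
```

Running it on the sample reports `ArtifactResponse: False, Response: True, Assertion: False`, which is exactly the shape an SP library that requires the outer message to be signed would reject as "unauthenticated".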


  • I'd try asking for help over here.




    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Dave Patrick (MVP), Saturday, September 5, 2020 1:42 PM
    • Marked as answer by Guido Franzke, Thursday, September 10, 2020 12:38 PM
    Thursday, September 3, 2020 8:12 PM