ADFS to LLDAP SSO error RRS feed

  • Question

  • Hello, 

    I have a Windows Server 2016 domain (domain A) with Windows Server 2016 domain/forest functional level and ADFS 4.0 deployed. I also have an LemonLDAP (LDAP v3 compliant) domain (domain B) installation with various Web applications running in it. I need to enable SSO for these web applications. The scenario is that when users log on with their domain A credentials, they should be able to SSO to the domain B Web applications.

    I have followed instructions from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories  in order to create a federation trust from domain A to domain B. Also on the LLDAP side I have registered ADFS as a SAML IDP and enabled SAML v2 for authentication.

    I have run the following command for the creation of adfs local claims trust: 

    Add-AdfsLocalClaimsProviderTrust –Name "LLDAPStore" -Identifier "urn:LLDAP" -Type Ldap -LdapServerConnection @($idStoreInstance1) -UserObjectClass inetorgperson -UserContainer "dc=domain,dc=com" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute userPrincipalName -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($mappingGivenName, $mappingSurname, $mappingDisplayName, $mappingCommonName, $mappingUid) -Enabled $true -AcceptanceTransformRules "@RuleName = `"Issue All Mapped Claims`"`nc:[] => issue(claim = c);"

    When I navigate to the Web Application URL and choose to authenticate via SAML, I am redirected to the ADFS https://adfs.domain.com/adfs/ls page with "an error occured" message. 

    This is a accompanied by ADFS server event log message Event ID 364, with details: 


    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 

    Relying Party: 

    Exception details: 
    System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
       at System.Xml.XmlReader.ReadEndElement()
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadRequestedAuthnContext(XmlReader reader)
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
       at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
       at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
       at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
       at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Have you seen this error before? It looks like the SAML request is malformed. Any ideas/suggestions on the above?

    Stefanos Evangelou

    Friday, October 13, 2017 8:01 AM

All replies

  • Hello, 

    The SAML trace I took from the communication between ADFS v4 server and the relying party trust (LemonLDAP server) shows that the SAML request (v2) is sent to the ADFS server and then the error Event ID 364 is thrown in the ADFS application server. I validated the SAML XML using online validator and the result was that the XML was invalid (not according to SAML v2 spec). The validation i performed using the https://www.samltool.com/validate_authn_req.php tool showed the following result:

    The SAML AuthN Request is invalid.

    Invalid SAML AuthN Request. Not match the saml-schema-protocol-2.0.xsd

    I have seen in other forum posts that there is a very similar (if not identical) issue with previous versions of ADFS v.2 and v.3) in which the ADFS server cannot correctly interpret the incoming SAML request from the requesting relying party trust. These are known issues and there are hotfixes for Windows Server 2008 R2 and 2012 R2 which fix the issues. 

    • https://social.msdn.microsoft.com/Forums/vstudio/en-US/7f8bd525-1903-4681-8101-30aaf5887767/adfs-20-and-shibboleth-integration?forum=Geneva
    • https://support.microsoft.com/en-us/help/2503351/ad-fs-2-0-does-not-parse-non-string-xml-attribute-values-in-saml-2-0-a
    • https://support.microsoft.com/en-ca/help/3033917/ad-fs-cannot-process-saml-response-in-windows-server-2012-r2

    Has this been resolved in Windows Server 2016 and ADFS 4.0? There is a list of required updates for ADFS: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/updates-for-active-directory-federation-services-ad-fs . I cannot find any similar fix for SAML. 

    Any ideas?

    Stefanos Evangelou

    Monday, October 16, 2017 11:26 AM