none
The multi-factor authentication is triggered for relaying party request on AD FS 3.0 for every 15 minutes RRS feed

  • Question

  • We have custom AD FS Adapter for multifactor authentication, one of our customers has issue with multi-factor authentication, the authentication request is triggered for every 15mins. But this behavior is inconsistent.

    Note: Customer has configured more than 30 relying parties with multiple authentication protocol (SAML,wsfed and OAuth 2.0).

    In the AD FS event logs we can see the below error:

    Event ID- 364 : Encountered error during federation passive request.

    Additional Data

    Protocol Name:

    wsfed

     

    Relying Party:  

    Exception details:

    Microsoft.IdentityServer.RequestFailedException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.

       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessErrorRequest(ErrorContext context)

       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)

       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)

     at microsoft.identityserver.web.passiveprotocollistener.ongetcontext(wrappedhttplistenercontext context)

    1. Event ID- 303 : The Federation Service encountered an error while processing the SAML authentication request.

    Additional Data
    Exception details:
    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
        )
    '. Ensure that the SecurityTokenResolver is populated with the required key.
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
       at System.Xml.XmlReader.ReadEndElement()
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
       at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)

    Event ID – 362: Encountered error during federation passive sign-out.

    Additional Data

    Exception details:

    Microsoft.IdentityServer.RequestFailedException: MSIS7054: The SAML logout did not complete properly.

       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)

       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)

     

    Event ID- 327: An error occurred during processing of the SAML logout request.

     

    Additional Data

    Caller identity: urn:samlprod:hpp:beaconhcs

    Logout initiator identity: http://<hostname>/adfs/services/trust

    Error message: MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.

    Exception details: 

    User Action

    Ensure that the single logout service is configured properly for this relying party trust or claims provider trust in the AD FS configuration database.

    Please suggest any solution/workaround.
    • Edited by LokanadhamR Tuesday, October 15, 2019 6:51 AM
    Tuesday, October 15, 2019 6:38 AM

All replies

  • By defaut ADFS issues a token valid for 1 hour.

    This token is sent to the application and the application usually issue a cookie (aka bootstrap cookie) to the user agent to avoid going back to the ADFS server for (at least) an hour.

    If the user is redirected to ADFS after less than 60 minutes, something in the application is triggering this. The logs shows a logout attempts. Is the user clicking on a link here or is the user redirected after an inactivity timeout?

    If you could take a fiddler trace when this happening that would be ideal to help you out (you could let it run until the problem shows...)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, October 17, 2019 1:12 AM
    Owner
  • Thanks Pierre Audonnet, customer is not ready to share the fiddler trace. Please suggest any other option for this.
    Friday, October 18, 2019 7:19 AM
  • Well, a Fiddler trace can be "sanitized": URL renamed, password removed etc... If that's the concern.

    I understand they might be reluctant to share on a public platform though. I would recommend to open a case with either the application vendor or with Microsoft. That's basically the only options when we can't access the actual data in a public space.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, October 18, 2019 1:50 PM
    Owner