Symptoms



  • AD FS 2.0 is the Relying Party (RP)
  • An error occurs while consuming a security token from a trusted Claims Provider (CP)
  • The AD FS 2.0 Tracing/Debug log shows an event similar to the following:


Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          4/8/2011 8:48:24 AM
Event ID:      47
Task Category: None
Level:         Error
Keywords:      ADFSSamlProtocol
User:          NETWORK SERVICE
Computer:      <DNS-Name>
Description:
Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolException: MSIS1022: Cannot process SAML Response from ''.
Inner exception: ID6008: Cannot resolve the '' URI in the signature to compute the digest.
   at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)


Cause



  • The Claims Provider is signing the protocol message (the SAML Response), the assertion, or both, but is not supplying an appropriate Reference URI value in the Signature section(s). The ID6008 text in the logged event shows the URI that AD FS 2.0 tried to resolve between the single quotes; here it is empty (''), so AD FS cannot locate the signed element and cannot compute the digest to verify the signature.


Resolution

  • The Claims Provider has the option of digitally signing the protocol message (the SAML Response), the assertion, or both
  • The SAML Response element is required to carry an ID attribute
  • The SAML Assertion element is required to carry an ID attribute
  • If the SAML Response is signed, the ds:Reference inside its ds:Signature must have a URI attribute equal to "#" followed by the Response ID value (a same-document reference)
  • If the SAML Assertion is signed, the ds:Reference inside its ds:Signature must have a URI attribute equal to "#" followed by the Assertion ID value
  • An empty or missing URI, as in the ID6008 event above, cannot be resolved by AD FS 2.0; the token is rejected before any claims are processed, because the Reference URI is what ties the signature to the element it is supposed to cover
  • The Claims Provider must make the change on its side so that the Reference URI is populated with the appropriate value; nothing in the Relying Party configuration substitutes for a correct reference in the token itself
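The rule above can be checked mechanically on a captured SAML Response before the Claims Provider's token ever reaches AD FS. The following Python script is an added example, not code from the original article or from AD FS: it parses a SAML 2.0 Response, finds every ds:Signature, and reports any whose ds:Reference URI is not exactly "#" plus the ID attribute of the element that encloses the signature (Response or Assertion). The two sample responses are constructed for the example and reuse the IDs and Issuer from the snippets in the More Information section; the failing sample reproduces the empty URI seen in the ID6008 text plus a reference that points at the wrong element. It checks reference structure only and does not verify the signature value.

```python
"""Pre-flight check for the AD FS 2.0 ID6008 / MSIS1022 condition: every
ds:Signature in a SAML 2.0 Response must carry a ds:Reference whose URI is
'#' + the ID attribute of the element that encloses the signature.

Added example; not code from the original article or from AD FS.  It checks
reference structure only and does not verify the signature value.  For
untrusted input swap xml.etree for defusedxml.ElementTree (same API).
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DS
REFERENCE_PATH = "{%s}SignedInfo/{%s}Reference" % (DS, DS)

# Reasons reported for a failing signature.
EMPTY_URI = "Reference URI is empty; AD FS 2.0 cannot resolve '' (ID6008)"
MISMATCHED_URI = "Reference URI does not equal '#' + enclosing element ID"
MISSING_ID = "signed element has no ID attribute"
MISSING_REFERENCE = "Signature has no ds:SignedInfo/ds:Reference"


def local_name(tag):
    """'{urn:...:protocol}Response' -> 'Response'."""
    return tag.rsplit("}", 1)[-1]


def check_signature_references(saml_xml):
    """Return a list of (element, id, uri, reason) tuples, one per defect.

    An empty list means every signature references its enclosing element's
    ID, which is the condition the Resolution section describes.
    """
    root = ET.fromstring(saml_xml)
    problems = []
    for element in root.iter():
        # Only a Signature that is a direct child of an element signs it.
        for signature in element.findall(SIGNATURE_TAG):
            name = local_name(element.tag)
            element_id = element.get("ID")
            if element_id is None:
                problems.append((name, None, None, MISSING_ID))
                continue
            references = signature.findall(REFERENCE_PATH)
            if not references:
                problems.append((name, element_id, None, MISSING_REFERENCE))
            for reference in references:
                uri = reference.get("URI", "")  # absent attribute == empty
                if uri == "":
                    problems.append((name, element_id, uri, EMPTY_URI))
                elif uri != "#" + element_id:
                    problems.append((name, element_id, uri, MISMATCHED_URI))
    return problems


# Constructed sample: Response and Assertion both signed, both references
# correct.  IDs and Issuer are taken from the article's snippets; the
# SignatureValue is a placeholder because only structure is checked here.
GOOD_RESPONSE = """\
<samlp:Response ID="_c7055387-af61-4fce-8b98-e2927324b306" Version="2.0"
    IssueInstant="2011-04-04T00:46:02Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://www.contoso.com/IDP</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_c7055387-af61-4fce-8b98-e2927324b306"/>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" Version="2.0"
      IssueInstant="2011-04-04T00:46:02Z">
    <saml:Issuer>https://www.contoso.com/IDP</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc"/>
      </ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed failing sample: the Response signature has an empty URI (the
# ID6008 case) and the Assertion signature points at the Response ID.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    'URI="#_c7055387-af61-4fce-8b98-e2927324b306"', 'URI=""'
).replace(
    'URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc"',
    'URI="#_c7055387-af61-4fce-8b98-e2927324b306"',
)

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        for name, element_id, uri, reason in check_signature_references(xml):
            print("%s: <%s ID=%r> URI=%r: %s" % (label, name, element_id, uri, reason))
```

Run it against a SAML Response captured from the Claims Provider (for example from the browser's POST to the AD FS /adfs/ls/ endpoint, base64-decoded). Any line it prints is something the Claims Provider has to fix; a clean run only means the references are well-formed, not that the signature is cryptographically valid or that the signing certificate is the one AD FS trusts for that Claims Provider.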


More Information



Snippet of appropriate signed SAML Response. Note that the ds:Reference URI is "#" followed by the Response ID. (Both snippets date from 2011 and show rsa-sha1 as the SignatureMethod; the Reference URI requirement does not depend on the signature algorithm, and new deployments should sign with rsa-sha256.)

<Response IssueInstant="2011-04-04T00:46:02Z" Version="2.0"
    ID="_c7055387-af61-4fce-8b98-e2927324b306"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://www.contoso.com/IDP</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_c7055387-af61-4fce-8b98-e2927324b306">
        <ds:Transforms>
        ....





Snippet of appropriate signed SAML Assertion. Note that the ds:Reference URI is "#" followed by the Assertion ID:

<Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2011-04-04T00:46:02Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>https://www.contoso.com/IDP</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
      ....