
Spring security SAML authentication failure with Microsoft ADFS

We are trying to use Spring Security to connect to a Microsoft ADFS server. We set up the Spring SAML sample application, as described in the Spring Security documentation, but we get the following errors on the ADFS server.

Exception details: 
    Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations.
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

And then:

The verification of the SAML message signature failed. 
Message issuer: http://adfs.xxxx.yyyy.com/adfs/services/trust 
Exception details: 
MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations. 

This request failed. 

User Action 
Verify that the message issuer configuration in the AD FS configuration database is up to date. 
Configure the signing certificate for the specified issuer. 
Verify that the issuer's certificate is up to date. 
Verify the issuer and server message signing requirements.

We already applied the above suggestions. There is no error message in the Spring Security logs.

The SAML specs (4.1.4.1 Usage) say:

Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion. This element MUST NOT contain any <SubjectConfirmation> elements. If the identity provider does not recognize the principal as that identity, then it MUST respond with a message containing an error status and no assertions.

Looks like the module may be violating that spec. Check and see if there is an option to avoid sending SubjectConfirmation elements to the IDP.
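An added example, not from the question, the answer or the Spring SAML project: a Python check that reverses the HTTP-Redirect binding encoding of a captured SAMLRequest query parameter and reports any SubjectConfirmation inside the AuthnRequest's Subject, which is the 4.1.4.1 rule ADFS enforces as MSIS7075. The sample AuthnRequest, its issuer and ACS URLs, and the encoder used to build the parameter are constructed for the demonstration.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_redirect_saml_request(param_value: str) -> bytes:
    """Reverse the HTTP-Redirect binding encoding of a SAMLRequest query parameter:
    URL-decode, base64-decode, then inflate raw DEFLATE (negative wbits = no zlib header)."""
    raw = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(raw, -15)

def find_subject_confirmations(authn_request_xml: bytes) -> list:
    """Return the Method of every SubjectConfirmation under the AuthnRequest's Subject.
    SAML Core 4.1.4.1 requires this list to be empty; ADFS rejects the request as MSIS7075 otherwise."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    subject = root.find("{%s}Subject" % SAML)
    if subject is None:  # a Subject is optional, so its absence is trivially compliant
        return []
    return [sc.get("Method", "") for sc in subject.findall("{%s}SubjectConfirmation" % SAML)]

def encode_redirect_saml_request(xml_bytes: bytes) -> str:
    """Forward HTTP-Redirect encoding, used here only to build a realistic sample parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

# Constructed sample (not captured from a real SP) that reproduces what ADFS complained about:
# a Subject carrying a SubjectConfirmation inside an AuthnRequest.
BAD_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0"'
    b' IssueInstant="2020-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example.com/saml/SSO">'
    b'<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    b'<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
    b'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
    b'</saml:Subject></samlp:AuthnRequest>'
)

if __name__ == "__main__":
    captured = encode_redirect_saml_request(BAD_REQUEST)  # what the browser would send to ADFS
    print(find_subject_confirmations(decode_redirect_saml_request(captured)))
```

Paste the real SAMLRequest value from the browser's redirect to ADFS into decode_redirect_saml_request to see whether the Spring SP is emitting the offending element.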
