stackoom
  简体   繁体   中英

Why signature need in SAML request for ADFS?

 原文  2015-12-02 10:09:32       request/ saml/ saml-2.0/ sign/ adfs2.0

Question

Following is the SAML request send to ADFS 

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_84e533b7-4310-41de-8ec7-0af7afeb7979" Version="2.0" IssueInstant="2015-12-02T09:44:30Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://XXXX.YYYY.ZZZZ/adfs/ls/" AssertionConsumerServiceURL="http://PPP.QQQ.RRR/SPDemo/Consume.aspx">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://XXXX.YYYY.ZZZZ/adfs/services/trust</saml:Issuer>
</samlp:AuthnRequest>

After compressing and converting to Base64String it is redirected to ADFS. URL shown below with SAML request

https://XXXX.YYYY.ZZZZ/adfs/ls/?SAMLRequest=hZHNbsIwEIRfJfLdsfODAhZEouVQJKpGJO2hl8okS7Ga2KnXoTx%2bA0kluNCjrflmZ3bnKJu6FcvOHfQWvjtA561XC%2fIxjWESRbuExlHAaRxUQKdQJpTLfSL3sEtmyYx4b2BRGb0goc%2bJt0bsYK3RSe36Lx5MaBBSHhZ8JuJYRPydeJk1zpSmflC6UvpzQTqrhZGoUGjZAApXinz5vBG9o9gNIhRPRZHR7CUviLfqIyot3WXswbkWBWMaj%2fQn%2fAo5n9rQr6zqNX5tSlkzWe2R1ciIt0QEe%2bYejcauAZuDPaoSXrebwak3GtAjba2pgujWKc9W0Bg20r7E9kS8U1NrFJct3u%2fSjsVJOj%2brxWVZ9oq%2fj8u%2f8CQdo%2f7XGYd2yJzt0M3Z1dR0eN3ePf0F

But I am getting following error 在此处输入图片说明

Checking for detail error in Event Viewer I got 在此处输入图片说明

It seems that the server required the signed SAML request but I haven't mentioned anywhere that signed SAML request is required. Also SignedSamlRequestsRequired property is set to false 在此处输入图片说明

So, Why ADFS 2.0 is asking for signed SAML request ?

Is there anything that is needed to be done so that signed SAML request is not required or if required what will be the value of signature that will signed the SAML request?

1 answers

solution1
 1 ACCPTED  2015-12-03 05:53:27

I am able to solved it.

The problem was with wrong setting of issuer in SAML request.

After setting the appropriate issuer,ie http://PPP.QQQ.RRR/SPDemo , as shown in following SAML Request I am able to do SP-Initiated login without any ADFS error 

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_bd613bda-e506-4747-91c7-96a4d75c67fc" Version="2.0" IssueInstant="2015-12-03T05:51:52Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://XXXX.YYYY.ZZZZ/adfs/ls/" AssertionConsumerServiceURL="https://PPP.QQQ.RRR/SPDemo//Consume.aspx">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://PPP.QQQ.RRR/SPDemo</saml:Issuer>
</samlp:AuthnRequest>

Previously used wrong issuer was http://XXXX.YYYY.ZZZZ/adfs/services/trust

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Does ADFS 3.0 honor the Subject attribute sent in SAML Request? Saml Authentication Request Protocol Id Why does Sinatra need to rewind the request body? Why need to set limit with http request header? Where is the saml authentication request is getting generated in Spring Security Saml Sample How to make a simple SAML request with PHP? Why do we need specific classes to work with Request and Response? WSO2 IS 4.6.0: Composition of Signed SAML Authentication Request Validate signature-message before request-body validation in Connexion request canceled - what is it and why?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM