SAML with an ADFS IdP, runtime error. The unsigned SP metadata was imported without problems into the ADFS IdP, but I'm facing a problem at runtime:
After IdP authentication, on successful authentication, on the IdP page I got a trust error like this:
The request specified an Assertion Consumer Service URL
'https://test.it/au/login' that is not configured on the relying party 'microsoft:identityserver:test.it'.
Assertion Consumer Service URL: https://test.it/au/login Relying party: microsoft:identityserver:test.it
that is a prefix match of the AssertionConsumerService URL 'https://test.it/au/login' specified by the request.
This request failed.
My SP metadata looks like this:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="test.it" entityID="test.it">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <!-- ds:KeyInfo (signing certificate) omitted in the post -->
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://test.it:443/au/login" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
I may add: if I start the auth process from /adfs/ls/idpinitiatedsignon.htm and choose my SP provider (so I have excluded problems with the saml2p:AuthnRequest), I get a POST redirect to https://test.it/au/lo gin". I wonder how my endpoint on the IdP ended up with blank spaces in it.
I found this article that seems to explain it: http://social.technet.microsoft.com/wiki/contents/articles/4039.ad-fs-2-0-the-request-specified-an-assertion-consumer-service-url-that-is-not-configured-on-the-relying-party.aspx In short it says:
There are two options:
Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest
Configure the RP to send an AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.
What do you think?
If I generate metadata with entityID="https://test.it:443/au/login" instead of entityID="test.it", could that avoid this security issue?
Or should I remove the AssertionConsumerService from the saml:request (is that possible by configuration)?
Or should the IdP manager do a better configuration?
Not sure if it's the same issue you're facing, but on my end with the same error, the problem was that I hadn't added my assertion endpoint on my service provider as a SAML Assertion Consumer Endpoint in AD FS on the identity provider.
Worth a shot, anyway :) In mmc on the IdP, add the AD FS snap-in. Then find your SP config under AD FS > Relying Party Trusts. Mine is called Test SSO. Right-click it, choose Properties, then on the Endpoints tab, check that your service provider assertion endpoint URL is listed under SAML Assertion Consumer Endpoints.
My working configuration was
Endpoint type: SAML Assertion Consumer
Binding: POST
Default: Yes
Index: 0
Trusted URL: https://1337.local/adfs/ls
And Trusted URL was my assertion endpoint on the SP, i.e. where ADFS posts the SAML payload once authenticated.
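The check behind both the error in the question and the Endpoints-tab advice in the answer is the IdP refusing to post an assertion to any AssertionConsumerServiceURL that is not registered for the relying party. The example below is added here and is not AD FS's code or anything from the question or answer; it models the situation in the question with constructed inputs: SP metadata whose ACS Location carries an explicit :443, and an AuthnRequest that names the same endpoint without the port. A byte-for-byte comparison (which is what the reported error reflects) rejects it; a canonical comparison that treats the default port as equivalent accepts it, while still rejecting anything that merely starts with the registered URL. The `normalize` rule and the `strict` flag are assumptions of this example, not documented AD FS behaviour.

```python
"""Validate an AuthnRequest's AssertionConsumerServiceURL against the ACS endpoints
registered for a relying party (hypothetical illustration, not AD FS's implementation)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed SP metadata modelled on the one in the question: note the explicit :443.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="test.it">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://test.it:443/au/login" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest: the SP library sends the endpoint without the port.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example-id" Version="2.0"
    IssueInstant="2013-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://test.it/au/login"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""


def registered_acs_urls(metadata_xml):
    """Every AssertionConsumerService Location in the SP metadata (what the RP trust's
    Endpoints tab ends up holding after the metadata import)."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]


def requested_acs_url(authn_request_xml):
    """The AssertionConsumerServiceURL the SP asked for in its AuthnRequest, if any."""
    return ET.fromstring(authn_request_xml).get("AssertionConsumerServiceURL")


def normalize(url):
    """Canonical form (assumed rule): lower-case scheme and host, drop the scheme's
    default port, discard any fragment. The path is kept exactly as given."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    return urlunsplit((scheme, netloc, p.path, p.query, ""))


def acs_allowed(requested, registered, strict=True):
    """True only if the requested URL equals one registered endpoint.
    strict=True compares strings byte for byte (the behaviour the error message in
    the question reflects); strict=False compares canonical forms. Prefix matching
    is deliberately not offered: it would let an assertion be posted to an
    unregistered location that merely shares a prefix with a registered one."""
    if strict:
        return requested in registered
    want = normalize(requested)
    return any(normalize(r) == want for r in registered)


if __name__ == "__main__":
    registered = registered_acs_urls(SP_METADATA)
    requested = requested_acs_url(AUTHN_REQUEST)
    print("registered:", registered)
    print("requested: ", requested)
    print("strict match:   ", acs_allowed(requested, registered))          # False: ':443' differs
    print("canonical match:", acs_allowed(requested, registered, False))   # True
```

Run as a script it shows the mismatch from the question: the only registered endpoint is `https://test.it:443/au/login`, the request names `https://test.it/au/login`, and the strict comparison fails. Either side of that comparison can be changed to fix it: re-import metadata whose Location has no explicit port, configure the SP to omit the port (or omit AssertionConsumerServiceURL entirely so the default endpoint is used), or add the exact requested URL as an additional SAML Assertion Consumer Endpoint on the RP trust.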