ADFS spring-saml No AssertionConsumerService is configured on the relying party

alessandro77 · May 20, 2015 · Viewed 15.7k times

SAML with an ADFS IdP, runtime error: the SP's unsigned metadata was imported without problems into the ADFS IdP, but I'm facing a problem at run time:

After IdP authentication, on successful authentication, on the IdP page I got a trust error like this:

The request specified an Assertion Consumer Service URL 'https://test.it/au/login' that is not configured on the relying party 'microsoft:identityserver:test.it'.
Assertion Consumer Service URL: https://test.it/au/login
Relying party: microsoft:identityserver:test.it
that is a prefix match of the AssertionConsumerService URL 'https://test.it/au/login' specified by the request.
This request failed.

My SP metadata looks like this:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="test.it" entityID="test.it">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <!-- key material omitted in the original post -->
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.it:443/au/login" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

I may add: if I start the auth process from /adfs/ls/idpinitiatedsignon.htm and I choose my SP (so I have excluded problems in the saml2p:AuthnRequest), I get a POST redirect to "https://test.it/au/lo gin". I wonder how it is that my endpoint on the IdP has blank spaces in it.

I found this article that seems to explain it: http://social.technet.microsoft.com/wiki/contents/articles/4039.ad-fs-2-0-the-request-specified-an-assertion-consumer-service-url-that-is-not-configured-on-the-relying-party.aspx In short it says:

There are two options:

  1. Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest

  2. Configure the RP to send an AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.

What do you think?

If I generate metadata with entityID="https://test.it:443/au/login" instead of entityID="test.it", could that avoid this security issue?

Or should I remove the AssertionConsumerService from the saml:request (is that possible by configuration)?

Or should the IdP manager do a better configuration?

Answer

DanielSmedegaardBuus · Sep 15, 2015

Not sure if it's the same issue you're facing, but on my end with the same error, the problem was that I hadn't added my assertion endpoint on my service provider as a SAML Assertion Consumer Endpoint in AD FS on the identity provider.

Worth a shot, anyway :) In MMC on the IdP, add the AD FS snap-in. Then find your SP config under AD FS > Relying Party Trusts. Mine is called Test SSO. Right-click it, choose Properties, then on the Endpoints tab, check that your service provider assertion endpoint URL is listed under SAML Assertion Consumer Endpoints.

My working configuration was

Endpoint type:        SAML Assertion Consumer
Binding:              POST
Default:              Yes
Index:                0
Trusted URL:          https://1337.local/adfs/ls

And Trusted URL was my assertion endpoint on the SP, i.e. where ADFS posts the SAML payload once authenticated.
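The check from the question (does the ACS URL in the AuthnRequest match what the SP metadata declares and what the relying party trust has configured?) and the fix from the answer (add the SP's assertion endpoint as a SAML Assertion Consumer endpoint on the trust), as an added PowerShell example that is not code from either post. It reads the AssertionConsumerService Location out of the SP metadata, lists the endpoints on the relying party trust, compares the request's ACS URL against them both as a plain string and as a System.Uri, and appends the missing endpoint. The trust name 'Test SSO' and the URLs are taken from the posts above; the metadata path is made up, and the script assumes an elevated PowerShell session on the AD FS server.

```powershell
# Added example, not from the question or the answer above.
# Assumptions: RP trust display name 'Test SSO' (from the answer), the
# ACS URLs from the question, a made-up metadata path, elevated session
# on the AD FS server.
param(
    [string]$RelyingPartyName = 'Test SSO',
    [string]$MetadataPath     = 'C:\temp\sp-metadata.xml',
    [string]$RequestedAcsUrl  = 'https://test.it/au/login'   # value from the AD FS error text
)

# AD FS 2.0 ships its cmdlets as a snap-in; AD FS 2.1 and later as a module that loads on demand.
if (-not (Get-Command Get-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# 1. ACS endpoints the SP declares in its metadata (the question's shows https://test.it:443/au/login).
[xml]$metadata = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$metadataAcs = @($metadata.SelectNodes('//md:SPSSODescriptor/md:AssertionConsumerService', $ns) |
    ForEach-Object { $_.GetAttribute('Location') })
Write-Host "ACS Locations in SP metadata : $($metadataAcs -join ', ')"

# 2. SAML Assertion Consumer endpoints currently configured on the relying party trust
#    (the same list the Endpoints tab in the AD FS MMC snap-in shows).
$rp = Get-ADFSRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found" }
$configuredAcs = @($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' })
Write-Host "ACS endpoints on the RP trust: $(($configuredAcs | ForEach-Object { "$($_.Location)" }) -join ', ')"

# 3. Compare the requested ACS URL against the configured ones two ways:
#    as the configured string, and as a URI (System.Uri drops an explicit default
#    port, so https://test.it:443/au/login and https://test.it/au/login are equal as URIs
#    but not as strings).
$exactMatch = @($configuredAcs | Where-Object { "$($_.Location)" -eq $RequestedAcsUrl })
$uriMatch   = @($configuredAcs | Where-Object { ([Uri]"$($_.Location)").Equals([Uri]$RequestedAcsUrl) })

if ($exactMatch.Count -gt 0) {
    Write-Host "'$RequestedAcsUrl' is already configured on '$RelyingPartyName'; the mismatch is elsewhere."
    return
}
if ($uriMatch.Count -gt 0) {
    $near = "$($uriMatch[0].Location)"
    Write-Warning "'$RequestedAcsUrl' equals the configured '$near' as a URI but not as a string; AD FS rejected the request with that value, so it is added explicitly below."
}
if ($metadataAcs -notcontains $RequestedAcsUrl) {
    Write-Warning "The SP metadata does not declare '$RequestedAcsUrl' either; the SP's metadata and its AuthnRequest disagree about the ACS URL."
}

# 4. Append the requested ACS URL as an additional HTTP-POST endpoint.
#    -SamlEndpoint replaces the whole list, so the existing endpoints are passed along with the new one.
$nextIndex = 0
if ($rp.SamlEndpoints) {
    $nextIndex = ($rp.SamlEndpoints | Measure-Object -Property Index -Maximum).Maximum + 1
}
$newEndpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $RequestedAcsUrl -Index $nextIndex -IsDefault $false
Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -SamlEndpoint (@($rp.SamlEndpoints) + $newEndpoint)
Write-Host "Added SAML Assertion Consumer endpoint $RequestedAcsUrl (POST, index $nextIndex) to '$RelyingPartyName'."
```

The two comparisons in step 3 are the point of the script: a browser and .NET's Uri treat `https://test.it:443/au/login` and `https://test.it/au/login` as the same endpoint, but the error quoted in the question shows AD FS rejecting the second when the metadata-imported trust only carried the first, so the value the request actually sends has to appear on the Endpoints tab character for character. Adding it as a second endpoint keeps the original metadata-derived entry intact; if the SP is later changed to emit one consistent form, the extra entry can be removed the same way.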