Requested Authentication Method is not supported on the STS

windows-authentication saml saml-2.0 adfs adfs3.0
Rastko picture Rastko · Jun 21, 2015 · Viewed 7.7k times · Source

Our Java app is federated with customers ADFS 3.0 server. There is an issue after sending authentication requests (SP initiated) to ADFS server over SAMLP. It is for intranet use case, where windows authentication was specified on ADFS server in authentication policy. SP app is using ForgeRock's Fedlet library that is forcibly sending RequestedAuthnContext attribute withing SAML authentication request :

samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                             Comparison="exact"
                             >
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

We had initially also issue with extranet authentication, where Forms authentication was selected on ADFS. We have solved that with adding Claim custom rule for our RP :

exists([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password");

Now we are stacked down with intranet use case. On ADFS side we got following error :

MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Could I add/do something for it ? Is it possible to say in custom rules IF IT IS INTRANET, AUTH METHOD IS WINDOWS or something like that?

Answer

Andrew K. picture Andrew K. · Jun 21, 2015

You could always try authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified", which should let the IdP choose whatever it can use. As the SP, you don't really know (and should you care?) which methods are available to the IdP...

Related questions

Connection string using Windows Authentication

I am creating a website, but in the database I use windows authentication. I know that you use this for SQL authentication <connectionStrings> <add name="NorthwindContex" connectionString="data source=localhost; initial catalog=northwind;persist security info=True; …

Read More
Receiving login prompt using integrated windows authentication

I have a .NET 3.5 application running under IIS 7 on Windows 2003 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other …

Read More
IIS7 folder permissions for web application

I am using windows authentication without impersonation on my company's intranet website with IIS7. Under IIS7, what account is used to access the folder which contains my web app using these settings? Would it be IIS_IUSRS? Or NETWORK SERVICE? …

Read More