An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder

Hello,

I’m trying to integrate the Example Service Provider with ADFS 2.0 using SAML 2.0. I’m getting the exception when ADFS posts the successful authentication response back to the Example Service Provider.
The integration flow is as below.
SP initiated SSO → ADFS → Identity provider for authentication.
IdP sends authentication response to ADFS → ADFS has to post the response back to SP.

An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder

Stack Trace:

[SAMLErrorStatusException: An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder]
   ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:602
   ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:978
   ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, IDictionary& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:396
   ExampleServiceProvider.SAML.AssertionConsumerService.Page_Load(Object sender, EventArgs e) in D:\Skure-me\example\Examples\SSO\HighLevelAPI\WebForms\ExampleServiceProvider\SAML\AssertionConsumerService.aspx.cs:22
   System.Web.UI.Control.OnLoad(EventArgs e) +103
   System.Web.UI.Control.LoadRecursive() +68
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3811

Help on this is highly appreciated.
Thanks,
Naveen

Hi Naveen
ADFS is returning an error SAML response. The status code “Responder” is a generic value.
You need to ask the ADFS admin to check the ADFS-specific Windows event log.
There should be one or more error events related to this SSO attempt.
These should provide the details of the error.
The most likely problem is a configuration mismatch.
If you’re not sure how to interpret the event log entries, you’re welcome to post them here or contact us by email.
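The reply above makes two points: the top-level status code in the response is generic, and the real reason lives in the ADFS event log. The following PowerShell is an added example, not code from the thread or from ComponentSpace, that decodes a SAMLResponse POST value and prints the full status hierarchy (top-level code, sub-status, StatusMessage), then pulls recent error events from the ADFS admin log on the ADFS server. The sample response, the function names and the event log name are assumptions; the log name 'AD FS 2.0/Admin' is what ADFS 2.0 uses, later versions use 'AD FS/Admin'.

```powershell
# Added example (not from the original thread or from ComponentSpace).
# Decode the base64 SAMLResponse that ADFS POSTs to the ACS and report its status.
function Get-SamlResponseStatus {
    param(
        # Base64-encoded SAMLResponse form value exactly as received in the POST body
        [Parameter(Mandatory)][string]$SamlResponseBase64
    )
    $bytes   = [Convert]::FromBase64String($SamlResponseBase64)
    $xmlText = [Text.Encoding]::UTF8.GetString($bytes)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xmlText)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    # SAML 2.0 allows a nested StatusCode (the sub-status) and an optional StatusMessage;
    # both are frequently more informative than the generic Responder/Requester value.
    $topCode = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    $subCode = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/samlp:StatusCode', $ns)
    $message = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusMessage', $ns)
    $issuer  = $doc.SelectSingleNode('/samlp:Response/saml:Issuer', $ns)

    [pscustomobject]@{
        Issuer        = if ($issuer)  { $issuer.InnerText } else { $null }
        InResponseTo  = $doc.DocumentElement.GetAttribute('InResponseTo')
        StatusCode    = if ($topCode) { $topCode.GetAttribute('Value') } else { $null }
        SubStatusCode = if ($subCode) { $subCode.GetAttribute('Value') } else { $null }
        StatusMessage = if ($message) { $message.InnerText } else { $null }
        IsSuccess     = ($topCode -and
                         $topCode.GetAttribute('Value') -eq 'urn:oasis:names:tc:SAML:2.0:status:Success')
        HasAssertion  = ($null -ne $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns))
    }
}

# On the ADFS server (run elevated): the most recent Error-level events from the
# ADFS admin log. Level 2 is the Windows event log "Error" level.
# 'AD FS 2.0/Admin' is assumed here for ADFS 2.0; ADFS 3.0 and later use 'AD FS/Admin'.
function Get-AdfsRecentErrors {
    param([string]$LogName = 'AD FS 2.0/Admin', [int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2 } -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample: an error response shaped like the one in the thread
# (no assertion, top-level status Responder). Real responses also carry an XML signature.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-response-id" Version="2.0"
                IssueInstant="2019-04-03T00:00:00Z"
                InResponseTo="_example-authnrequest-id">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>
"@
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Get-SamlResponseStatus -SamlResponseBase64 $sampleB64 | Format-List
```

For the constructed sample the output shows StatusCode = Responder, no sub-status, no StatusMessage and HasAssertion = False, which is exactly why the SP side cannot say more than "an error status was received" and the ADFS event log has to be consulted.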

Hello,
I am having a similar issue with an Identity Provider (let us say IdP X) and they have shared the Event Log details for the error. I am attaching the screenshots here. According to them the certificate we have provided is not valid or has expired. But we have provided them with the same certificate that we gave to other Identity Providers who have not reported any issue, and SSO and SLO are working fine for them.

Refer to the screenshots from IdP X and our own screenshots of the certificate.
https://www.componentspace.com/Forums/Uploads/Images/12782ae0-509a-4a65-82cb-cb32.png

And screenshots of the certificate in question at our end.


Please help in finding the problem here.

Thanks

I suspect one or more of the Digicert certificates are not stored in the ADFS server’s Windows certificate store.
ADFS validates the certificate chain. Not all IdPs do this as it’s quite common to use self-signed certificates.
I suggest supplying the full certificate chain to the IdP so they can import all the certificates.

[quote]
ComponentSpace - 4/3/2019
I suspect one or more of the Digicert certificates are not stored in the ADFS server's Windows certificate store.
ADFS validates the certificate chain. Not all IdPs do this as it's quite common to use self-signed certificates.
I suggest supplying the full certificate chain to the IdP so they can import all the certificates.

[/quote]

I am not sure what you mean by full certificate chain. Can you please explain a little, and how can I supply the full chain of certificates?
What we usually do is send the IdP a .CER file that is being used, which they configure in their ADFS for Signing and Encryption. Please suggest.

Thanks

The full certificate chain includes the DigiCert intermediate and root certificates.
These certificates must be installed on the ADFS server so it can validate the certificate chain.
You might find that the root certificate already is installed in the ADFS server’s certificate store under the Trusted Root Certification Authorities folder.
However, the intermediate DigiCert certificate presumably isn’t.
This should be stored in the Intermediate Certification Authorities folder in the ADFS server’s certificate store.
I suggest exporting both of these DigiCert certificates from your certificate store as base-64 encoded .CER files and supplying them to the ADFS server admin.
They should import them into their Windows certificate store as described above.
Once done, the certificate path should be the same as you see and with the “certificate is OK” status.
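The steps above (build the path from the SP certificate, export the intermediate and root as base-64 .CER files, import them into the Intermediate Certification Authorities and Trusted Root Certification Authorities folders on the ADFS server, confirm the path validates) can be scripted. The following PowerShell is an added example, not code from the thread or from ComponentSpace; the thumbprint, output folder and file names are placeholders, and the import commands are shown as comments since they run on the ADFS server, not the SP.

```powershell
# Added example (not from the original thread or from ComponentSpace).
# SP side: build the chain for the SP signing certificate and export every
# certificate above the leaf (intermediates, then root) as base-64 .CER files.
function Export-CertificateChain {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,            # SP signing cert thumbprint (placeholder)
        [string]$StoreLocation = 'LocalMachine',             # store holding the SP certificate
        [string]$OutputFolder  = 'C:\temp\sp-cert-chain'     # placeholder output folder
    )
    $leaf  = Get-ChildItem -Path "Cert:\$StoreLocation\My\$Thumbprint" -ErrorAction Stop
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the path is needed here, so skip online revocation checks.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        # A partial chain on the SP itself is the first thing to fix before sending anything.
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "Chain status: $($s.Status) - $($s.StatusInformation)"
        }
    }
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $exported = @()
    # ChainElements[0] is the leaf; elements 1..n-1 are the intermediates and finally the root.
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $cert = $chain.ChainElements[$i].Certificate
        $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        # Base-64 encoded X.509 (.CER), the format the Windows certificate import wizard accepts.
        $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
                [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
                "`r`n-----END CERTIFICATE-----"
        $name = ($cert.Subject -replace '[^A-Za-z0-9]+', '_').Trim('_')
        $path = Join-Path $OutputFolder "$name.cer"
        Set-Content -Path $path -Value $pem -Encoding ascii
        $isRoot = ($cert.Subject -eq $cert.Issuer)
        $exported += [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            Role      = if ($isRoot) { 'Root (import into Trusted Root CAs)' } else { 'Intermediate (import into Intermediate CAs)' }
            File      = $path
        }
    }
    $exported
}

# ADFS side: confirm that a received SP certificate (.cer) now validates against the
# local machine store, i.e. the "certificate is OK" state the thread refers to.
function Test-CertificateChain {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($cert)
    [pscustomobject]@{
        Valid    = $valid
        Path     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Problems = @($chain.ChainStatus   | ForEach-Object { "$($_.Status): $($_.StatusInformation)" })
    }
}

# Usage on the SP (placeholder thumbprint):
#   Export-CertificateChain -Thumbprint '0000000000000000000000000000000000000000' | Format-Table -AutoSize
# Usage on the ADFS server, after copying the exported files there (store names are the
# standard Windows ones: CA = Intermediate Certification Authorities, Root = Trusted Root CAs):
#   certutil -addstore CA   C:\temp\sp-cert-chain\<intermediate>.cer
#   certutil -addstore Root C:\temp\sp-cert-chain\<root>.cer
#   Test-CertificateChain -CerPath C:\temp\sp-cert-chain\<sp-signing>.cer
```

Test-CertificateChain run before the import is expected to report Valid = False with a PartialChain or UntrustedRoot status; after the intermediate and root are in their respective folders it reports Valid = True with the full path from the SP certificate up to the DigiCert root, matching the path shown in the SP's own certificate viewer.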

OK, got it. Thanks for your support.



You’re welcome.