IDP (ADFS) Reporting Error during SP InitiateSLO

I’m building an application (Service Provider) that works with an IDP (ADFS based) that I don’t control. I set up the saml.config and am successfully logging into my application, having been authenticated by the IDP. In other words, my AssertionConsumerService.aspx is being called properly. However, when a user logs out and I call InitiateSLO, I get redirected to an IDP error page. The owner of the IDP reports the error log entry showing the following type of message related to this error:

The request specified an Assertion Consumer Service URL ‘http://localhost/SAML/AssertionConsumerService.aspx’ that is not configured on the relying party ‘https://myspplication.com’.

The metadata entry I provided to the IDP for AssertionConsumerService looks like the following:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myapplication.com/SAML/AssertionConsumerService.aspx" index="0" isDefault="true" />

My saml.config looks like the following:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <ServiceProvider
    Description="MyApplication">
    <LocalCertificates>
      <Certificate FileName="Certificates\myapplication.pfx" Password="myapplicationpassword"/>
    </LocalCertificates>
  </ServiceProvider>

  <PartnerIdentityProviders>
    <PartnerIdentityProvider
      Description="MyIDP Provider"
      SignAuthnRequest="true"
      SingleSignOnServiceUrl="https://myidp.com/adfs/ls/"
      SingleLogoutServiceUrl="https://myidp.com/adfs/ls/">
      <PartnerCertificates>
        <Certificate FileName="Certificates\MyIDPSigningCert.cer"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>


I’m using InitiateSLO, so the component is creating the request. Any thoughts on where the localhost path is coming from in the reported error? It is not anything that I specified.

Any help would be appreciated.

The error about the assertion consumer service URL can occur during SP-initiated SSO rather than SLO. The SAML authn request that’s sent when you call SAMLServiceProvider.InitiateSSO includes your assertion consumer service URL. This URL is the AssertionConsumerServiceUrl from your saml.config. Alternatively, there is a SAMLServiceProvider.InitiateSSO overload where you can specify this URL.

ADFS performs a check when processing the SAML authn request. The specified assertion consumer service URL must match one of the URLs configured for your relying party. If it doesn’t, it logs the error you see and returns a SAML response with an error status.

When you call SAMLServiceProvider.ReceiveSSO, if the SAML response status isn’t success we throw an exception.

Please check that you’re not specifying the assertion consumer service URL as a parameter to SAMLServiceProvider.InitiateSSO.

Are you seeing an exception being thrown by SAMLServiceProvider.ReceiveSSO?

For SLO, ADFS requires that the SAML logout messages are signed.

Please update your saml.config to specify SignLogoutRequest=“true” and SignLogoutResponse=“true” for your .

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
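
Added example, not part of the original thread and not ComponentSpace code: a Python sketch that decodes the SAMLRequest from an HTTP-Redirect URL sent by the SP and reports the two conditions discussed above, an AssertionConsumerServiceURL missing from the SP metadata and a logout request without a signature. All function names and the sample messages are constructed for illustration; only the URLs come from the thread.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def registered_acs_urls(metadata_xml):
    """ACS Locations that the SP metadata registers with the IdP."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")}

def decode_redirect(url):
    """HTTP-Redirect binding: SAMLRequest is URL-encoded base64 of raw DEFLATE."""
    query = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    return ET.fromstring(xml), query  # only parse your own SP's traffic this way

def check_redirect(url, acs_urls):
    """List rejection causes from this thread (signature presence only, not validity)."""
    msg, query = decode_redirect(url)
    problems = []
    if msg.tag == f"{{{SAMLP}}}AuthnRequest":
        acs = msg.get("AssertionConsumerServiceURL")
        if acs is not None and acs not in acs_urls:
            problems.append(f"ACS URL not registered: {acs}")
    elif msg.tag == f"{{{SAMLP}}}LogoutRequest":
        if "Signature" not in query or "SigAlg" not in query:
            problems.append("LogoutRequest is not signed")
    return problems

def sample_url(xml):
    """Build a constructed redirect URL for the samples below."""
    c = zlib.compressobj(wbits=-15)
    b64 = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return "https://myidp.com/adfs/ls/?SAMLRequest=" + quote(b64, safe="")

# Constructed samples, using the URLs quoted in the thread.
METADATA = (f'<md:SPSSODescriptor xmlns:md="{MD}"><md:AssertionConsumerService '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0" '
            'Location="https://myapplication.com/SAML/AssertionConsumerService.aspx"/>'
            '</md:SPSSODescriptor>')
AUTHN = sample_url(f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a1" Version="2.0" '
                   'AssertionConsumerServiceURL='
                   '"http://localhost/SAML/AssertionConsumerService.aspx"/>')
LOGOUT = sample_url(f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_b2" Version="2.0"/>')

if __name__ == "__main__":
    print(check_redirect(AUTHN, registered_acs_urls(METADATA)))
```

To use it on a real deployment, pass the redirect URL captured from the browser's network tab and the metadata file that was given to the IdP owner.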