Integrating with ADFS v3.0 (Malformed reference element)

Having some trouble getting a Windows Server 2012 R2 implementation of ADFS playing nicely with ComponentSpace for ASP.NET (v2.6.0.19).
I’ve successfully “paired” our Service Provider (component space) with ADFS as an IDP using a metadata exchange and the Relying Party is showing up in ADFS.
When our SP generates an AuthNRequest, I get a “generic” error back from ADFS saying the following:

[quote]Encountered error during federation passive request.
Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)[/quote]

That’s all the logs show, and I’ve checked that the EntityIDs match the AuthNRequest Issuer amongst many other things, but the ADFS logging is rather useless even at its most verbose.

So, I decided to try an IdP-initiated workflow and although the Assertion looks correct (received on our ACS URL), I’m getting an exception (ComponentSpace.SAML2.Exceptions.SAMLSignatureException) thrown by SAMLMessageSignature.Verify(…) - the actual innerException is: “Malformed reference element.”

The Assertion looks like this (signatures and digests shortened for readability):
[quote]
<!-- outer element tags were lost in the forum rendering and are restored here without their attributes -->
<Assertion ID="_6c679acf-4a1c-4aae-bdf4-579e432c78ba" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://adfs.domain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_6c679acf-4a1c-4aae-bdf4-579e432c78ba">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>p7pK6RMhT1sI3+hTTT11ZsfKYUxE9vaM9b2WXanT+dw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gxvwF0XeQo0vPZXvOm5GpUK/teZgAYU09ZWoXxpFROJUjeQffu1FE4STMLgHIZXHsnbN5vxTw4nIF…csumMPcHIff0UHM7Xr0cPI0p4yYfaVo+CkIyXagsKJ5JBO9fizDPKNVqiV7cK2hojk2Th2a0lp0A==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC3DCCAcSgAwIBAgIQfAAuvmvbEqNAtuc/X4WBTD…+07wUGdAGhUp6a5sktB4zcA==</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>validuser@domain.int</NameID>
<SubjectConfirmation>
<SubjectConfirmationData NotOnOrAfter="2017-10-30T14:17:50.355Z" Recipient="https://test-sp.domain.com/authentication/saml/AssertionConsumerService"/>
</SubjectConfirmation>
</Subject>
<Conditions>
<AudienceRestriction>
<Audience>https://test-sp.domain.com/authentication/saml/metadata/683c41c6-ff57-41b6-a649-3870044656e8</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement>
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
[/quote]


I’ve also read your new ADFS integration document which confirms I’m setting things up correctly as far as I can see.
Any help would be greatly appreciated.

[quote]
neilp - 10/30/2017
Having some trouble getting a Windows Server 2012 R2 implementation of ADFS playing nicely with ComponentSpace for ASP.NET (v2.6.0.19) [...]
[/quote]

I've figured out that I was trying to verify an assertion signature using the static class SAMLMessageSignature, which throws this exception. I realised that I need to be using SAMLAssertionSignature.Verify(...), which throws this exception.

Now I can verify and parse the assertion, I still have the first problem.
I've successfully sent a valid AuthNRequest to Okta, which works fine, so I don't think that there's a problem with the format of the request with ADFS, but clearly there's something wrong as I still get the message about "registered protocol handlers". Thanks...
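The fix in the post above comes down to which element the enveloped signature covers: in the assertion quoted earlier the ds:Reference URI names the Assertion's ID, so it is the Assertion, not the surrounding Response, that must be handed to the verifier. The following is an added example, not ComponentSpace's or the poster's code; it runs over a constructed sample Response (the Response ID and the trimmed-down Signature are made up) and checks, for every Signature, that its Reference URI resolves to exactly one element and that this element is the Signature's own parent, which also flags duplicate IDs and references pointing elsewhere in the document.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample, not the post's full assertion: a Response whose only
# signature is the enveloped one ADFS places inside the Assertion, so the
# Reference URI names the Assertion ID and not the Response ID.
SAMPLE = """<samlp:Response ID="_response1" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Assertion ID="_6c679acf-4a1c-4aae-bdf4-579e432c78ba" Version="2.0">
    <Issuer>http://adfs.domain.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_6c679acf-4a1c-4aae-bdf4-579e432c78ba"/>
      </ds:SignedInfo>
    </ds:Signature>
  </Assertion>
</samlp:Response>"""


def signed_elements(xml_text):
    """Return [(reference_uri, signed_tag, ok)] for every ds:Signature in the document.

    ok is True only when the Reference URI is a same-document reference that
    resolves to exactly one element carrying that ID, and that element is the
    Signature's own parent: the shape of an enveloped signature over an
    Assertion or a Response. Duplicate IDs, an external URI, or a reference to
    some other element are reported as not ok rather than accepted.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: p for p in root.iter() for child in p}
    results = []
    for sig in root.iter(DS + "Signature"):
        ref = sig.find(DS + "SignedInfo/" + DS + "Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        if not uri.startswith("#"):
            results.append((uri, None, False))  # empty or external URI: not enveloped
            continue
        matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
        signed_tag = matches[0].tag if len(matches) == 1 else None
        ok = len(matches) == 1 and matches[0] is parent_of.get(sig)
        results.append((uri, signed_tag, ok))
    return results


if __name__ == "__main__":
    for uri, tag, ok in signed_elements(SAMPLE):
        print(f"{uri} -> {tag} ({'ok' if ok else 'MISMATCH'})")
```

Running it on the sample reports the Assertion element as the signed one; point the same check at a real Response and it tells you which element to pass to the verifier.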

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning this forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
I’d like to see the authn request being sent to ADFS.
Are there any other related error entries in the Windows event log on the ADFS server?

After working with Mitchell from ComponentSpace (seriously awesome support from this guy!), I finally discovered what the problem was.
ADFS is picky about what it accepts as a valid request, and the error
[quote]MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.[/quote] happens for almost any reason. This can be that the time on the server is different from the IssueInstant, or that there are duplicate cookies, etc., etc.

My product does not use the ComponentSpace API to output the form which ultimately POSTs to the Identity Provider; because of this, a small typo crept in and caused the whole problem.
The form parameter we were using was:
[quote]SamlRequest=PHNhbWxwOkF1dGhuUm…[/quote]
And it should have been this:
[quote]SAMLRequest=PHNhbWxwOkF1dGhuUm…[/quote]

The most frustrating part of all of this is the lack of good logging and debugging information in ADFS. They seem utterly disinterested in making improvements (having spoken with technet employees working in ADFS in some capacity). I just hope this solves the problem for someone else if they see this in the future.
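A pre-flight check for the kind of typo described above, as an added example that is neither ComponentSpace's nor the poster's code: it validates the fields of an HTTP-POST binding form before it is submitted to the IdP, rejecting any field name that is not exactly SAMLRequest, SAMLResponse or RelayState, decoding SAMLRequest to confirm it is a samlp:AuthnRequest, and flagging an IssueInstant that drifts too far from the IdP clock (the other cause the post mentions). The AuthnRequest is constructed, with the thread's Issuer and ACS URL and a made-up ID and IssueInstant; its base64 form begins with the same `PHNhbWxwOkF1dGhuUm` prefix as the value in the post.

```python
import base64
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP_AUTHN = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"
ALLOWED_FIELDS = {"SAMLRequest", "SAMLResponse", "RelayState"}

# Constructed sample request, not captured traffic: the Issuer and ACS URL are
# the ones quoted in the thread, the ID and IssueInstant are made up.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_c0ffee" Version="2.0" IssueInstant="2017-10-30T14:12:50.355Z" '
    'AssertionConsumerServiceURL="https://test-sp.domain.com/authentication/saml/AssertionConsumerService">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://test-sp.domain.com/authentication/saml/metadata/683c41c6-ff57-41b6-a649-3870044656e8</Issuer>'
    '</samlp:AuthnRequest>'
)
ENCODED = base64.b64encode(AUTHN_REQUEST.encode()).decode()  # begins PHNhbWxwOkF1dGhuUm...
SAMPLE_NOW = datetime(2017, 10, 30, 14, 13, 0, tzinfo=timezone.utc)  # the IdP clock for the demo


def check_post_binding_form(fields, now=None, skew_seconds=300):
    """Return the problems found in an HTTP-POST binding form (empty list = OK).

    The SAML 2.0 bindings spec fixes the field names SAMLRequest, SAMLResponse
    and RelayState exactly; a differently cased name is an unknown field to the IdP.
    """
    problems = []
    for name in fields:
        if name not in ALLOWED_FIELDS:
            hint = next((a for a in ALLOWED_FIELDS if a.lower() == name.lower()), None)
            problems.append(f"unknown field {name!r}" + (f" (did you mean {hint!r}?)" if hint else ""))
    if "SAMLRequest" not in fields:
        return problems + ["missing SAMLRequest field"]
    try:
        root = ET.fromstring(base64.b64decode(fields["SAMLRequest"], validate=True))
    except (ValueError, ET.ParseError) as exc:
        return problems + [f"SAMLRequest is not base64-encoded XML: {exc}"]
    if root.tag != SAMLP_AUTHN:
        problems.append(f"SAMLRequest root is {root.tag}, expected samlp:AuthnRequest")
    # ADFS also rejects a request whose IssueInstant is too far from its own clock.
    issued = root.get("IssueInstant", "")
    try:
        issued_at = datetime.fromisoformat(issued.replace("Z", "+00:00"))
        drift = abs(((now or datetime.now(timezone.utc)) - issued_at).total_seconds())
    except (ValueError, TypeError):
        return problems + [f"IssueInstant {issued!r} is not a UTC (Z) timestamp"]
    if drift > skew_seconds:
        problems.append(f"IssueInstant {issued} is {drift:.0f}s from the IdP clock, limit {skew_seconds}s")
    return problems
```

With the form from the post, `{"SamlRequest": ...}` comes back as an unknown field with a hint pointing at `SAMLRequest`, whereas ADFS only reports MSIS7065.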

Thanks Neil for finding this issue and letting people know.
For anyone looking at this post, please note that there are no issues if you call our API to send the SAML request.
Neil had to use some custom code to send the SAML request and this custom code wasn’t using the correct case for the SAMLRequest query string parameter.
ADFS error messages can be very cryptic which made tracking down the issue difficult.