I'm developing an ADFS-related project with the SAML 2.0 protocol. My application is acting as the Service Provider. When I typed my credentials and clicked on the sign-in button, an error occurred. The error statement is "An error occurred. Contact your administrator for more information." When I checked the Event Viewer of my Windows Server 2012 on which ADFS is installed, it displays the error detail below:
Data Saml
Data http://DomainName/adfs/services/trust
Data Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Please ensure that the SAML authn request sent to ADFS is signed.
To do so, in your saml.config set SignAuthnRequest="true" for the .
The local certificate/private key configured under the is used to sign the authn request.
Please ensure that the certificate configured in ADFS under the relying party’s properties Signature tab corresponds to the private key used for signing.
Below is an image of the Signature tab under the Relying Party Trust.
Below is an image of the certificate which is used in my application's (Service Provider) SAML.Config file under the tag. The Relying Party Trust Signature certificate and the certificate used in my application's (Service Provider) SAML.Config file under the tag both have the same Thumbprint.
Below is an image of the SAML.Config file of the application (Service Provider).
Which certificate needs to be exported with the .pfx extension under the tag?
The ADFS signing certificate should be configured as the partner certificate in your saml.config. ADFS will sign SAML messages with its private key and the corresponding partner certificate under the section of saml.config is used to verify these signatures.
Similarly, your service provider will sign SAML messages with the local certificate private key under the section of saml.config. ADFS will use the corresponding certificate configured under the Signature tab of the properties for your relying party.
Therefore, in your example sp.pfx is used to sign messages sent to ADFS. The corresponding sp.cer should be configured under the Signature tab of the relying party.
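As an added example (not from this thread or from the SAML library it discusses), a stdlib-only Python check a service provider can run on an AuthnRequest before sending it: it reports whether the request carries an enveloped XML signature, how many SubjectConfirmation elements it contains (the ones MSIS7075 complains about), and whether the certificate embedded in ds:KeyInfo has the same thumbprint as the certificate configured in the relying party's Signature tab. The request XML, FAKE_DER and the example.test hostnames are constructed sample data; the signature value itself is not cryptographically verified.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint_of(der):
    """SHA-1 over the DER bytes, upper-case hex: the 'Thumbprint' shown by the
    Windows certificate UI and in the ADFS relying party Signature tab."""
    return hashlib.sha1(der).hexdigest().upper()

def check_authn_request(xml_text, expected_thumbprint=None):
    """Report whether the request has an enveloped ds:Signature, how many
    SubjectConfirmation elements it contains (ADFS rejects any with MSIS7075),
    and whether the certificate in ds:KeyInfo matches the expected thumbprint.
    The signature value itself is not verified here."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    signature = root.find("ds:Signature", NS)  # enveloped: direct child of the request
    thumbprint = None
    if signature is not None:
        cert_el = signature.find(".//ds:X509Certificate", NS)
        if cert_el is not None and cert_el.text:
            thumbprint = thumbprint_of(base64.b64decode("".join(cert_el.text.split())))
    expected = expected_thumbprint.replace(" ", "").upper() if expected_thumbprint else None
    return {"signed": signature is not None,
            "subject_confirmations": len(root.findall(".//saml:SubjectConfirmation", NS)),
            "thumbprint": thumbprint,
            "thumbprint_matches": expected is not None and thumbprint == expected}

# Constructed sample data: FAKE_DER stands in for a real DER-encoded certificate.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
SIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
  IssueInstant="2016-01-01T00:00:00Z" Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>https://sp.example.test/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>""" % base64.b64encode(FAKE_DER).decode()
UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
</samlp:AuthnRequest>"""
```

Compare the reported thumbprint with the one shown for sp.cer in the relying party's Signature tab; a mismatch means ADFS will be verifying against a different key than sp.pfx signs with.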