SAML Request not valid for AzureAD

mmatonok · December 4, 2018, 3:59am

Hi,

I need to add user email to SAMLRequest and I decided go with RequestedAuthnContexts that should be valid xml element for Saml 2.0.
My service provider use componentspace for .net 4.6 framework.
My identity provider use cmponentspance for asp.net core.
All orks fine with my Idp and ServiceProvider.

Problem is with Azure AD, It worked before above change to SAML Request but as soon as I added RequestedAuthnContexts it failed with message:
AADSTS75005: The request is not a valid SAML 2.0 protocol message.

Any advise?
Thanks,
M

Details:
1) generated saml request with RequestedAuthnContexts

//SAMLServiceProvider.InitiateSSO(context.Response, null, samlIdpName, new SSOOptions()
//{
// RequestedAuthnContexts = new string[] {jsonData}
//});

2) SAML request example
Note I added that text into xmlElement {“Email”:“user@test.com”}, can CDATA help?

<samlp:AuthnRequest ID=“_07733dcf-e631-4aab-8999-556cb7d4d2a1” Version=“2.0” IssueInstant=“2018-12-04T11:17:18.126Z” Destination=“https://login.microsoftonline.com/f3d3d42a-7c6d-4a44-aceb-ff9d7839f6df/saml2” ForceAuthn=“false” IsPassive=“false” ProtocolBinding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” AssertionConsumerServiceURL=“https://test.coml/assertion.ashx” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”><saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>https://test.com</saml:Issuer><samlp:NameIDPolicy Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” AllowCreate=“false” />samlp:RequestedAuthnContext<saml:AuthnContextClassRef xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>{“Email”:“user@test.com”}
</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>

ComponentSpace · December 4, 2018, 1:24pm

The RequestedAuthnContexts identifies how you would like the user authenticated.
For example, you would specify “urn:oasis:names:tc:SAML:2.0:ac:classes:Password” if you wanted the user to be authenticated by password.
To specify the user name in the SAML authn request, set the SSOOptions.RequestUserName property.
Please note that not all IdPs will support this information.
I’m not sure whether Azure AD will.