ADFS Signing error


We have an ADFS server up and running that we use for SSO for Skype in the cloud, which works without an issue. Recently, we've set up a relying party trust with an external partner, who uses their own federated service (one that they've written/configured themselves). They are the resource partner and we are the IDP.

When trying to access their application, we are hitting their web site but we're unable to log in. In the AD FS Admin event log, we see the following two events:

Event ID 303 - The Federation Service encountered an error while processing the SAML authentication request: MSIS0037: No signature verification certificate found for issuer 'https://xxxxxxxxx.com'

Event ID 364 - Encountered error during federation passive request: MSIS0037: No signature verification certificate found for issuer 'https://xxxxxxxxx.com'

The properties of the relying party trust have SignedSAMLRequestsRequired set to False and SamlResponseSignature set to False.

I'm a little confused as to how to troubleshoot this. I'm assuming that my ADFS server is expecting a signed SAML authentication request but is unable to validate the signature. Could someone explain to me exactly what the identifier does in the RPT configuration?

TIA










migrated from security.stackexchange.com Jun 19 '17 at 16:36


This question came from our site for information security professionals.
























asked Jun 19 '17 at 14:55 by Paul G

          1 Answer
          According to the documentation on Technet for Set-ADFSRelyingPartyTrust, SAMLResponseSignature "[s]pecifies the response signatures that the relying party expects" (and doesn't accept "False" as argument). Thus it won't do what you want it to do (the service is the relying party, not ADFS).



          Also, SignedSAMLRequestsRequired set to False means it will accept unsigned requests, not signed requests whose signatures couldn't be verified.



          So, I'd have a look at the certificate used by the service, especially if it is trusted by your ADFS server. My guess is, it's either self-signed or signed by an internal CA.






          • What SAML signing is set on the RP side? Have you imported a signing certificate supplied by the RP?

            – nzpcmad
            Jun 19 '17 at 19:20












          • Thanks for the response, PaterSiul. First off, the SAMLResponseSignature is set to AssertionOnly and not False (my error).

            – Paul G
            Jun 20 '17 at 14:41











          • This brings me back to one thing that I don't understand. On the RPT in ADFS, I have an identifier set up pointing to one of their sites (https). What role do the identifier and its certificate have in the communication process for claims? By this I mean, I have certificates set up for encrypting/decrypting tokens, a certificate for signing tokens and a server communication certificate. When a user/claim is redirected to our ADFS server with an authentication request token, is the identifier specified in the RPT contacted in any way to check its certificate?

            – Paul G
            Jun 20 '17 at 14:43











          • nzpcmad. Thanks for your response as well. I will speak to the RP and get as much information as possible.

            – Paul G
            Jun 20 '17 at 14:43











          • The identifier in the response is used by the service provider to verify that the claim it receives is actually for said service provider (and not for some other service the user might have access to). Certificates are used for HTTPS between the user and both the IdP and the SP, for signing the request (by the SP) and for signing the response (by the IdP). Certificates can also be used to encrypt either the request or the response or both, but that's only necessary if you want to keep the information from the user. TLS via HTTPS protects the information from the rest of the world.

            – PaterSiul
            Jun 20 '17 at 20:09











          answered Jun 19 '17 at 17:10 by PaterSiul
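To make the answer's advice concrete (check whether the trust matching the issuer in the MSIS0037 event actually holds a request-signing certificate, and whether that certificate chains to a root the ADFS server trusts) and PaterSiul's later comment about the identifier (it is matched against the issuer the SP sends, not contacted over the network), here is an added PowerShell triage script. It is not code from the question, the answer, or Microsoft's documentation. It assumes the AD FS module cmdlet names of Windows Server 2012 R2 or later and the 'AD FS/Admin' log name (ADFS 2.0 uses 'AD FS 2.0/Admin'); the function names are mine, and the issuer URL is the redacted placeholder from the question's events.

```powershell
# Added example: triage MSIS0037 ("No signature verification certificate found for
# issuer") on the ADFS server. Assumes the AdfsRelyingPartyTrust cmdlets of Server
# 2012 R2+ and a machine with the AD FS role. Function names are hypothetical.
function Test-RptSigningTrust {
    param([Parameter(Mandatory)][string]$Issuer)

    # 1. The issuer string in the event is looked up against the Identifier list of
    #    every relying party trust; nothing is contacted over the network. Any mismatch
    #    (http vs https, trailing slash, different host) produces the same event.
    $rpt = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains $Issuer }
    if (-not $rpt) {
        Write-Warning "No relying party trust lists '$Issuer' as an identifier; compare it with the <saml:Issuer> the SP sends."
        return
    }

    # 2. The settings discussed in the answer. SignedSamlRequestsRequired = False only
    #    tolerates requests that carry no signature; a request that is signed is still
    #    verified against RequestSigningCertificate, so an empty list fails it.
    $rpt | Select-Object Name, Identifier, SignedSamlRequestsRequired, SamlResponseSignature | Format-List

    if (-not $rpt.RequestSigningCertificate) {
        Write-Warning ("Trust '{0}' has no request-signing certificate. Import the SP's signing certificate with " +
            "Set-AdfsRelyingPartyTrust -TargetIdentifier '{1}' -RequestSigningCertificate <X509Certificate2>") -f $rpt.Name, $Issuer
    }

    # 3. Each configured signing certificate must chain to a root trusted by the machine
    #    account (self-signed or internal-CA certificates fail until that root is placed
    #    in the server's Trusted Root store). Revocation is skipped here so an unreachable
    #    CRL does not hide the chain result; ADFS itself may still check revocation.
    foreach ($cert in $rpt.RequestSigningCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            ChainOk    = $trusted
            ChainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

# 4. Pull the most recent 303/364 events and extract the issuer string ADFS rejected,
#    so the value fed to Test-RptSigningTrust is the one the SP really sent.
function Get-Msis0037Events {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 303, 364 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSIS0037' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Issuer'; e = { [regex]::Match($_.Message, "issuer '([^']+)'").Groups[1].Value } }
}

Get-Msis0037Events
Test-RptSigningTrust -Issuer 'https://xxxxxxxxx.com'   # placeholder issuer from the question
```

If the output shows a trust with the right identifier but ChainOk = False, the fix on the defender's side is to import the partner's issuing root into the ADFS servers' Trusted Root store (or have the partner sign with a certificate from a trusted CA), not to stop verifying signatures.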
