I'm relatively new to SAML integration, and I've encountered an issue recently that I've been struggling to resolve. I've managed to set up my login page to redirect users to the Identity Provider's (IDP) login page successfully. However, after users enter their credentials on the IDP's login page, they're redirected to an error page.

Upon checking the IDP's activity log, the error indicates a missing signature. The confusing part is that our server configuration doesn't enforce signed requests.

I'd appreciate any insights or suggestions on why this error might be occurring and how I can troubleshoot it effectively. Thank you in advance for your help!

**Error**

Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7085: The server requires a signed SAML authentication request but no signature is present. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage

**Environment** On-premises ADFS is configured, and request signing is optional: SignedSamlRequestsRequired = False

Relying party Identifiers: https://spdomain/login

SAML Assertion Consumer Endpoints: https://spdomain/web/saml/completed/module.php/saml/sp/saml2-acs.php/default-sp

SAML Logout Endpoints: https://spdomain/logout

Library: SimpleSAMLPHP

config.php

    'enable.saml20-idp' => true,
    'enable.shib13-idp' => false,
    'enable.adfs-idp' => false,
    'enable.authmemcookie' => false,
    'shib13.signresponse' => false,
    'enable.http_post' => false,
    'trusted.url.domains' => [],

authsources.php

    'default-sp' => [
        'saml:SP',

        'entityID' => 'http://idpdomain/adfs/services/trust',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'idp' => 'http://idpdomain/adfs/services/trust/',
        'sign.logout' => FALSE,
        'redirect.sign' => FALSE,
        'assertion.encryption' => FALSE,
    ],

saml20-sp-remote.php

<?php

$metadata["http://idpdomain/adfs/services/trust"] = [
    "entityid" => "http://idpdomain/adfs/services/trust",
    "contacts" => [
        0 => [
            "contactType" => "support",
        ],
    ],
    "metadata-set" => "saml20-sp-remote",
    "AssertionConsumerService" => [
        0 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Location" => "https://idpdomain/adfs/ls/",
            "index" => 0,
            "isDefault" => true,
        ],
        1 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
            "Location" => "https://idpdomain/adfs/ls/",
            "index" => 1,
        ],
        2 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location" => "https://idpdomain/adfs/ls/",
            "index" => 2,
        ],
    ],
    "SingleLogoutService" => [
        0 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location" => "https://idpdomain/adfs/ls/",
        ],
        1 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Location" => "https://idpdomain/adfs/ls/",
        ],
    ],
    "NameIDFormat" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "saml20.sign.assertion" => false,
    "saml20.sign.response" => false,
];

saml20-idp-remote.php

<?php
$metadata["http://idpdomain/adfs/services/trust/"] = [
    "entityid" => "http://idpdomain/adfs/services/trust/",
    "contacts" => [],
    "metadata-set" => "saml20-idp-remote",
    "sign.authnrequest" => false,
    "SingleSignOnService" => [
        0 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location" => "https://idpdomain/adfs/ls/",
        ],
        1 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Location" => "https://idpdomain/adfs/ls/",
        ],
    ],
    "SingleLogoutService" => [
        0 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location" => "https://idpdomain/adfs/ls/",
        ],
        1 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Location" => "https://idpdomain/adfs/ls/",
        ],
    ],
    "ArtifactResolutionService" => [
        0 => [
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
            "Location" =>
                "https://idpdomain/adfs/services/trust/artifactresolution",
            "index" => 0,
        ],
    ],
    "NameIDFormats" => [
        0 => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        1 => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        2 => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    ],
    "keys" => [
        0 => [
            "encryption" => false,
            "signing" => false,
            "type" => "X509Certificate",
            "X509Certificate" => "MIIC7DCCAdSgAwIBAgIQI... ",
        ],
        1 => [
            "encryption" => false,
            "signing" => false,
            "type" => "X509Certificate",
            "X509Certificate" => "MIIC7DCCAdSgAwIBAgIQI... ",
        ],
        2 => [
            "encryption" => false,
            "signing" => false,
            "type" => "X509Certificate",
            "X509Certificate" => "MIIC7DCCAdSgAwIBAgIQI...",
        ],
        3 => [
            "encryption" => false,
            "signing" => false,
            "type" => "X509Certificate",
            "X509Certificate" => "MIIC7DCCAdSgAwIBAgIQI...",
        ],
    ],
];

AuthnRequest SAML

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_dbf8087e556ac64a7b701fa945ce627455057e28e5"
                    Version="2.0"
                    IssueInstant="2024-03-06T14:56:30Z"
                    Destination="https://idpdomain/adfs/ls/"
                    AssertionConsumerServiceURL="https://spdomain/web/saml/completed/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>http://idpdomain/adfs/services/trust</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>
RelayState: http://spdomain/web/saml/auth

Despite attempting various parameter adjustments, I haven't had any success thus far. Interestingly, when using the same configuration with Azure, everything functions as expected. However, the issue persists when attempting to integrate with an on-premises setup.
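As an added diagnostic (not part of the question above, and not SimpleSAMLphp or ADFS code), the script below parses the AuthnRequest quoted in the post and compares it with the relying-party settings the post lists on the ADFS side: the relying party identifier `https://spdomain/login`, the assertion consumer endpoint, and the ADFS SSO endpoint. It reports whether a `ds:Signature` element is present and whether the `saml:Issuer` value matches the relying party identifier. In SAML 2.0 the `Issuer` of an AuthnRequest is the requesting SP's own entityID, and an IdP looks up the relying party trust by that value, so a mismatch there is the first thing to check when the IdP's behaviour does not match the trust's configuration. The expected values are taken from the post; whether the mismatch is the cause of MSIS7085 in this particular deployment is not something the post establishes.

```python
"""Structural check of an unsigned SAML 2.0 AuthnRequest against the
relying-party values an IdP administrator expects.

Added example; the AuthnRequest and the expected values are copied from
the question, not from any library's own code.
"""
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The AuthnRequest from the post (constructed input for this example).
AUTHN_REQUEST = """
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_dbf8087e556ac64a7b701fa945ce627455057e28e5"
    Version="2.0"
    IssueInstant="2024-03-06T14:56:30Z"
    Destination="https://idpdomain/adfs/ls/"
    AssertionConsumerServiceURL="https://spdomain/web/saml/completed/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>http://idpdomain/adfs/services/trust</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"/>
</samlp:AuthnRequest>
"""

# Relying-party values as configured on the ADFS side (from the post).
EXPECTED = {
    "rp_identifier": "https://spdomain/login",
    "acs_url": "https://spdomain/web/saml/completed/module.php/saml/sp/saml2-acs.php/default-sp",
    "sso_url": "https://idpdomain/adfs/ls/",
}


def inspect_authn_request(xml_text, expected):
    """Parse an AuthnRequest and return its key fields plus a list of findings.

    A finding is a human-readable mismatch between the request and the
    relying-party values the IdP is configured with.
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("root element is not samlp:AuthnRequest: %s" % root.tag)

    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    signed = root.find("ds:Signature", NS) is not None
    acs = root.get("AssertionConsumerServiceURL")
    destination = root.get("Destination")

    findings = []
    if not signed:
        findings.append("request carries no ds:Signature element (unsigned)")
    if issuer != expected["rp_identifier"]:
        findings.append(
            "Issuer %r does not match the relying party identifier %r"
            % (issuer, expected["rp_identifier"])
        )
    if acs != expected["acs_url"]:
        findings.append("AssertionConsumerServiceURL %r differs from configured ACS %r"
                        % (acs, expected["acs_url"]))
    if destination != expected["sso_url"]:
        findings.append("Destination %r differs from IdP SSO endpoint %r"
                        % (destination, expected["sso_url"]))

    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "signed": signed,
        "acs": acs,
        "destination": destination,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_authn_request(AUTHN_REQUEST, EXPECTED)
    for key in ("id", "issuer", "signed", "acs", "destination"):
        print("%-12s %s" % (key + ":", report[key]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it against the request from the post and it reports two findings: the request is unsigned (consistent with `redirect.sign` and `sign.authnrequest` being false) and its Issuer is the ADFS identifier rather than the relying party identifier configured in ADFS. The ACS URL and Destination match the post's configuration.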