Wednesday, April 18, 2012

ADFS : Problems with SAML and domains


Busy testing a 3rd party SAML provider and getting it to integrate with ADFS.

First tried it on my dev. PC using https://mypc/3rdparty.

All well and good – tick that one off – but then I needed to test it from outside of the dev. domain i.e.

Firstly, got the error:

“MSIS3020: The relying party trust with identifier 'https://xxx/sp' could not be located.”

OK, so off to the RP properties config. in ADFS.

Click on the “Identifiers” tab.

Click on the existing RP identifier and then click “Remove”. This puts the URL in the “Add” box, where you can add the “” piece and then click “Add”.

So now you have two identifiers; one without the domain and one with.

OK – let's try that again.

Get the error:

“The request specified an Assertion Consumer Service URL 'https://xxx/sp…' that is not configured on the relying party 'https://xxx/sp'.

User Action
Use the AD FS 2.0 Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.”

Mr Google leads to this: AD FS 2.0: "The request specified an Assertion Consumer Service URL that is not configured on the relying party"

and states:

“There are two options:
1. Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest
2. Configure the RP to send a AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.”

Hmmm – 1 is not an option because it’s a 3rd party product.

Went with 2.

In the RP properties config. in ADFS.

Click on the “Endpoints” tab.

Under “SAML Assertion Consumer Endpoints”:

In my case there were two with bindings for POST and Artifact.

Click on “Edit”, copy the URL, then click on “Add”. Fix the domain, select the binding and an index number that’s not used.

When I finished I had four entries: two with POST bindings and two with Artifact bindings.

And then, verily, it all just worked.
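The same two changes (a second RP identifier on the “Identifiers” tab and matching POST/Artifact entries under “SAML Assertion Consumer Endpoints”) can be scripted with the ADFS PowerShell cmdlets. This is an added example, not from the original post; it assumes the placeholder host names 'mypc' (the short dev name) and 'mypc.example.com' (the name used from outside the dev domain) and the identifier form 'https://<host>/sp' seen in the error messages.

```powershell
# Added example (not from the original post): scripts the two ADFS changes the post makes by hand,
# adding a second RP identifier and matching SAML Assertion Consumer endpoints for the FQDN.
param(
    [string]$ShortHost = 'mypc',              # placeholder: host name in the existing identifier/endpoints
    [string]$FqdnHost  = 'mypc.example.com',  # placeholder: fully qualified name the SP uses from outside
    [switch]$Apply                            # without -Apply the script only reports what it would change
)

# AD FS 2.0 ships its cmdlets as a snap-in; later versions ship the ADFS module.
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    } else {
        Import-Module ADFS
    }
}

$shortId = "https://$ShortHost/sp"   # the identifier ADFS already knows; MSIS3020 is raised for the FQDN form
$rp = Get-AdfsRelyingPartyTrust -Identifier $shortId
if (-not $rp) { throw "No relying party trust has identifier $shortId" }

# 1. Identifiers tab: keep the short one and add the FQDN one, so either issuer in the AuthnRequest matches.
$fqdnId = $shortId -replace [regex]::Escape("https://$ShortHost/"), "https://$FqdnHost/"
$identifiers = @($rp.Identifier) + @($fqdnId) | Select-Object -Unique

# 2. Endpoints tab: for every existing SAML Assertion Consumer endpoint (POST and Artifact in the post),
#    add a copy whose host is the FQDN, using an index no other endpoint uses.
$endpoints = @($rp.SamlEndpoints)
$nextIndex = (($endpoints | Measure-Object -Property Index -Maximum).Maximum) + 1
foreach ($ep in ($endpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' })) {
    $newUri = $ep.Location.AbsoluteUri -replace [regex]::Escape("https://$ShortHost/"), "https://$FqdnHost/"
    # skip if an endpoint with this URL and binding is already configured
    if ($endpoints | Where-Object { $_.Location.AbsoluteUri -eq $newUri -and $_.Binding -eq $ep.Binding }) { continue }
    $endpoints += New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding $ep.Binding -Uri $newUri -Index $nextIndex
    $nextIndex++
}

"Identifiers: " + ($identifiers -join ', ')
$endpoints | Format-Table Index, Binding, Protocol, Location -AutoSize

if ($Apply) {
    # -Identifier and -SamlEndpoint replace the whole list, so the existing entries are passed back as well.
    Set-AdfsRelyingPartyTrust -TargetIdentifier $shortId -Identifier $identifiers -SamlEndpoint $endpoints
}
```

Run it once without -Apply to check the planned identifiers and endpoints against what the 3rd party SP actually sends, then rerun with -Apply.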



Anonymous said...

Hi there. I am getting this same error. What URL did you copy to create the new endpoint, and also was it for POST only or all of the options?

nzpcmad said...

As the article says, "Click on “Edit”, copy the URL, then click on “Add”." So I just used the existing configured URL. If I recall correctly, I did it for both Post and Artifact.

Anonymous said...

Thanks for your article, worked for me!

Anonymous said...

Hi there, I'm new to ADFS and SAML. Can I understand from you how the "POST binding" works? Does that mean ADFS will do a POST with a SAML request to the IDP to get the user info?

nzpcmad said...

Pretty much - it's a combination of GET and POST.

Anonymous said...

Thanks very much for your response!

Not sure if my question and understanding are correct:

1. In this post, is the 3rd party SAML provider as IDP and ADFS as SP?

2. If ADFS is an SP and has a 3rd party IDP and I have the flow below:
a) When user authenticates on IDP
b) ADFS received responses
c) ADFS sends SAML artifact to IDP
d) IDP responded with SAML assertion
Does ADFS require any customization via code to have step b and step c work? Or are the bindings under “SAML Assertion Consumer Endpoints” the magic to make them work?

nzpcmad said...

1. Yes
2. No, the normal IDP flow is:
ADFS sends AuthnRequest to IDP
IDP asks user to authenticate
IDP sends AuthnResponse with SAML token containing the claims
User authenticated

Is this SP or IDP initiated?
Is this POST or artifact resolution binding?

Anonymous said...

This is IDP initiated using artifact resolution binding.

nzpcmad said...

Very few people use that.

Essentially here an artifact is returned and a back channel (usually SOAP) is used to exchange the artifact for a SAML token.