Active Directory

SAML and Active Directory Federation Services (ADFS) Integration Errors, Events, Possible causes and Fixes

While working on setting up SAML communication with ADFS server/services, you’ll come across various errors on the browser, error events on backend ADFS server and also on the web server that is sending the SAML requests to the ADFS server.  This article is to have most common errors, events and their possible causes and fixes.

 

SCENARIO#1:

ERROR On the Browser:

ADFS UKService

An error occurred

An error occurred. Contact your administrator for more information.

Error details

  • Activity ID: 00000000-0000-0000-2400-0080020000f6
  • Error time: Wed, 30 Sep 2015 09:59:49 GMT

Error Event on the ADFS Server:

Log Name:      AD FS/Admin
Source:        AD FS
Date:          9/30/2015 9:59:49 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          UKService\adfs$
Computer:      ADFSUKServer.UKService.LAN
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://HRSecure.mycorpsite.com/SAMLPOC

Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust ‘https://HRSecure.mycorpsite.com/SAMLPOC’ is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.Validate()
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Cause:

This error occurs when you attempt to communicate with ADFS server with non-existing or incorrect Relying Party URL.  In this case,  the relying party https://HRSecure.mycorpsite.com/SAMLPOC is not existing or nor yet defined on the ADFS server.

Solution:

Go Ahead and create a new Relying Party with Relying Party Identifier as https://HRSecure.mycorpsite.com/SAMLPOC. image

 

SCENARIO#2:

ERROR On the Browser:

ADFS UKService

An error occurred

An error occurred. Contact your administrator for more information.

Error details

  • Activity ID: 00000000-0000-0000-8500-0080000000f1
  • Relying party: SAMLPOCRelyingParty
  • Error time: Wed, 30 Sep 2015 10:19:37 GMT

Error Events on the ADFS Server:

Log Name:      AD FS/Admin
Source:        AD FS
Date:          9/30/2015 10:19:37 AM
Event ID:      261
Task Category: None
Level:         Error
Keywords:      AD FS
User:          UKService\adfs$
Computer:      ADFSUKServer.UKService.LAN
Description:
The request specified an Assertion Consumer Service URL ‘https://HRSecure.mycorpsite.com/SAMLPOC/Consume.aspx’ that is not  configured on the relying partyhttps://HRSecure.mycorpsite.com/SAMLPOC’.
Assertion Consumer Service URL: https://HRSecure.mycorpsite.com/SAMLPOC/Consume.aspx
Relying party: https://HRSecure.mycorpsite.com/SAMLPOC

This request failed.

User Action
Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          9/30/2015 10:19:37 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          UKService\adfs$
Computer:      ADFSUKServer.UKService.LAN
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://HRSecure.mycorpsite.com/SAMLPOC

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.AssertionConsumerServiceUrlDoesNotMatchPolicyException: MSIS3200: No AssertionConsumerService is configured on the relying party trusthttps://HRSecure.mycorpsite.com/SAMLPOC’ that is a prefix match of the AssertionConsumerService URLhttps://HRSecure.mycorpsite.com/SAMLPOC/Consume.aspx’ specified by the request.
   at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity)
   at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Cause:

This error and event logs indicate that the URL https://HRSecure.mycorpsite.com/SAMLPOC/Consume.aspx used as Assertion Consume URL doesn’t match with that of the value configured as Assertion Consume URL for the chosen Relying Party on the ADFS server.

Solution:

Go Ahead and create or update the Assertion Consume URL as https://HRSecure.mycorpsite.com/SAMLPOC/Consume.aspx for your Relying Party (in above case its https://HRSecure.mycorpsite.com/SAMLPOC’) on the ADFS server.                            image

Advertisements