Symptoms
- AD FS 2.0 is the Relying Party (RP)
- An error occurs while consuming a security token from a trusted Claims Provider (CP)
- The AD FS 2.0 Tracing/Debug log shows an event similar to the following:
Log Name: AD FS 2.0 Tracing/Debug
Source: AD FS 2.0 Tracing
Date: 4/8/2011 8:48:24 AM
Event ID: 47
Task Category: None
Level: Error
Keywords: ADFSSamlProtocol
User: NETWORK SERVICE
Computer: <DNS-Name>
Description:
Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolException:
MSIS1022: Cannot process SAML Response from ''.
Inner exception: ID6008: Cannot resolve the '' URI in the signature to compute the digest.
at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Cause
- The Claims Provider is signing the protocol message, the assertion, or both, and it is not providing an appropriate Reference URI value within the Signature section(s).
Resolution
- The Claims Provider has the option of digitally signing the protocol message, the assertion, or both
- The SAML Response is required to have an ID property
- The SAML Assertion is required to have an ID property
- If the SAML Response is signed, its Signature portion must have a Reference URI value which equals the SAML Response ID value
- If the SAML Assertion is signed, its Signature portion must have a Reference URI value which equals the SAML Assertion ID value
- The Claims Provider must make changes on their side in order to enable the Reference URI to be populated with an appropriate value
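The following is an added diagnostic example, not part of the original article or of AD FS itself. It parses a SAML Response with Python's standard library and, for every enveloped ds:Signature on the Response or an Assertion, checks that the Reference URI equals "#" plus the signed element's ID, which is the rule stated above. The sample_response helper is a constructed, minimal token (no real signature values) that reuses the ID values from the snippets below, so the correct case and the empty-URI case behind ID6008 can both be exercised.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def check_reference_uris(saml_response_xml):
    """Check every enveloped ds:Signature on the Response and its Assertions.

    Returns one dict per signed element: element name, its ID, the signature's
    Reference URI and whether they agree (URI must be '#' + ID). A missing ID,
    a missing Reference, or an empty/non-matching URI is reported as not ok;
    an empty URI is the case behind ID6008 ("Cannot resolve the '' URI").
    """
    root = ET.fromstring(saml_response_xml)
    signed_element_tags = {f"{{{SAMLP}}}Response", f"{{{SAML}}}Assertion"}
    findings = []
    for element in root.iter():  # document order: Response, then Assertions
        if element.tag not in signed_element_tags:
            continue
        signature = element.find(f"{{{DS}}}Signature")  # direct child only
        if signature is None:
            continue  # element is not signed; nothing to check
        element_id = element.get("ID")
        reference = signature.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        uri = reference.get("URI") if reference is not None else None
        findings.append({
            "element": element.tag.split("}")[1],
            "id": element_id,
            "reference_uri": uri,
            "ok": bool(element_id) and uri == "#" + element_id,
        })
    return findings


def sample_response(response_uri, assertion_uri):
    """Constructed minimal SAML Response (not a real token); the Reference URIs
    are parameters so the correct and the broken case can both be built."""
    return f"""<Response ID="_c7055387-af61-4fce-8b98-e2927324b306" Version="2.0"
  xmlns="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}">
  <saml:Issuer>https://www.contoso.com/IDP</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="{response_uri}"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" Version="2.0">
    <saml:Issuer>https://www.contoso.com/IDP</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="{assertion_uri}"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</Response>"""
```

Run check_reference_uris on a Response captured from the Claims Provider (for example with browser developer tools, after base64-decoding the SAMLResponse form field); any entry with "ok": False identifies which signature the Claims Provider must fix.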
More Information
Snippet of appropriate signed SAML Response:
<Response
IssueInstant="2011-04-04T00:46:02Z" Version="2.0"
ID="_c7055387-af61-4fce-8b98-e2927324b306"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://www.contoso.com/IDP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_c7055387-af61-4fce-8b98-e2927324b306">
<ds:Transforms>
....
Snippet of appropriate signed SAML Assertion:
<Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
IssueInstant="2011-04-04T00:46:02Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://www.contoso.com/IDP</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
....