MSIS7015-HttpSamlMessageException in ADFS 2.1
Hi All
I'm trying to configure WebSphere (SP) with ADFS 2.1 (IdP) for SAML SSO. The IdP-initiated flow is working fine. But when I try to send an AuthnRequest from WebSphere for an SP-initiated login, the authentication fails with an error message MSIS7015-HttpSamlMessageException:
This request does not contain the expected protocol message or incorrect protocol parameters
were found according to the HTTP SAML protocol bindings.
I have enabled tracing in ADFS and the encoded AuthnRequest is received by ADFS and it is being decoded correctly. But then, ADFS seems to be rejecting that AuthnRequest as being invalid.
So far, I have tried with a couple of AuthnRequests with no success:
1.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="-54f3143a-15165c515c4--7ff7" Version="2.0"
ProviderName="https://portalserver:10262/samlsps/wps" IssueInstant="2015-12-03T04:44:33Z"
Destination="https://adfsserver/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://portalserver:10262/samlsps/wps">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://portalserver:10262/samlsps/wps</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
2.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xyzId"
Version="2.0" IssueInstant="2015-12-03T05:34:25Z" Destination="https://adfsserver/adfs/ls"
AssertionConsumerServiceURL="https://portalserver:10262/samlsps/wps" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>https://portalserver:10262/samlsps/wps</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
Then I took the AuthnRequest for the IdP-initiated flow from the ADFS trace log and modified it as follows, but still got the same problem:
Original AuthnRequest for the IdP-initiated flow that is working successfully:
<samlp:AuthnRequest ID="_e2f0e9f5-c1aa-4126-a3a2-eaa3019e5edb" Version="2.0"
IssueInstant="2015-12-02T00:46:53.575Z"
Destination="https://adfsserver/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfsserver:8080/adfs/services/trust</Issuer>
<Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AudienceRestriction><Audience>https://momw42l0058.momentum.com:10262/samlsps/wps</Audience></AudienceRestriction>
</Conditions>
</samlp:AuthnRequest>
Modified AuthnRequest for the SP-initiated flow that doesn't work:
<samlp:AuthnRequest ID="_e2f0e9f5-c1aa-4126-a3a2-eaa3019e5edb" Version="2.0"
IssueInstant="2015-12-02T00:46:53.575Z"
Destination="https://adfsserver/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portalserver:10262/samlsps/wps</Issuer>
<Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AudienceRestriction><Audience>https://portalserver:10262/samlsps/wps</Audience></AudienceRestriction>
</Conditions>
</samlp:AuthnRequest>
The error message in ADFS, being too generic, doesn't explain exactly what is wrong with the AuthnRequest XML.
I'm new to SAML and ADFS and so far have not been able to create a suitable AuthnRequest for ADFS to initiate the SP flow.
Please help.
Thanks.
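As an added example (not code from the post, from WebSphere or from ADFS), here is a small Python lint that checks a SAML 2.0 AuthnRequest against the structural requirements of the SAML core schema (xs:ID-valid ID, Version, IssueInstant, Issuer, optional Destination match) so a captured request can be screened before digging into IdP trace logs. The checks are the schema's, not the exact list ADFS enforces, which the post does not show; the samples are constructed copies modelled on the post's first request.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# xs:ID is an NCName: first char a letter or underscore, then letters,
# digits, '.', '-' or '_' (an ASCII approximation of the Unicode rule).
NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._\-]*$")


def lint_authn_request(xml_text, expected_destination=None):
    """Return a list of schema-level problems found in a SAML 2.0 AuthnRequest.
    An empty list means these checks passed; it does not prove an IdP will
    accept the request, since trust and binding settings are checked too."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, not samlp:AuthnRequest"]
    req_id = root.get("ID", "")
    if not NCNAME.match(req_id):
        problems.append(f"ID {req_id!r} is not a valid xs:ID")
    if root.get("Version") != "2.0":
        problems.append("Version must be '2.0'")
    if not root.get("IssueInstant"):
        problems.append("IssueInstant attribute is required")
    if root.find(f"{{{SAML}}}Issuer") is None:
        problems.append("saml:Issuer child element is missing")
    if expected_destination and root.get("Destination") != expected_destination:
        problems.append(f"Destination {root.get('Destination')!r} != {expected_destination!r}")
    return problems


# Constructed sample modelled on the post's first request (ID starts with '-').
BAD_ID_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="-54f3143a-15165c515c4--7ff7" Version="2.0" IssueInstant="2015-12-03T04:44:33Z"
  Destination="https://adfsserver/adfs/ls/">
  <saml:Issuer>https://portalserver:10262/samlsps/wps</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request with the ID rewritten to start with an underscore.
GOOD_REQUEST = BAD_ID_REQUEST.replace('ID="-', 'ID="_')

if __name__ == "__main__":
    for name, req in (("bad id", BAD_ID_REQUEST), ("fixed id", GOOD_REQUEST)):
        print(name, lint_authn_request(req, "https://adfsserver/adfs/ls/") or "no problems found")
```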