Windows Azure Platform >
Custom STS & Azure ACS error ACS50008: Invalid SAML token.

Answered Custom STS & Azure ACS error ACS50008: Invalid SAML token.

  • Monday, February 13, 2012 1:12 PM
     
     
    Sign In to Vote
    4

    Hi all,

    I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.

    • Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
    • Error Code ACS50008: SAML token is invalid.

    I have searched through the forums but in my case I dont get any more detail on the error and do not know how to proceed and fix this.

    My STS is currently on beta and can be reached here: metadata .

    If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.

    note: The case is different from a similar question found here since my inner exception details do not suggest any reason.

    Thanks in advance,

    Constantinos

    Constantinos Leftheris. http://www.indice.gr




    • Edited by Indice Monday, February 13, 2012 1:14 PM
    • Edited by Indice Monday, February 13, 2012 1:17 PM
    • Edited by Indice Monday, February 13, 2012 1:25 PM
    •  
     

All Replies

  • Monday, February 13, 2012 5:28 PM
     
     
    Sign In to Vote
    0

    Does your STS work with any other RP's? Have you tried going directly from your STS to your app?

    The particular error you are receiving isn't very helpful because it could be caused by a few things. By the sounds of it the token received either has bad XML or it isn't signed, or it's missing a few key pieces. Can you run a test and show us the token as it crosses the wire using something like Fiddler?

    Developer Security MVP | www.syfuhs.net

     
  • Monday, February 13, 2012 6:37 PM
     
      Has Code
    Sign In to Vote
    0

    Hi Steve,

    yes I have tried going directly with no problem using a sample client.

    I followed your advice and used fiddler to track the process.

    here is the post body to the acs:

    • wa : wsignin1.0
    • wctx: pr=wsfederation&rm=http%3a%2f%2flocalhost%3a6643%2f&ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi
    • wresult : 
    <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <trust:RequestSecurityTokenResponse Context="pr=wsfederation&amp;rm=http%3a%2f%2flocalhost%3a6643%2f&amp;ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&amp;cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi">
    <trust:Lifetime>
      <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-13T18:14:17.081Z</wsu:Created>
      <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-13T19:14:17.081Z</wsu:Expires>
    </trust:Lifetime>
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://ecosense.accesscontrol.windows.net/</Address>
      </EndpointReference>
    </wsp:AppliesTo>
    <trust:RequestedSecurityToken>
      <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_5d8a3861-7125-481c-b81b-a39c22e0d1e3" Issuer="https://login.xo.gr/" IssueInstant="2012-02-13T18:14:17.144Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml:Conditions NotBefore="2012-02-13T18:14:17.081Z" NotOnOrAfter="2012-02-13T19:14:17.081Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>https://ecosense.accesscontrol.windows.net/</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>sso@indice.gr</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute AttributeName="authentication" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>Forms</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
            <saml:AttributeValue>Manager</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_5d8a3861-7125-481c-b81b-a39c22e0d1e3">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <ds:DigestValue>kO91kO/L8.....</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>re4NjNyuMf2.....</ds:SignatureValue>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
              <X509Certificate>MIIFdTCCBF2gAw.....</X509Certificate>
            </X509Data>
          </KeyInfo>
        </ds:Signature>
      </saml:Assertion>
    </trust:RequestedSecurityToken>
    <trust:RequestedAttachedReference>
      <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_5d8a3861-....</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </trust:RequestedAttachedReference>
    <trust:RequestedUnattachedReference>
      <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_5d8a3861-....</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </trust:RequestedUnattachedReference>
    <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
    <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
  </trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>

    Constantinos Leftheris. http://www.indice.gr


    • Edited by Indice Monday, February 13, 2012 6:48 PM
    •  
     
  • Tuesday, February 14, 2012 9:23 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi,

    Please use fiddler to look into the response returned by ACS. Are you able to see other error description besides the ACS5008? Please post the response here.

    If there is no additional useful information one possible reason is the time of the client mismatches the time of ACS, namely NotBefore below is a time in future when looked by ACS.

     <saml:Conditions NotBefore="2012-02-13T18:14:17.081Z" NotOnOrAfter="2012-02-13T19:14:17.081Z">
    If that's the case you may try to set lifetime to (now - a buffer time such as 5 mins) to now + 1 hour, for instance.

    http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.securitytokenmessage.lifetime.aspx

    The timestamp in response can help you verify. At last, if you still cannot get it resolved you can contact our support and provide the TraceID (contained in response):

    http://www.windowsazure.com/en-us/support/contact/

    Allen Chen [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.




     
  • Wednesday, February 15, 2012 9:09 AM
     
      Has Code
    Sign In to Vote
    0

    Hi thanks for your response,

    it seems you got a point so I checked all the dates and made the a small time shift there just in case. Unfortunately I still get the same error as before. Maybe I am missing something here so here is what I got this time:

    Here are all the dates:

    ResponseTimestamp ="2012-02-15 08:48:13Z"

    wsu:Created       ="2012-02-15T08:38:09.601Z"
    wsu:Expires       ="2012-02-15T09:48:09.601Z"
    IssueInstant      ="2012-02-15T08:48:09.663Z"
    NotBefore         ="2012-02-15T08:38:09.601Z"
    NotOnOrAfter      ="2012-02-15T09:48:09.601Z"

    The response with the json error:

    ACS_response:
{
"context":			"http://localhost:6643/syndesi",
"httpReturnCode":	401,
"identityProvider":	null,
"timeStamp":		"2012-02-15 08:48:13Z",
"traceId":			"ebd11dab-0673-442f-9f34-a51f4815abcb",
"errors":			[{"errorCode":"ACS20001","errorMessage":"An error occurred while processing a WS-Federation sign-in response."},
 {"errorCode":"ACS50008","errorMessage":"SAML token is invalid."}]
}


    The request:

    • wa : wsignin1.0
    • wctx: pr=wsfederation&rm=http%3a%2f%2flocalhost%3a6643%2f&ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi
    • wresult : 
    <trust:requestsecuritytokenresponsecollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <trust:requestsecuritytokenresponse Context="pr=wsfederation&rm=http%3a%2f%2flocalhost%3a6643%2f&ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi">
    <trust:lifetime>
      <wsu:created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-15T08:38:09.601Z</wsu:created>
      <wsu:expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-15T09:48:09.601Z</wsu:expires>
    </trust:lifetime>
    <wsp:appliesto xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <endpointreference xmlns="http://www.w3.org/2005/08/addressing">
        
    https://ecosense.accesscontrol.windows.net/
    
      </endpointreference>
    </wsp:appliesto>
    <trust:requestedsecuritytoken>
      <saml:assertion AssertionID="_c84e5721-...." IssueInstant="2012-02-15T08:48:09.663Z" Issuer="https://login.xo.gr/" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml:conditions NotBefore="2012-02-15T08:38:09.601Z" NotOnOrAfter="2012-02-15T09:48:09.601Z">
          <saml:audiencerestrictioncondition>
            <saml:audience>https://ecosense.accesscontrol.windows.net/</saml:audience>
          </saml:audiencerestrictioncondition>
        </saml:conditions>
        <saml:attributestatement>
          <saml:subject>
            <saml:subjectconfirmation>
              <saml:confirmationmethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:confirmationmethod>
            </saml:subjectconfirmation>
          </saml:subject>
          <saml:attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:attributevalue>sso@indice.gr</saml:attributevalue>
          </saml:attribute>
          <saml:attribute AttributeName="authentication" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:attributevalue>Forms</saml:attributevalue>
          </saml:attribute>
          <saml:attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
            <saml:attributevalue>Manager</saml:attributevalue>
          </saml:attribute>
        </saml:attributestatement>
        <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:signedinfo>
            <ds:canonicalizationmethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:canonicalizationmethod>
            <ds:signaturemethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:signaturemethod>
            <ds:reference URI="#_c84e5721-....">
              <ds:transforms>
                <ds:transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:transform>
                <ds:transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:transform>
              </ds:transforms>
              <ds:digestmethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:digestmethod>
              <ds:digestvalue>U970k1....</ds:digestvalue>
            </ds:reference>
          </ds:signedinfo>
          <ds:signaturevalue>fUMa36Fmr....</ds:signaturevalue>
          <keyinfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <x509data>
              <x509certificate>MIIFdTCCB....</x509certificate>
            </x509data>
          </keyinfo>
        </ds:signature>
      </saml:assertion>
    </trust:requestedsecuritytoken>
    <trust:requestedattachedreference>
      <o:securitytokenreference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:keyidentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_c84e5721-....</o:keyidentifier>
      </o:securitytokenreference>
    </trust:requestedattachedreference>
    <trust:requestedunattachedreference>
      <o:securitytokenreference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:keyidentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_c84e5721-....</o:keyidentifier>
      </o:securitytokenreference>
    </trust:requestedunattachedreference>
    <trust:tokentype>urn:oasis:names:tc:SAML:1.0:assertion</trust:tokentype>
    <trust:requesttype>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:requesttype>
    <trust:keytype>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:keytype>
  </trust:requestsecuritytokenresponse>
</trust:requestsecuritytokenresponsecollection>

    Any thoughts?

    Thanks,

    C.

    Constantinos Leftheris. http://www.indice.gr


    • Edited by Indice Wednesday, February 15, 2012 9:38 AM
    •  
     
  • Wednesday, February 15, 2012 5:53 PM
     
     
    Sign In to Vote
    0
    Working with Constantinos regarding this issue. It looks like the problem is with Issuer name ( Issuer="https://login.xo.gr/" ). Will post the final assessment of the issue once the issue is resolved.
     
  • Thursday, February 16, 2012 4:08 PM
     
     Answered
    Sign In to Vote
    1
    Issue got resolved after modifying the issuer to https://login.xo.gr with out trailing slash in the end.