SAML 2 authentication request sent from ADFS failing in IDP side

    General discussion

  • SAML 2 authentication request is failing on the weblogic server which supports SAML 2.0

    Here is the error - Why is ADFS encrypting the auth request?

     

    Also, how do i generate the SAML 2.0 metadata xml file from ADFS?

    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <Request URI: /saml2/idp/sso/redirect>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <Method: GET>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <Query string: SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9Ol638%2bWr%2fBet86ZNz55%2b9lEx2559%2buD%2bw%2f3Z%2bfb5wfl0e38ne7CdPfh0uj15mJ0%2fvPfg4e7u5N5H6U%2fmdVNUy88%2b2hvvfJSeNc06P1s2bbZs6aOd3Z3tnXvbe5%2b%2b2d1%2ftHfv0b298af3Hv7UR%2blT6qdYZi2%2fOW%2fbVfPo7t3dh3vj3U8Pxgc7491HD3Z29u4Cub27xWx1t2mqu3U%2bK%2bp82n6UnlTLJkcP63r5qMqaonm0zBZ586idPnp9%2fMXzR4TMo6k0erReNqt8WpwX%2beyj9N2iXDaPeNCb317VVVtNq%2fKjo8c8qFpe3fxS1jR5jUF9dIRB0ZjKapqV86pp72az8%2bYufX1ZTPPmbluvm%2fbxXQF9pLPwggCePX1ZlcX0On1W1YtswxB3iUj4hGbqnJuGAz0uy%2brqpM6zNv%2fsI%2bot%2fyi9e%2fT4bn%2b6j%2f4f&RelayState=3d0a0d5c-fb07-4131-a7a8-13dbd98e62c8&Signature=XK6eaWGNmmM9F2Bc4cJtIwnfAl5%2bcuSwQNDY4Z3y6ZWnAzM0zuorAjsjfa853JSSvV8QBSq2DUD7sOAbYLB7IPsRrKPwYe1ErtyVt4JYr0C%2bjz2oCRoV9o6FjJge%2b%2fycxWBy%2fXVSMseSBsNQh3dQzbbrRjExUpwF6H%2fOF1mhXGNX8q0FdotAFU21myin2iFpxNtVtRzhzvh2Ruwq8QZv8%2fD1jgUVuJulwqGvYZt92TjpipIuDH%2fjVfFl8VsOlBdnYMA93bgqBo9JTDvxuv39xCaSKkArt6BU9VbB9yuMRE9jKNUmhIhxv5iorjN2uqIfHSJ%2bCo8Oug74qKwI1YCwLw%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    Accept-Language: en-us>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    Accept-Encoding: gzip, deflate>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    Host: 192.168.80.1:7002>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    Connection: Keep-Alive>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <    Cache-Control: no-cache>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <get SAMLRequest from http request, value:7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9Ol638+Wr/Bet86ZNz55+9lEx2559+uD+w/3Z+fb5wfl0e38ne7CdPfh0uj15mJ0/vPfg4e7u5N5H6U/mdVNUy88+2hvvfJSeNc06P1s2bbZs6aOd3Z3tnXvbe5++2d1/tHfv0b298af3Hv7UR+lT6qdYZi2/OW/bVfPo7t3dh3vj3U8Pxgc7491HD3Z29u4Cub27xWx1t2mqu3U+K+p82n6UnlTLJkcP63r5qMqaonm0zBZ586idPnp9/MXzR4TMo6k0erReNqt8WpwX+eyj9N2iXDaPeNCb317VVVtNq/Kjo8c8qFpe3fxS1jR5jUF9dIRB0ZjKapqV86pp72az8+YufX1ZTPPmbluvm/bxXQF9pLPwggCePX1ZlcX0On1W1YtswxB3iUj4hGbqnJuGAz0uy+rqpM6zNv/sI+ot/yi9e/T4bn+6j/4f>
    <Mar 26, 2010 10:23:32 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <can't unmarshall to a saml object.
    java.util.zip.DataFormatException: incorrect header check
            at java.util.zip.Inflater.inflateFast(Native Method)
            at java.util.zip.Inflater.inflateBytes(Inflater.java:360)
            at java.util.zip.Inflater.inflate(Inflater.java:218)
            at java.util.zip.Inflater.inflate(Inflater.java:235)
            at com.bea.security.saml2.binding.impl.BindingUtil.deflateDecode(BindingUtil.java:126)
            at com.bea.security.saml2.binding.impl.HttpRedirectBindingReceiver.getSamlObject(HttpRedirectBindingReceiver.java:99)
            at com.bea.security.saml2.binding.impl.HttpRedirectBindingReceiver.receiveRequest(HttpRedirectBindingReceiver.java:30)
            at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:295)
            at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
            at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
            at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)

    Friday, March 26, 2010 2:35 PM

All replies

  • Here are the debug messages before sending to the IDP provider

     

    Creating EncodedWCtx with received request object type: Microsoft.IdentityServer.Web.MSISSignInRequestMessage

    Sending SAML request message AuthnRequest: Id='id-2a57bc63-73c4-4054-b3a7-dada3e71f7ad', NameIDPolicy='AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified SPNameQualifier: ', ForceAuthn='False', IsPassive='False' to 'https://192.168.80.1:7002/saml2/idp/sso/redirect' using protocol binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    Message before encoding: <samlp:AuthnRequest ID="id-2a57bc63-73c4-4054-b3a7-dada3e71f7ad" Version="2.0" IssueInstant="2010-03-26T18:29:50.000Z" Destination="https://192.168.80.1:7002/saml2/idp/sso/redirect" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/adfs/services/trust</Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>

    Message after encoding: [omitted]

     

    What encoding is ADFS using?

     

    Friday, March 26, 2010 6:44 PM
  • AD FS is not encrypting the request, it's compressing it.  The error seems to be that WebLogic is unable to decompress the message.  I can see your message just fine (https://192.168.80.1:7002/saml2/idp/sso/redirect is the IdP, and your AD FS is http://localhost/adfs/services/trust).

    Some things you can try:

    1 - change the signature algorithm to be SHA-1 rather than SHA-256.  I don't know if WebLogic supports the stronger SHA-256 algorithm, and it may be unintentionally creating this scenario.  You can change this in the Advanced tab on the claims provider trusts properties dialog.

    2 - try using WebLogic's POST endpoint rather than its redirect endpoint.  POST does not compress the request and may avoid this issue.  You can change this in the Endpoints tab by adding a POST endpoint and setting it to be default.  You will need to check with

    3 - ensure your JRE is up-to-date with the latest patches

    Friday, March 26, 2010 6:45 PM
  • The encoding is to take the original XML, use the DEFLATE algorithm (RFC 1951, I think), then base64-encode the result.

    This is specified as the default binding in the SAMLBind specification for the HTTP-Redirect SAML binding.

    Friday, March 26, 2010 7:09 PM
  • Thank You. It worked with the POST binding.

    There are a lot of postings on this forum about IDP-initiated sign-on. Can the WebLogic server (IDP here) post a SAML response to https://site/adfs/ls?

    Now it is failing in the transformation in the claims. Do we have to implement a custom transformation engine?

    Here is the response

    <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://192.168.80.128/adfs/ls/" ID="_0xe11052406925e81da2460a09a2e36d17" InResponseTo="id-d46101f2-66c8-4297-a0c0-b3a671ff9b42" IssueInstant="2010-03-26T20:32:24.603Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idpdomain</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_0xe11052406925e81da2460a09a2e36d17">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>RsTfPto9ul9qz/PY/bVa/Dao+rtrYWGae1FKF1UwV7k=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    KhixAIPqZfXs6aW4d3J4Mt5/YpTw3LNmY+ohfR4laTvaXyr8uvbAFGK8P+s/g4UbJ+yyIU9X/j6k
    yimuI2HbbK6tgvxob+Nd84xVx6ghD07ZP0o/0XMq9bdQaOxU+6VW/3Xa7lSmGcM1/xV13PZjLoAf
    60qRuyPw1OX/8R6sXOU=
    </ds:SignatureValue>
    </ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0x17ad474657b778656533d6394e1f4212" IssueInstant="2010-03-26T20:32:24.463Z" Version="2.0"><saml:Issuer>idpdomain</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" NameQualifier="sourcesite.com">test1@ap.test.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="id-d46101f2-66c8-4297-a0c0-b3a671ff9b42" NotOnOrAfter="2010-03-26T20:34:19.463Z" Recipient="https://192.168.80.128/adfs/ls/"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2010-03-26T20:32:19.463Z" NotOnOrAfter="2010-03-26T20:34:19.463Z"><saml:AudienceRestriction><saml:Audience>http://localhost/adfs/services/trust</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2010-03-26T20:32:24.463Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

    Friday, March 26, 2010 8:46 PM
  • Yes, IdP-initiated sign on is supported.

    I assume this response is not an IdP-initiated sign on, since it has an InResponseTo attribute set. What do you mean by it is failing in the transformation in the claims?

    Are there any events in the event viewer that suggest a root cause?

    Friday, March 26, 2010 9:20 PM
  • The above response is not IDP-initiated. I am just asking a general question.

    Here is the error event

    Source : Microsoft.IdentityModel 

    EventId : 8 

    Data : 

    <TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error"><Description>Handled exception.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><Exception><ExceptionType>System.Security.Cryptography.CryptographicException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>ID6021: Unsupported transform algorithm.</Message><StackTrace>   at Microsoft.IdentityModel.Protocols.XmlSignature.TransformFactory.CreateTransform(String transformAlgorithmUri)
       at Microsoft.IdentityModel.Protocols.XmlSignature.TransformChain.ReadFrom(XmlDictionaryReader reader, TransformFactory transformFactory)
       at Microsoft.IdentityModel.Protocols.XmlSignature.Reference.ReadFrom(XmlDictionaryReader reader, TransformFactory transformFactory)
       at Microsoft.IdentityModel.Protocols.XmlSignature.SignedInfo.ReadFrom(XmlDictionaryReader reader, TransformFactory transformFactory)
       at Microsoft.IdentityModel.Protocols.XmlSignature.Signature.ReadFrom(XmlDictionaryReader reader)
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ReadSignature()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.TryReadSignature()
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonElements(XmlReader reader, SamlMessage message)
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadResponse(XmlReader reader, NamespaceContext context)
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
       at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginTrustFeb2005Issue(Message request, AsyncCallback callback, Object state)
       at AsyncInvokeBeginBeginTrustFeb2005Issue(Object , Object[] , AsyncCallback , Object )
       at System.ServiceModel.Dispatcher.AsyncMethodInvoker.InvokeBegin(Object instance, Object[] inputs, AsyncCallback callback, Object state)
       at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc&amp; rpc)
       at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
       at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
       at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
       at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
       at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
       at System.ServiceModel.Dispatcher.MultipleReceiveBinder.HandleReceiveRequestComplete(IAsyncResult innerResult, Boolean completedSynchronously)
       at System.ServiceModel.Dispatcher.MultipleReceiveBinder.OnInnerReceiveCompleted(IAsyncResult nestedResult)
       at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
       at System.ServiceModel.Channels.FramingDuplexSessionChannel.TryReceiveAsyncResult.OnReceive(IAsyncResult result)
       at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
       at System.ServiceModel.Channels.SynchronizedMessageSource.SynchronizedAsyncResult`1.CompleteWithUnlock(Boolean synchronous, Exception exception)
       at System.ServiceModel.Channels.SynchronizedMessageSource.ReceiveAsyncResult.OnReceiveComplete(Object state)
       at System.ServiceModel.Channels.SessionConnectionReader.OnAsyncReadComplete(Object state)
       at System.ServiceModel.Channels.StreamConnection.OnRead(IAsyncResult result)
       at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.Net.LazyAsyncResult.Complete(IntPtr userToken)
       at System.Net.LazyAsyncResult.ProtectedInvokeCallback(Object result, IntPtr userToken)
       at System.Net.Security.NegotiateStream.ProcessFrameBody(Int32 readBytes, Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.NegotiateStream.ReadCallback(AsyncProtocolRequest asyncRequest)
       at System.Net.FixedSizeReader.CheckCompletionBeforeNextRead(Int32 bytes)
       at System.Net.FixedSizeReader.ReadCallback(IAsyncResult transportResult)
       at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
       at System.ServiceModel.Channels.ConnectionStream.ReadAsyncResult.OnAsyncReadComplete(Object state)
       at System.ServiceModel.Channels.SocketConnection.FinishRead()
       at System.ServiceModel.Channels.SocketConnection.AsyncReadCallback(Boolean haveResult, Int32 error, Int32 bytesRead)
       at System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
       at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
    </StackTrace><ExceptionString>System.Security.Cryptography.CryptographicException: ID6021: Unsupported transform algorithm.</ExceptionString></Exception></TraceRecord>

     

    ProcessId : 3740


    Friday, March 26, 2010 9:37 PM
  • and I am getting this in the browser

    An error occurred during processing of the request.

    MSIS7012: The request failed. Contact your administrator for details.

    Additional data: 0a277b83-5b52-487d-be33-6f3a38ebacd9 

    Friday, March 26, 2010 9:38 PM
  • Ah, OK - this is related to the XML signature in the response.

    WebLogic is using the http://www.w3.org/2001/10/xml-exc-c14n#WithComments canonicalization algorithm.  AD FS 2 supports the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.  Can you configure WebLogic to use this algorithm for canonicalization?

    Friday, March 26, 2010 11:47 PM
  • I will check and let you know.

    Is there any way to change that on the ADFS side?

    Also, when the IDP initiates the SSO and posts the response to /adfs/ls, how does ADFS forward the request to the RP? Do we have to add any additional parameters to forward to a specific RP?

    Thank You

    Saturday, March 27, 2010 12:09 AM
  • Is the canonicalization algorithm you talked about part of the IDP or the Service Provider setup?
    Saturday, March 27, 2010 12:13 AM
  • There's no way to configure AD FS to accept this canonicalization algorithm. I'll pass this feedback on to the product team.

    You should be able to configure WebLogic to use the regular xml-exc-c14n algorithm.  You may need to contact your vendor to learn how to change that setting.

    When you do IdP-initiated sign on to AD FS, there's no way to tell AD FS which RP to log in to.  The IdpInitiatedSignOn page will get rendered -- you can include custom logic to automatically sign the user in to a specific RP on that page.

    Saturday, March 27, 2010 3:03 AM
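    The mismatch diagnosed in the two replies above (WebLogic signing the Response with the xml-exc-c14n#WithComments transform, AD FS 2 rejecting it with ID6021) can be caught before the Response is ever sent to /adfs/ls by reading the algorithm URIs out of ds:SignedInfo. The Python below is an added example, not code from this thread or from WebLogic or AD FS. The accepted-algorithm set is an assumption taken from what the replies state (the enveloped-signature transform and plain exclusive c14n are accepted, the WithComments variant is not), and the embedded Response is a constructed skeleton modelled on the one posted earlier, with placeholder IDs, DigestValue and SignatureValue.

```python
"""Pre-flight check of the ds:SignedInfo algorithms in a SAML 2.0 Response against
what the AD FS 2 side of this thread says it accepts."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = EXC_C14N + "WithComments"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Assumption taken from the replies in this thread: AD FS 2 accepts the enveloped-signature
# transform and plain exclusive c14n, and rejects the WithComments variant with ID6021.
ACCEPTED_TRANSFORMS = {ENVELOPED, EXC_C14N}
ACCEPTED_C14N = {EXC_C14N}

# Constructed Response skeleton. The SignedInfo mirrors the one WebLogic produced in the
# thread; the IDs, DigestValue and SignatureValue are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_placeholder-response" Version="2.0" IssueInstant="2010-03-26T20:32:24.603Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idpdomain</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_placeholder-response">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


def signature_algorithms(xml_text: str) -> dict:
    """Collect every Algorithm URI that appears inside the first ds:SignedInfo."""
    root = ET.fromstring(xml_text)
    signed_info = root.find(f".//{DS}SignedInfo")
    if signed_info is None:
        raise ValueError("no ds:SignedInfo in message")
    return {
        "c14n": signed_info.find(f"{DS}CanonicalizationMethod").get("Algorithm"),
        "signature": signed_info.find(f"{DS}SignatureMethod").get("Algorithm"),
        "transforms": [t.get("Algorithm") for t in signed_info.iter(f"{DS}Transform")],
        "digests": [d.get("Algorithm") for d in signed_info.iter(f"{DS}DigestMethod")],
    }


def check_against_adfs(xml_text: str) -> list:
    """Return one finding per algorithm the AD FS side would not accept; empty means OK."""
    algs = signature_algorithms(xml_text)
    findings = []
    if algs["c14n"] not in ACCEPTED_C14N:
        findings.append(f"CanonicalizationMethod not accepted: {algs['c14n']}")
    for uri in algs["transforms"]:
        if uri not in ACCEPTED_TRANSFORMS:
            findings.append(f"Transform not accepted (expect ID6021 on AD FS): {uri}")
    return findings


if __name__ == "__main__":
    for finding in check_against_adfs(SAMPLE_RESPONSE) or ["no findings"]:
        print(finding)
```

    Because the transform list is itself covered by the signature, the fix has to be made where the signature is produced (the WebLogic IdP side), not by editing the Response afterwards; the check only tells you which side needs the configuration change.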
  • Do you have any list of IDPs on the Java side compatible with ADFS 2.0 SAML 2.0 integration?

    Shibboleth, OpenSSO: are these compatible IDPs for ADFS? Will they have issues like WebLogic?

    Saturday, March 27, 2010 3:55 AM
  • Hi,

     

    I'm currently integrating ADFS 2 with OpenSSO Express 9. It's not an easy ride at first but in the end it's all configuration adjustments.

    Apart from these - be sure that you set the signing algorithm right at both ends - OpenSSO uses SHA1 by default. You can change that in OpenSSO or in the ADFS 2 management console.

     

    So I have 3 issues though to clear up still:

     

    1. the claims rules do not transform SAML 2 claims as sent by OpenSSO out of the box. I'll try to get it done through the use of custom rules - if that is the issue...(I'm using SP 2010 behind ADFS....)

    2. Single log out triggers an error at openSSO  - signing algorithm not supported.

    3. As is mentioned here before - the signin page of ADFS by default shows AD. VERY annoying and unneeded since federated Web SSO is all about collaboration between security domains. Not sure if I keep ADFS because of this reason since my use case is just ESSO with OpenSSO and ADFS as SP for the MS domain.. So OpenSSO is just my IDP - and I need only one in the organization...

     

    I must admit that once again all the marketing talk has put me on the wrong track..since I believed that ADFS could act as an SP and be able to connect to any SAML2 IDP without the need for AD as IDP. Now I have to have my users select the right IDP from the ADFS page each time.

     

    Strange vendor lock-in this AD mandatory thing is.

     

     

    Cheers,

     

    Rob

     

     

    Sunday, March 28, 2010 4:31 PM
  • Hi Rob,

    Did you get any further with this since your last post?

    Regards,

    Mylo

    Wednesday, May 19, 2010 6:42 PM
  • Hi,

    I have noticed following error in the weblogic debugs posted by "ssurapan":

    -------------------------------------------------------------

    <BEA-000000> <can't unmarshall to a saml object.
    java.util.zip.DataFormatException: incorrect header check
            at java.util.zip.Inflater.inflateFast(Native Method)
            at java.util.zip.Inflater.inflateBytes(Inflater.java:360)
            at java.util.zip.Inflater.inflate(Inflater.java:218)
            at java.util.zip.Inflater.inflate(Inflater.java:235)
            at com.bea.security.saml2.binding.impl.BindingUtil.deflateDecode(BindingUtil.java:126)
            at com.bea.security.saml2.binding.impl.HttpRedirectBindingReceiver.getSamlObject(HttpRedirectBindingReceiver.java:99)


    -------------------------------------------------------------


    I have come across a similar issue where I had a WebLogic-based SP and an OpenSSO IdP. The profile was SP-initiated. The WebLogic SP here deflated the AuthnRequest using ZLIB (RFC 1950) and also did not make use of the "SAMLEncoding" query parameter in the request GET URL to notify the IdP that it had used this technique for compressing the request data. As per the SAML 2 specs, the IdP assumes that the request is DEFLATE encoded (RFC 1951) when actually it is ZLIB (RFC 1950), and consequently the IdP rejects the request as an invalid one.


    Symptoms are:
    -----------------

    1) At browser end:
    HTTP/1.1 500 Internal Server Error

    And the message as:
    The SAML Request is invalid.

    2) In the debug logs of IdP:

     ERROR: SAML2Utils.decodeFromRedirect: cannot inflate SAMLRequest:
    java.util.zip.DataFormatException: invalid stored block lengths
    at java.util.zip.Inflater.inflateFast(Native Method)
    at java.util.zip.Inflater.inflateBytes(Inflater.java:360)
    at java.util.zip.Inflater.inflate(Inflater.java:218)
    at java.util.zip.Inflater.inflate(Inflater.java:235)
    at com.sun.identity.saml2.common.SAML2Utils.decodeFromRedirect(SAML2Utils.java:1219)
    at com.sun.identity.saml2.profile.IDPSSOFederate.getAuthnRequest(IDPSSOFederate.java:725)


    Oracle is working on a fix. Workaround is to force weblogic to use HTTP POST BINDING SSO (by setting POST to preferred type and by making sure that POST binding figures ahead of REDIRECT in the IdP metadata while importing it at weblogic end during the configuration of IdP partner)

    Hope this helps newcomers!
    Cheers
    Tuesday, June 08, 2010 1:33 PM
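    Two posts in this thread hinge on the same detail of the HTTP-Redirect binding: the earlier reply explaining that the SAMLRequest value is raw DEFLATE (RFC 1951) followed by base64, and this post's observation that WebLogic produced a zlib stream (RFC 1950) instead, which a receiver expecting raw DEFLATE rejects. The Python below is an added example, not code from the thread or from WebLogic, AD FS or OpenSSO. It encodes and decodes a redirect-binding parameter the way the SAMLBind specification describes, and classifies an already base64-decoded payload by trying both inflate modes, which is a quick way to tell which side of a "cannot inflate SAMLRequest" error got the framing wrong. The AuthnRequest is a constructed sample with placeholder IDs and hostnames; the error strings come from the zlib library itself, which is also what java.util.zip.Inflater wraps, so they match what the WebLogic and OpenSSO logs in this thread show.

```python
"""SAML 2.0 HTTP-Redirect binding: DEFLATE + base64 + URL-encoding, and a check that
tells raw DEFLATE (RFC 1951) from zlib-wrapped (RFC 1950) payloads."""
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest modelled on the ADFS message quoted in the thread;
# the ID and the hostnames are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest ID="id-placeholder-0001" Version="2.0" '
    'IssueInstant="2010-03-26T18:29:50.000Z" '
    'Destination="https://idp.example.test/saml2/idp/sso/redirect" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://sp.example.test/adfs/services/trust</Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="true" /></samlp:AuthnRequest>'
)


def raw_deflate(data: bytes) -> bytes:
    """RFC 1951 stream with no zlib header or Adler-32 trailer (what SAMLBind requires).
    A negative wbits value selects the raw format."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def zlib_deflate(data: bytes) -> bytes:
    """RFC 1950 stream: the same DEFLATE data wrapped in a 2-byte header and a 4-byte
    Adler-32 trailer. This is the framing the post above reports WebLogic emitting."""
    return zlib.compress(data, 9)


def encode_redirect_param(xml: str) -> str:
    """Build the SAMLRequest query value: DEFLATE, base64, then URL-encode."""
    b64 = base64.b64encode(raw_deflate(xml.encode("utf-8")))
    return urllib.parse.quote(b64, safe="")


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param, as a spec-conforming receiver does it."""
    blob = base64.b64decode(urllib.parse.unquote(value))
    return zlib.decompress(blob, -15).decode("utf-8")


def classify_payload(blob: bytes) -> dict:
    """Inflate an already base64-decoded payload in both modes and report which one
    succeeds, keeping the zlib error text of the mode that fails. A raw stream can
    never pass the zlib header check, and a zlib header never parses as a valid raw
    block, so exactly one mode succeeds for well-formed input."""
    report = {"format": "unknown", "raw_deflate_error": None, "zlib_error": None}
    try:
        zlib.decompress(blob, -15)
        report["format"] = "raw-deflate"
    except zlib.error as exc:
        report["raw_deflate_error"] = str(exc)
    try:
        zlib.decompress(blob)  # default wbits: header and trailer required
        if report["format"] == "unknown":
            report["format"] = "zlib"
    except zlib.error as exc:
        report["zlib_error"] = str(exc)
    return report


def classify_query_value(value: str) -> dict:
    """Convenience wrapper for a SAMLRequest value copied straight out of a log line."""
    return classify_payload(base64.b64decode(urllib.parse.unquote(value)))


if __name__ == "__main__":
    data = SAMPLE_AUTHN_REQUEST.encode("utf-8")
    print("spec-conforming payload:", classify_payload(raw_deflate(data)))
    print("zlib-wrapped payload:   ", classify_payload(zlib_deflate(data)))
```

    Feeding the zlib-wrapped payload to the raw-DEFLATE path fails in the first stored-block length check, and feeding a raw payload to the zlib path fails in the header check; those are the two error strings the WebLogic and OpenSSO traces in this thread report, which is why the classification identifies the sender's framing rather than the receiver's.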
  • @Rob

    If AD is appearing on your end user's IDP list similar to: https://sts1.dcpromo.com/adfs/ls/IdpInitiatedSignOn.aspx (similar URL and all) does that mean you added a SAML endpoint to ADFS\Trust Relationships\Relying Party Trust\Endpoints?  I think it may be possible for ADFS to do a protocol transition to convert your IdP's SAML to WS-Trust. 

    Either way, you may want to see http://msdn.microsoft.com/en-us/library/ee895365.aspx and remove the LocalAuthHandlers in c:\inetpub\adfs\ls\web.config and replace it with

    <authenticationTypes>
      <add name="IssuedTokenViaSelector" page="AutoLogon.aspx" />
      <add name="IssuedTokenViaPassive" page="HomeRealmDiscovery.aspx" />
    </authenticationTypes>

    I've never done it, but if an SP == Service Provider == RP == Relying Party then it could work.  Let me know if my thinking is correct because I'm new to SAML, and WS-trust.

     

    Monday, June 14, 2010 3:11 AM
  • Hi,

     

    I have come a lot further.... but I'm still stuck with the SAML logout request of ADFS 2 to OpenSSO 9 Express build 9. The RSA-SHA1 algorithm fails at OpenSSO; the log entry tells me that the signature computed by ADFS is not the same as the one calculated by OpenSSO.. the certificates are correct on both sides....I have verified these by checking the thumbprints and they match on both sides (adfs/opensso keystores).

     

    I can't somehow use the RSA-SHA256 algorithm for logout with OpenSSO Express 9. Seems to be a bug since it is used successfully for the signin request/response exchanges between ADFS 2 and OpenSSO 9.

    Would you know any test suite implementations of these algorithms so that I can verify the signatures myself? It is impossible to tell who is failing here...

    As for the canonicalization algorithm - they match by default. So that should not be the problem, and if it were then signing would be failing as well and that's not the case.

     

    Any help is appreciated.

     

    Rob

     

     

     

    Thursday, July 01, 2010 2:55 PM
  • Hi Rob,

    I know that the thread is a little bit old, and maybe you have solved your issues, but just in case...

    My scenario is a little bit different, ADFS as IdP and Weblogic as SP, but the issues are quite similar. Actually I faced the same signature problem. You have to ensure that  both sides are using the same algorithm for the signature. In ADFS2 you can define it, at least for the Relying Parties. In OpenAM (OpenSSO) I do not remember, but I think so.

    Also check that you are building the SAMLRequest/SAMLResponse properly. You can check it in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

    For signing/verifying, if you are using Java, you could follow this tutorial: http://docs.oracle.com/javase/tutorial/security/apisign/index.html

    Hope it helps,

    Luis

    Tuesday, December 06, 2011 8:06 AM
  • I think for logout, ADFS will encrypt the Name ID with AES 256 bit.  The Name ID is in use for logout.  This encryption strength is not easy to downgrade in ADFS, I think.  In Java only 128 bit is often supported by default. You need to either 1) turn off encryption in ADFS using PowerShell or 2) upgrade the encryption strength on the Java side using JCE.
    Tuesday, May 07, 2013 1:47 PM