Custom STS & Azure ACS error ACS50008: Invalid SAML token.

    Question

  • Hi all,

    I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to log in using my custom STS I always get the Error 401.

    • Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
    • Error Code ACS50008: SAML token is invalid.

    I have searched through the forums but in my case I don't get any more detail on the error and do not know how to proceed and fix this.

    My STS is currently in beta and can be reached here: metadata.

    If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.

    note: The case is different from a similar question found here since my inner exception details do not suggest any reason.

    Thanks in advance,

    Constantinos


    Constantinos Leftheris. http://www.indice.gr




    • Edited by Indice Monday, February 13, 2012 1:25 PM
    Monday, February 13, 2012 1:12 PM

Answers

All replies

  • Does your STS work with any other RPs? Have you tried going directly from your STS to your app?

    The particular error you are receiving isn't very helpful because it could be caused by a few things. By the sounds of it the token received either has bad XML or it isn't signed, or it's missing a few key pieces. Can you run a test and show us the token as it crosses the wire using something like Fiddler?


    Developer Security MVP | www.syfuhs.net

    Monday, February 13, 2012 5:28 PM
  • Hi Steve,

    Yes, I have tried going directly with no problem using a sample client.

    I followed your advice and used Fiddler to track the process.

    Here is the POST body to ACS:

    • wa : wsignin1.0
    • wctx: pr=wsfederation&rm=http%3a%2f%2flocalhost%3a6643%2f&ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi
    • wresult :
    <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <trust:RequestSecurityTokenResponse Context="pr=wsfederation&amp;rm=http%3a%2f%2flocalhost%3a6643%2f&amp;ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&amp;cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi">
        <trust:Lifetime>
          <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-13T18:14:17.081Z</wsu:Created>
          <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-13T19:14:17.081Z</wsu:Expires>
        </trust:Lifetime>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://ecosense.accesscontrol.windows.net/</Address>
          </EndpointReference>
        </wsp:AppliesTo>
        <trust:RequestedSecurityToken>
          <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_5d8a3861-7125-481c-b81b-a39c22e0d1e3" Issuer="https://login.xo.gr/" IssueInstant="2012-02-13T18:14:17.144Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2012-02-13T18:14:17.081Z" NotOnOrAfter="2012-02-13T19:14:17.081Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>https://ecosense.accesscontrol.windows.net/</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                <saml:AttributeValue>sso@indice.gr</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="authentication" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                <saml:AttributeValue>Forms</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
                <saml:AttributeValue>Manager</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_5d8a3861-7125-481c-b81b-a39c22e0d1e3">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                  <ds:DigestValue>kO91kO/L8.....</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>re4NjNyuMf2.....</ds:SignatureValue>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>MIIFdTCCBF2gAw.....</X509Certificate>
                </X509Data>
              </KeyInfo>
            </ds:Signature>
          </saml:Assertion>
        </trust:RequestedSecurityToken>
        <trust:RequestedAttachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_5d8a3861-....</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedAttachedReference>
        <trust:RequestedUnattachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_5d8a3861-....</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedUnattachedReference>
        <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
        <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      </trust:RequestSecurityTokenResponse>
    </trust:RequestSecurityTokenResponseCollection>


    Constantinos Leftheris. http://www.indice.gr


    • Edited by Indice Monday, February 13, 2012 6:48 PM
    Monday, February 13, 2012 6:37 PM
  • Hi,

    Please use Fiddler to look into the response returned by ACS. Are you able to see any other error description besides the ACS50008? Please post the response here.

    If there is no additional useful information, one possible reason is that the client's time does not match the time of ACS, namely that NotBefore below is a time in the future as seen by ACS.

     <saml:Conditions NotBefore="2012-02-13T18:14:17.081Z" NotOnOrAfter="2012-02-13T19:14:17.081Z">

    If that's the case you may try to set the lifetime from (now - a buffer time such as 5 mins) to now + 1 hour, for instance.

    http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.securitytokenmessage.lifetime.aspx

    The timestamp in the response can help you verify. Lastly, if you still cannot get it resolved you can contact our support and provide the TraceID (contained in the response):

    http://www.windowsazure.com/en-us/support/contact/


    Allen Chen [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.




    Tuesday, February 14, 2012 9:23 AM
  • Hi, thanks for your response,

    It seems you have a point, so I checked all the dates and made a small time shift there just in case. Unfortunately I still get the same error as before. Maybe I am missing something here, so here is what I got this time:

    Here are all the dates:

    ResponseTimestamp ="2012-02-15 08:48:13Z"

    wsu:Created       ="2012-02-15T08:38:09.601Z"
    wsu:Expires       ="2012-02-15T09:48:09.601Z"
    IssueInstant      ="2012-02-15T08:48:09.663Z"
    NotBefore         ="2012-02-15T08:38:09.601Z"
    NotOnOrAfter      ="2012-02-15T09:48:09.601Z"

    The response with the json error:

    ACS_response:
    {
      "context":          "http://localhost:6643/syndesi",
      "httpReturnCode":   401,
      "identityProvider": null,
      "timeStamp":        "2012-02-15 08:48:13Z",
      "traceId":          "ebd11dab-0673-442f-9f34-a51f4815abcb",
      "errors":           [{"errorCode":"ACS20001","errorMessage":"An error occurred while processing a WS-Federation sign-in response."},
                           {"errorCode":"ACS50008","errorMessage":"SAML token is invalid."}]
    }


    The request:

    • wa : wsignin1.0
    • wctx: pr=wsfederation&rm=http%3a%2f%2flocalhost%3a6643%2f&ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi
    • wresult :
    <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <trust:RequestSecurityTokenResponse Context="pr=wsfederation&amp;rm=http%3a%2f%2flocalhost%3a6643%2f&amp;ry=http%3a%2f%2flocalhost%3a6643%2fsyndesi&amp;cx=http%3a%2f%2flocalhost%3a6643%2fsyndesi">
        <trust:Lifetime>
          <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-15T08:38:09.601Z</wsu:Created>
          <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-15T09:48:09.601Z</wsu:Expires>
        </trust:Lifetime>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://ecosense.accesscontrol.windows.net/</Address>
          </EndpointReference>
        </wsp:AppliesTo>
        <trust:RequestedSecurityToken>
          <saml:Assertion AssertionID="_c84e5721-...." IssueInstant="2012-02-15T08:48:09.663Z" Issuer="https://login.xo.gr/" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2012-02-15T08:38:09.601Z" NotOnOrAfter="2012-02-15T09:48:09.601Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>https://ecosense.accesscontrol.windows.net/</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                <saml:AttributeValue>sso@indice.gr</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="authentication" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                <saml:AttributeValue>Forms</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
                <saml:AttributeValue>Manager</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_c84e5721-....">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                  <ds:DigestValue>U970k1....</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>fUMa36Fmr....</ds:SignatureValue>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>MIIFdTCCB....</X509Certificate>
                </X509Data>
              </KeyInfo>
            </ds:Signature>
          </saml:Assertion>
        </trust:RequestedSecurityToken>
        <trust:RequestedAttachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_c84e5721-....</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedAttachedReference>
        <trust:RequestedUnattachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_c84e5721-....</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedUnattachedReference>
        <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
        <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      </trust:RequestSecurityTokenResponse>
    </trust:RequestSecurityTokenResponseCollection>

    Any thoughts?

    Thanks,

    C.


    Constantinos Leftheris. http://www.indice.gr


    • Edited by Indice Wednesday, February 15, 2012 9:38 AM
    Wednesday, February 15, 2012 9:09 AM
  • Working with Constantinos regarding this issue. It looks like the problem is with Issuer name ( Issuer="https://login.xo.gr/" ). Will post the final assessment of the issue once the issue is resolved.
    Wednesday, February 15, 2012 5:53 PM
  • Issue got resolved after modifying the issuer to https://login.xo.gr without the trailing slash at the end.
    Thursday, February 16, 2012 4:08 PM
  • Just to follow up with a little more detail to help others. ACS requires that the entityID in FederationMetadata.xml match the Issuer name in the wresult of the response to ACS.

    FederationMetadata.xml:

    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_f75521f4-32b9-4f8b-9f75-e5ecb542b3ee" entityID="https://sts.local.contoso.com/">
    wresult:
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_628a736e-0449-45dd-b574-41569a792580" Issuer="https://sts.local.contoso.com/" IssueInstant="2014-03-04T19:43:53.309Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">

    Tuesday, March 04, 2014 8:00 PM
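As an added example (not code from this thread, from ACS, or from the poster's STS), the following Python pre-flight check runs a wresult through the conditions this thread tripped over before it is ever posted to ACS: the byte-exact Issuer/entityID match from the last two replies (a trailing slash is a mismatch), the Audience, the NotBefore/NotOnOrAfter window with the clock-skew tolerance Allen suggested, and that the enveloped signature's Reference points at the AssertionID. The wresult, metadata, ACS namespace and timestamps are constructed placeholders shaped like the thread's data; it validates structure and values, not the XML signature itself.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(s):
    # SAML timestamps are UTC with optional fractional seconds, e.g. 2012-02-15T08:38:09.601Z
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def lint_wresult(wresult_xml, metadata_xml, audience, now, skew=timedelta(minutes=5)):
    problems = []  # empty list means all four checks pass
    a = ET.fromstring(wresult_xml).find(".//saml:Assertion", NS)
    issuer, entity_id = a.get("Issuer"), ET.fromstring(metadata_xml).get("entityID")
    # 1. Issuer must equal the metadata entityID byte for byte; a trailing slash is a mismatch
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} != metadata entityID {entity_id!r}")
    # 2. Audience must name the ACS namespace the token was issued for
    aud = a.findtext(".//saml:Audience", namespaces=NS)
    if aud != audience:
        problems.append(f"Audience {aud!r} != expected {audience!r}")
    # 3. Validity window, tolerating clock skew between the STS and ACS
    cond = a.find("saml:Conditions", NS)
    if _ts(cond.get("NotBefore")) > now + skew:
        problems.append("NotBefore is in the future relative to the verifier's clock")
    if _ts(cond.get("NotOnOrAfter")) <= now - skew:
        problems.append("NotOnOrAfter has already passed")
    # 4. The enveloped signature's Reference must point at this assertion's ID
    ref = a.find(".//ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("AssertionID"):
        problems.append("ds:Reference URI does not match AssertionID")
    return problems

# Constructed sample shaped like the thread's wresult; hostnames and IDs are placeholders.
WRESULT = """<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_id1" Issuer="{issuer}"
   IssueInstant="2012-02-15T08:48:09.663Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml:Conditions NotBefore="2012-02-15T08:38:09.601Z" NotOnOrAfter="2012-02-15T09:48:09.601Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://example.accesscontrol.windows.net/</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:Reference URI="#_id1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
 </trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>"""
METADATA = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.example.test"/>'
AUDIENCE = "https://example.accesscontrol.windows.net/"
NOW = datetime(2012, 2, 15, 8, 48, 13, tzinfo=timezone.utc)  # plays the ACS response timestamp

def demo():
    # Trailing slash on Issuer (the thread's bug) versus the exact entityID from metadata
    return (lint_wresult(WRESULT.format(issuer="https://sts.example.test/"), METADATA, AUDIENCE, NOW),
            lint_wresult(WRESULT.format(issuer="https://sts.example.test"), METADATA, AUDIENCE, NOW))
```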