
I am trying to implement SSO for a service, using ADFS and PingFederate as IDPs.

SSO works when I avoid signing the AuthRequest (both with ADFS and PingFederate), but fails with the following error, "SAML Message has wrong signature. Issuer: 'My SP entityID'", when the AuthRequest is signed.

I had updated the corresponding Relying Party Trust with the certificate of my SP. I think I am doing something wrong in the IDP configuration. Any help is appreciated.

I had tried this answer without any luck: MSIS0038: SAML Message has wrong signature - ADFS error

user2586432
  • What SigAlg are you using in ADFS? It's been a while but I thought ADFS uses SHA256, which PF will support but you'll need to install the Unlimited Strength Java JCE Policy files. – Ian Mar 15 '16 at 20:46
  • On ADFS I had configured it to be SHA1. (I am referring to Certificates under ADFS -> Service -> Certificates -> Token-decrypt | Token-Signing.) – user2586432 Mar 16 '16 at 04:58

1 Answer

This error on ADFS is received when the AuthnRequest is signed but the SP's certificate configured is incorrect. Make sure that you have provided the correct certificate: go to Relying Party Properties > Signature tab. You should see the certificate provided by you. Verify the thumbprint to be sure.

Also, if you are sending the SAMLRequest as a query parameter (HTTP-Redirect binding), make sure you are using the SHA1 certificate for signing the AuthnRequest. Signing using the SHA256 certificate is not supported in HTTP-Redirect binding by ADFS.

nikhilahuja
  • "Signing using the SHA256 certificate is not supported in HTTP-Redirect binding by ADFS." -- do you have a source for this? I'm running into the same issue and wonder if this could be the culprit, but I googled around and couldn't find anything. – Patricia Li Mar 23 '18 at 00:12
  • Hello @PatriciaLi, did you solve your problem? I have a similar problem https://stackoverflow.com/questions/49559023/saml-error-for-sso-with-adfs-msis0038-saml-message-has-wrong-signature/49679952?noredirect=1#comment86493589_49679952 – jerem Apr 10 '18 at 20:20
  • @jerem yes. in our case it was user error, because I asked the customer to send me a screenshot of the certificate under our relying party's Signature tab as a sanity check, and it was actually incorrect. SSO started working after he uploaded the correct one. I did, however, learn a fair bit in the process of trying to debug this... I'll leave as answer on your question because this comment box has a character limit >:( – Patricia Li Apr 11 '18 at 04:41
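As an added example (not code from the question, the answer, or ADFS itself), here is a Go sketch of both halves of the check the answer describes for the HTTP-Redirect binding: the SP signs the `SAMLRequest=...&SigAlg=...` query string, and the IdP verifies it with the public key of whatever certificate is configured on the relying party trust. An RSA key pair stands in for the SP certificate, and the names `RedirectQuery`, `SignQuery`, `VerifyQuery` and `sigAlgs` are my own; running it with a second, unrelated key in the verifier's place reproduces the "wrong signature" failure locally, which is a quick way to tell a wrong-certificate problem from a SigAlg mismatch.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers SHA-1 for crypto.Hash.New
	_ "crypto/sha256" // registers SHA-256 for crypto.Hash.New
	"encoding/base64"
	"net/url"
)

// SigAlg URIs an SP may send with a Redirect-binding request, and the hash each one names.
var sigAlgs = map[string]crypto.Hash{
	"http://www.w3.org/2000/09/xmldsig#rsa-sha1":        crypto.SHA1,
	"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": crypto.SHA256,
}

// RedirectQuery builds the exact octets the HTTP-Redirect binding signs:
// SAMLRequest=<DEFLATEd, base64, url-encoded XML>&SigAlg=<uri> (RelayState omitted here).
func RedirectQuery(authnRequestXML, sigAlg string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(authnRequestXML))
	w.Close()
	return "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes())) +
		"&SigAlg=" + url.QueryEscape(sigAlg)
}

func digest(h crypto.Hash, query string) []byte {
	sum := h.New()
	sum.Write([]byte(query))
	return sum.Sum(nil)
}

// SignQuery is the SP side: RSA PKCS#1 v1.5 over the query; h must match the query's SigAlg.
func SignQuery(spKey *rsa.PrivateKey, query string, h crypto.Hash) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, spKey, h, digest(h, query))
}

// VerifyQuery is the IdP side: SigAlg is taken from the signed query and the signature is
// checked with the certificate configured on the relying party trust; a wrong one is MSIS0038.
func VerifyQuery(trustedPub *rsa.PublicKey, query string, sig []byte) bool {
	vals, err := url.ParseQuery(query) // vals is still a usable map when err != nil
	h, ok := sigAlgs[vals.Get("SigAlg")]
	return err == nil && ok && rsa.VerifyPKCS1v15(trustedPub, h, digest(h, query), sig) == nil
}
```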