Akash Akash - 1 month ago 22
Java Question

Spring SAML Single Sign on ADFS Response failure because status message is null

I am trying to integrate single sign-on for my web app with the help of the Spring SAML extension and an ADFS server. I integrated it 3 months ago with the help of the Spring SAML sample application; at that time it worked perfectly, but now it gives me the exception below:


AuthNRequest;SUCCESS;111.11.11.111;https://my.domain.com:443/app/saml/metadata;http://myfedservicesserver.com/trustme;;;
AuthNResponse;FAILURE;111.11.11.111;https://my.domain.com:443/app/saml/metadata;http://myfedservicesserver.com/trustme;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)


SAML 2 and ADFS 3.0 IDP - SSO Invalid Status Code First time Login - But succeeds every time after

Issues while integrating ADFS with Spring SAML Extension

I went through the links above, but they did not work for me. I changed the digital signature from SHA-256 to SHA-1 in the ADFS server and tried again, but the issue was not resolved.
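The exception above only says that the IdP returned a top-level status of Responder with no status message, and Spring SAML rejects any non-Success status before looking further. The script below is an added diagnostic, not part of the question or of Spring SAML: it decodes a base64 SAMLResponse (as captured from the HTTP POST to the SP's SSO endpoint or from Spring SAML's logging), reads the <samlp:Status> subtree including any nested sub-status code, and explains what each top-level code means. The sample response embedded at the end is constructed to match the failure shape in the question (Responder, no StatusMessage); the Issuer value is the IdP entity ID from the log lines.

```powershell
# Added diagnostic, not from the question or from Spring SAML: decode a SAMLResponse
# and report its <samlp:Status> subtree. Assumes the base64 value was captured from the
# HTTP POST to the SP (or from Spring SAML's SAMLLogger output).
function Get-SamlResponseStatus {
    param(
        [Parameter(Mandatory)] [string] $Base64Response
    )
    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep the bytes as received; matters if a signature is present
    $doc.LoadXml($xmlText)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $status  = $doc.SelectSingleNode('/samlp:Response/samlp:Status', $ns)
    $topCode = $status.SelectSingleNode('samlp:StatusCode', $ns).GetAttribute('Value')
    $subCode = $status.SelectSingleNode('samlp:StatusCode/samlp:StatusCode', $ns)   # optional second-level code
    $message = $status.SelectSingleNode('samlp:StatusMessage', $ns)                 # optional, often absent from ADFS
    $issuer  = $doc.SelectSingleNode('/samlp:Response/saml:Issuer', $ns)

    # Meaning of the four top-level status codes defined by SAML 2.0.
    $hint = switch ($topCode) {
        'urn:oasis:names:tc:SAML:2.0:status:Success'         { 'IdP accepted the request' }
        'urn:oasis:names:tc:SAML:2.0:status:Requester'       { 'IdP blames the request: check the AuthnRequest and the SP metadata registered at the IdP' }
        'urn:oasis:names:tc:SAML:2.0:status:Responder'       { 'IdP failed on its own side: the reason is only in the IdP log (ADFS Admin event log), not in the response' }
        'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch' { 'SAML protocol version not supported by the IdP' }
        default                                              { 'Unknown top-level status code' }
    }

    [pscustomobject]@{
        Issuer        = if ($issuer)  { $issuer.InnerText } else { $null }
        StatusCode    = $topCode
        SubStatusCode = if ($subCode) { $subCode.GetAttribute('Value') } else { $null }
        StatusMessage = if ($message) { $message.InnerText } else { $null }
        Hint          = $hint
    }
}

# Constructed sample: the shape of the failure in the question, a Responder status with no
# <samlp:StatusMessage>, which is what ADFS sends when token issuance fails server-side.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response-id" Version="2.0"
                IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>http://myfedservicesserver.com/trustme</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>
'@
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))

Get-SamlResponseStatus -Base64Response $sampleB64 | Format-List
```

For the constructed sample the output shows StatusCode = Responder, SubStatusCode and StatusMessage both empty, and the hint that the cause has to be read from the ADFS event log; that is exactly the situation where changing SP-side settings such as the signature algorithm cannot help by itself.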

Answer Source

After struggling for many days, I found that my application works fine over the internet but not in the intranet environment. I checked the ADFS server logs and found the exception below:

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '2312312213BKHDIIDHD783j3bsd' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

I verified my application certificate: it is CA-trusted and within its validity period, but the issue still exists in the intranet. I did not understand why the ADFS server says the certificate is not valid and returned the

urn:oasis:names:tc:SAML:2.0:status:Responder

status code in the response. I then disabled the signing certificate trust check in the ADFS server and now it works fine for me. I don't know whether this is a valid solution or not, but it worked for me.
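MSIS7098 is raised when ADFS cannot build a trusted, non-revoked chain for the relying party's signing certificate, and an ADFS host that can reach the CA's CRL/OCSP endpoints from the internet but not from the intranet produces exactly the "works externally, fails internally" split described in the answer. The script below is an added example, not from the answer or from Microsoft: run on the ADFS server, it shows the revocation-check setting ADFS currently applies to this relying party, reproduces the chain build locally so an unreachable CRL/OCSP URL appears as an explicit chain status, and finally applies the relaxed setting the answer describes. The relying party identifier is the SP entity ID from the question's log; the exported certificate path is a placeholder.

```powershell
# Added example, not from the answer: on the ADFS server, find out why a relying party's
# signing certificate fails validation (MSIS7098) and inspect/adjust the revocation check.
# Assumptions: the relying party trust is identified by the SP entity ID below, and the SP's
# signing certificate has been exported (DER or Base64 .cer) to the placeholder path below.
Import-Module ADFS

$rpIdentifier = 'https://my.domain.com:443/app/saml/metadata'   # SP entity ID from the question
$spCertPath   = 'C:\temp\sp-signing-cert.cer'                    # placeholder path

# 1. Which revocation check does ADFS currently apply to this relying party's certificates?
Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier |
    Select-Object Name, Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

# 2. Reproduce the chain build from the ADFS host itself. With RevocationMode 'Online' a CRL/OCSP
#    endpoint that the intranet cannot reach shows up as RevocationStatusUnknown/OfflineRevocation;
#    with 'NoCheck' only chain trust is evaluated, so the two results separate the two causes.
function Test-SpCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $RevocationMode = 'Online'   # Online | Offline | NoCheck
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = $RevocationMode
    $chain.ChainPolicy.RevocationFlag       = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
    $ok = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        RevocationMode = $RevocationMode
        ChainValid     = $ok
        Problems       = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        # CRL Distribution Points extension (OID 2.5.29.31): the URLs the ADFS host must be able to reach.
        CrlUrls        = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | ForEach-Object { $_.Format($false) })
    }
}

Test-SpCertificateChain -Path $spCertPath -RevocationMode 'Online'  | Format-List
Test-SpCertificateChain -Path $spCertPath -RevocationMode 'NoCheck' | Format-List

# 3. The setting the answer changed. Letting the ADFS host reach the CRL/OCSP URLs printed above
#    keeps the check intact; 'None' is the fallback and removes revocation checking for this
#    relying party only (other values: CheckEndCert, CheckChain, CheckChainExcludeRoot, ...).
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -SigningCertificateRevocationCheck None
```

Reading the two chain results together tells you which fix applies: if the 'NoCheck' build succeeds and only the 'Online' build reports a revocation problem, the certificate itself is fine and the intranet ADFS host simply cannot fetch the CRL/OCSP data, so opening that path (or a proxy for it) fixes the problem without weakening validation; if even 'NoCheck' fails, the chain is not trusted on the ADFS host and the issuing CA needs to be installed there.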