ĐARK々MÁTTER14mo ago

Getting `urn:oasis:names:tc:SAML:2.0:status:Responder` from ADFS when using SAML

One of our customers is using AD FS on their Microsoft Server 2016 and we are connecting zitadel SP to their IDP using SAML 2.0. In the callback response we are getting
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
</samlp:Status>
More about this error code: https://stackoverflow.com/questions/62680613/adfs-dont-pass-claims-from-ws-fed-response-from-claim-provider-to-outgoing-saml
6 Replies
ĐARK々MÁTTER (OP) 14mo ago
Event ID: 378 on the windows server
SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

User Action:
Verify that signature algorithm for the partner is configured as expected.
@Zitadel Staff Please help me.
FFO14mo ago
Maybe @stebenz can lend a hand here
stebenz14mo ago
@ĐARK々MÁTTER If I go off this error message, it seems that ADFS can only handle the SAMLRequest signed with RSA SHA1. Do you know if the ADFS even needs a signed request? As I see it, http://www.w3.org/2000/09/xmldsig#rsa-sha1 is used as default, so I'm wondering where this http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 comes from. And when I read the answers in this post, for example https://stackoverflow.com/a/63631992, and understand it correctly, could there be a configuration problem on the side of the ADFS?
stebenz14mo ago
Related to this, in combination with this post https://stackoverflow.com/a/42485067 it seems like ADFS expects RSA SHA256 and can't handle the RSA SHA1.
stebenz14mo ago
Seems like others have the same problem https://stackoverflow.com/a/71258347
ĐARK々MÁTTER (OP) 14mo ago
So in our ADFS the signing algorithm by default was sha-256. I have asked our IT team to use SHA1 and it works

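The Event ID 378 message quoted in this thread names both algorithm URIs: the one the SP actually signed with and the one the relying-party trust on ADFS is configured to expect. The script below is an added example, not code from Zitadel or from Microsoft; it reads the signature algorithm out of a SAML request for both bindings (the ds:SignatureMethod element of an enveloped XML signature for HTTP-POST, and the SigAlg query parameter for HTTP-Redirect) and compares it with the partner's configured expectation, so the mismatch can be confirmed on the SP side before either party changes its configuration. The AuthnRequest XML, the redirect URL, the hostnames and the signature values are constructed placeholders; the only real identifiers are the SAML/XMLDSig namespaces and the two algorithm URIs from the event log. As the linked Stack Overflow answer mentions, ADFS also exposes the expected algorithm per relying party on the advanced tab of the trust, so the mismatch can equally be resolved by setting ADFS to SHA-256 rather than moving the SP to SHA-1.

```python
"""Report which signature algorithm a SAML request carries (added example, constructed input)."""
import base64
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Real namespace URIs from the SAML 2.0 and XML Signature specifications.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The two algorithm URIs named in the ADFS Event ID 378 message above.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ALGORITHM_NAMES = {RSA_SHA1: "RSA-SHA1", RSA_SHA256: "RSA-SHA256"}

# Constructed AuthnRequest for the HTTP-POST binding: the enveloped ds:Signature
# sits directly under samlp:AuthnRequest. Digest and signature values are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.invalid/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-id-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Same request without a signature, to show the unsigned case.
SAMPLE_UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>"""

# Constructed HTTP-Redirect binding URL. In that binding the request is deflated and
# base64-encoded, and the algorithm travels separately as the SigAlg query parameter.
SAMPLE_REDIRECT_URL = "https://adfs.example.invalid/adfs/ls/?" + urlencode({
    "SAMLRequest": base64.b64encode(b"<deflated-request-placeholder>").decode(),
    "SigAlg": RSA_SHA256,
    "Signature": base64.b64encode(b"<signature-placeholder>").decode(),
})


def signature_algorithm_from_xml(xml_text: str) -> Optional[str]:
    """Return the ds:SignatureMethod Algorithm of an enveloped signature, or None if unsigned."""
    root = ET.fromstring(xml_text)
    node = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return node.get("Algorithm") if node is not None else None


def signature_algorithm_from_redirect(url: str) -> Optional[str]:
    """Return the SigAlg parameter of a signed HTTP-Redirect request, or None if no Signature is present."""
    query = parse_qs(urlsplit(url).query)
    if "Signature" not in query:
        return None
    return query.get("SigAlg", [None])[0]


def diagnose(actual: Optional[str], expected: str) -> str:
    """Compare the algorithm found in the message with the one the partner is configured for."""
    if actual is None:
        return "unsigned: request carries no signature"
    if actual == expected:
        return "ok"
    # Mirrors the substance of the Event ID 378 text: signed with X, expected Y.
    return (f"mismatch: signed with {ALGORITHM_NAMES.get(actual, actual)}, "
            f"partner expects {ALGORITHM_NAMES.get(expected, expected)}")


if __name__ == "__main__":
    # The partner in this thread expected RSA-SHA1; the SP signed with RSA-SHA256.
    print("POST binding:    ", diagnose(signature_algorithm_from_xml(SAMPLE_AUTHN_REQUEST), RSA_SHA1))
    print("Redirect binding:", diagnose(signature_algorithm_from_redirect(SAMPLE_REDIRECT_URL), RSA_SHA1))
    print("Unsigned:        ", diagnose(signature_algorithm_from_xml(SAMPLE_UNSIGNED_REQUEST), RSA_SHA1))
```

Run it against a captured SAMLRequest (the POST form field, base64-decoded, or the full redirect URL from the browser) and the diagnosis will reproduce the pair of URIs from the ADFS event log, which tells you which side's configuration to compare against the other.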