1,305 questions
Doesn't seem like there is a way to have resolved this from ADFS side. Cisco was able to update the code for the ASA that had resolved the issue, and everything is working now.
ADFS Adjusting MetaData to remove client-request-id
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 26%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
dSiz
101
Reputation points
Hi All,
Have an ADFS server setup for various connections. All SAML configs work while connecting directly to ADFS. We are trying to set up a WAP to secure our network a bit more and to force Forms Based Authentication to external users.
During testing, there is 1 SAML trust that does not work through the WAP and came to the conclusion with the vendor that the issue is when going through the WAP the SAML POST adds an extra parameter called "client-request-id" which the SP doesn't accept and therefore fails.
They are saying that the fix needs to be applied from the ADFS side, but I am unable to find anything that is public knowledge that will allow this change?
Lastly, they are deploying a code fix in the future that will accept the client-request-id but at this time no ETA. Also for knowledge, the vendor is Cisco :D, and the issue is with VPN ( AnyConnect ) through ASA.
Thank you,
Daniel
Microsoft Security | Active Directory Federation Services
{count} votes
-
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee2021-03-02T17:54:01.62+00:00 Hi! I am not aware of this issue. Do you have a trace you can share?
-
dSiz 101 Reputation points
2021-03-02T18:04:25.627+00:00 Hello! Here are a few other links for reference that I ran across my research
- Same issue, but different SP and the SP had performed fix on their end (adfs-2019-clientrequestid-query-string-parameter-on-authorize-request-oauth2)
- Link that explains that a WAP passes extra query string. If you search client-request-id on that page you will find it (https://journeyofthegeek.com/tag/adfs/)
- Link to the Cisco ASA bug report that mentions that if the IDP provides an extra query string for the SAML Assertion then it will fail (CSCvw53427 Cisco Bug repot)
-
dSiz 101 Reputation points
2021-03-02T18:04:42.87+00:00 I have reached out to Cisco and I mentioned that bug and they said that yes that is the issue, and they are working on a new ASA version that will fix the problem but with no ETA. But originally were pushing for me to fix the issue on ADFS, but I don't think there is any way to adjust ADFS to cancel sending that 2nd query statement when going through a WAP.
Sign in to comment