[ADFS][SAML][Response][Signature] ADFS doesn't send a signature block in the Response message

Emmanuel MESSEGUE 1 Reputation point
2021-07-20T17:37:18.37+00:00

Hi,

I have configured my ADFS to send a signature in the Response message.
I have set my relying party like this (see below)
The authentication works fine and I can log into my SP.
However, the Response message doesn't contain the Signature block.

I tried with Keycloak and it works fine; I can see the Signature block in the Response message.

When I set up my SP to require a response signature, obviously I get an error since I don't have the block in the Response message.

What is the correct ADFS configuration to get the Signature block sent in the Response message, please?

Thanks for your help, it's driving me crazy.

PS C:\Users\user01> Get-AdfsRelyingPartyTrust -name "XXXX"


AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : None
PublishedThroughProxy                : False
SigningCertificateRevocationCheck    : None
WSFedEndpoint                        : 
AdditionalWSFedEndpoint              : {}
ClaimsProviderName                   : {}
ClaimsAccepted                       : {}
EncryptClaims                        : True
Enabled                              : True
EncryptionCertificate                : 
Identifier                           : YYYY
NotBeforeSkew                        : 0
EnableJWT                            : False
AlwaysRequireAuthentication          : False
Notes                                : 
OrganizationInfo                     : 
ObjectIdentifier                     : 731cfe19-5fe3-eb11-9afb-0050568f44bf
ProxyEndpointMappings                : {}
ProxyTrustedEndpoints                : {}
ProtocolProfile                      : WsFed-SAML
RequestSigningCertificate            : {[Subject]
                                         CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR

                                       [Issuer]
                                         CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR

                                       [Serial Number]
                                         44ECB0E72927002223D1E196D1019C7A6A4650C6

                                       [Not Before]
                                         20/07/2021 16:13:13

                                       [Not After]
                                         20/07/2022 16:13:13

                                       [Thumbprint]
                                         C52F394C2415805A889E767398165BB087125805
                                       }
EncryptedNameIdRequired              : False
SignedSamlRequestsRequired           : False
SamlEndpoints                        : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature                : MessageOnly
SignatureAlgorithm                   : http://www.w3.org/2000/09/xmldsig#rsa-sha1
TokenLifetime                        : 0
AllowedClientTypes                   : Public, Confidential
IssueOAuthRefreshTokensTo            : AllDevices
RefreshTokenProtectionEnabled        : True
RequestMFAFromClaimsProviders        : False
ScopeGroupId                         : 
ScopeGroupIdentifier                 : 
DeviceAuthenticationMethod           : 
Name                                 : XXXX
AutoUpdateEnabled                    : False
MonitoringEnabled                    : False
MetadataUrl                          : 
ConflictWithPublishedPolicy          : False
IssuanceAuthorizationRules           : 
IssuanceTransformRules               : @RuleName = "Transform Domain User to User"
                                       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
                                        => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, 
                                       "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = 
                                       "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");


DelegationAuthorizationRules         : 
LastPublishedPolicyCheckSuccessful   : 
LastUpdateTime                       : 01/01/1900 00:00:00
LastMonitoredTime                    : 01/01/1900 00:00:00
ImpersonationAuthorizationRules      : 
AdditionalAuthenticationRules        : 
AccessControlPolicyName              : Permit everyone
AccessControlPolicyParameters        : 
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit everyone
                                       }

2 answers

  1. Emmanuel MESSEGUE 1 Reputation point
    2021-07-20T18:01:03.14+00:00

    I changed the SignatureAlgorithm back to sha256 instead of sha1.
    Same result.
    Still no Signature block in the Response message.
    I just got:

    <samlp:Response ID="_b553abf5-da78-43a5-a8fc-d62adcb64ba8"
                    Version="2.0"
                    IssueInstant="2021-07-20T17:55:30.434Z"
                    Destination="https://RRRRR:8081/platform-5.3.x/saml/sp/SSO/alias/continuity"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    InResponseTo="ARQ3ef9427-e008-4b91-b023-3957c3737414"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://QQQQQ/adfs/services/trust</Issuer>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </samlp:Status>
        <Assertion ID="_c63056ec-28af-4d55-9732-567dfba0b1b8"
                   IssueInstant="2021-07-20T17:55:30.434Z"
                   Version="2.0"
                   xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                   >
            <Issuer>http://QQQQQ/adfs/services/trust</Issuer>
            <Subject>
                <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user01</NameID>
                <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <SubjectConfirmationData InResponseTo="ARQ3ef9427-e008-4b91-b023-3957c3737414"
                                             NotOnOrAfter="2021-07-20T18:00:30.434Z"
                                             Recipient="https://RRRR:8081/platform-5.3.x/saml/sp/SSO/alias/continuity"
                                             />
                </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2021-07-20T17:55:30.434Z"
                        NotOnOrAfter="2021-07-20T18:55:30.434Z"
                        >
                <AudienceRestriction>
                    <Audience>https://RRRR:8081/platform-5.3.x</Audience>
                </AudienceRestriction>
            </Conditions>
            <AuthnStatement AuthnInstant="2021-07-20T17:55:30.231Z"
                            SessionIndex="_c63056ec-28af-4d55-9732-567dfba0b1b8"
                            >
                <AuthnContext>
                    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
                </AuthnContext>
            </AuthnStatement>
        </Assertion>
    </samlp:Response>
    

  2. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2021-07-21T01:20:35.24+00:00

    Your current setting is:

     SamlResponseSignature                : MessageOnly
    

    Your token should look like this:

    <samlp:Response ID="_501c00d5-0448-4cd9-a53b-3e215ae8364d" Version="2.0" IssueInstant="2021-07-21T01:10:19.093Z" Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.piesec.ca/adfs/services/trust
        </Issuer>
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_501c00d5-0448-4cd9-a53b-3e215ae8364d">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>468jLaLACn76HmOmmT+Hmk7eYauelXjBAOfbvpATJeE=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Lfb8xVVAJSp8RvZXCgl5PEEgEMABE+nPC0OiTCHKYjrKWb/Wv0mwl7VREHQKsuyYkaWLKFOfKiAfplm3mnifkb3gzQUL5eQ50OTmQZPoVh0ek+l0HIVyKgvgnRafVaSggd3VXHYqEVBQ8TyZj+8aWtWgb6lTBqQWlhjts+hIQrSp6+JyAywY97RadjzEjvspG+6tq3opiFnKovvGEYzSRlalalalafAxOc9b8oREQfKPfTiEcpQQ50VlDZPe4c2uJLxP/G5ToqevL03vkPGiN/x2gnegQfyPPOQILYinkEKAEJZKRaZYRm6if1KLoollLFP+YNgr5v1ioViq8fccPRUIQ==</ds:SignatureValue>
            <KeyInfo
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIC1jCCAb.....</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </samlp:Status>
        <Assertion ID="_225d93ca-25c6-46cc-9034-8e4896892589" IssueInstant="2021-07-21T01:10:19.092Z" Version="2.0"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://sts.piesec.ca/adfs/services/trust</Issuer>
            <Subject>
                <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">administrator@piesec.ca</NameID>
                <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <SubjectConfirmationData NotOnOrAfter="2021-07-21T01:15:19.093Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
                </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2021-07-21T01:10:19.092Z" NotOnOrAfter="2021-07-21T02:10:19.092Z">
                <AudienceRestriction>
                    <Audience>urn:microsoft:adfs:claimsxray</Audience>
                </AudienceRestriction>
            </Conditions>
            <AuthnStatement AuthnInstant="2021-07-21T01:10:18.968Z" SessionIndex="_225d93ca-25c6-46cc-9034-8e4896892589">
                <AuthnContext>
                    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
                </AuthnContext>
            </AuthnStatement>
        </Assertion>
    </samlp:Response>
    

    If you set it to AssertionOnly, it will look like this:

    <?xml version="1.0" encoding="utf-16"?>
    <samlp:Response ID="_e28208da-046b-4a8a-aac3-d39b89d8a40e" Version="2.0" IssueInstant="2021-07-21T01:12:37.148Z" Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.piesec.ca/adfs/services/trust</Issuer>
     <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
     </samlp:Status>
     <Assertion ID="_091af701-b78c-4486-9da6-a59bd3f03df9" IssueInstant="2021-07-21T01:12:37.148Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
     <Issuer>http://sts.piesec.ca/adfs/services/trust</Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
     <ds:Reference URI="#_091af701-b78c-4486-9da6-a59bd3f03df9">
     <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
     <ds:DigestValue>lTXjO3tFhSooIiNkcIk3zvUzSvvZLoH8bxaMx/yLIXE=</ds:DigestValue>
     </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>SONPW4T9bK5as5vlalalala7dbLYECjSlNwwLT7/q4g+Mr+mPydZ5QpuHMf1lU9QGZk/ZfpwVCCJ1q5/7B+n1KQSv3IHR+5hiH28oOtim5fBvLpYQNB24BVySGO9Veip3w54EKIRAIjWXCi/qpcKWK9Ehcv3N76BmNk5rhTDYh3lZ2py09h0mIH+R6RsrRPWc1j6g9LKAyOZXJi2SfqJfFh1SzC9qVkntnQx4bJ3XtuPJa34I+F7eqMNZYJxNf3N6dM3WisukLhtPeVPwdKGH9XAYZwHB6gJpmlc1gnQXjKLtABYLEas+fqrtd+zZkC+wDORJXBRrx94vj7JbCbVfZPT5w==</ds:SignatureValue>
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
     <ds:X509Certificate>MIIC1jCCAb....</ds:X509Certificate>
     </ds:X509Data>
     </KeyInfo>
     </ds:Signature>
     <Subject>
     <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">administrator@piesec.ca</NameID>
     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
     <SubjectConfirmationData NotOnOrAfter="2021-07-21T01:17:37.148Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
     </SubjectConfirmation>
     </Subject>
     <Conditions NotBefore="2021-07-21T01:12:37.147Z" NotOnOrAfter="2021-07-21T02:12:37.147Z">
     <AudienceRestriction>
     <Audience>urn:microsoft:adfs:claimsxray</Audience>
     </AudienceRestriction>
     </Conditions>
     <AuthnStatement AuthnInstant="2021-07-21T01:12:37.040Z" SessionIndex="_091af701-b78c-4486-9da6-a59bd3f03df9">
     <AuthnContext>
     <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
     </AuthnContext>
     </AuthnStatement>
     </Assertion>
    </samlp:Response>
    

    And if you set it with MessageAndAssertion it will look like this:

    <?xml version="1.0" encoding="utf-16"?>
    <samlp:Response ID="_abd169b5-1db5-4448-9334-5b1964ba500a" Version="2.0" IssueInstant="2021-07-21T01:14:20.961Z" Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.piesec.ca/adfs/services/trust</Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
     <ds:Reference URI="#_abd169b5-1db5-4448-9334-5b1964ba500a">
     <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
     <ds:DigestValue>rfGjlXiUiQ4dMiH+OcjevAFrcQ8wvs5CSvhMJniU4Jw=</ds:DigestValue>
     </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>ijHl1KoBuQFB+PWmwgKPzm1IneIhpgZWxRf4NEHyZwhhq0KW+HrnFBb/ruYHBngsz1wN3vpnqRGD45+75BX8ShiFXx+1J+u/HpO5b8Q2kXghCwkDhE1fjvNC8vpq1VfZdOoM1IPSuzZ6886/dOHq1FqmwfjLk6nDcYFmTa22ksQLs88e2Pz1Dth0F8/+c85K+KjMRTsIAi1UlLfNV0jVjIgjDVDxlLJGm0TQmFGZMvFXVlkR7Dmq9/DlvUmC1B2htiyRhcL92FPFBm6l1ZgFYyk/x2MmJZuUSJpkRp0PMvjZT4Dn3th4LbENAuTQTAz9AC8FHtNfXqrRMWEmOLxEBQ==</ds:SignatureValue>
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
     <ds:X509Certificate>MIIC1jCCAb6gA....</ds:X509Certificate>
     </ds:X509Data>
     </KeyInfo>
     </ds:Signature>
     <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
     </samlp:Status>
     <Assertion ID="_5d0838b5-7f5e-4e3c-aac9-eba6f5048813" IssueInstant="2021-07-21T01:14:20.959Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
     <Issuer>http://sts.piesec.ca/adfs/services/trust</Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
     <ds:Reference URI="#_5d0838b5-7f5e-4e3c-aac9-eba6f5048813">
     <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
     <ds:DigestValue>aEwUzRFwmjoUm0TAvOurfE8N/EVFXgb6kYfWizTiDyQ=</ds:DigestValue>
     </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>N34C0GMoW3bdb6SgTghoseu6tHOt+R/lalallalala/vefRP/BxS0YsOusZD5ZPWMOP4hr1moc/YnAFYhnxilaz+ktDiCB2IYjL8K3gKHYYv6JU2wXj+XwQxGziyxq2RBdw6f3fmX4GmSO9NLikhs3vnn9FIK9K3Po8lGOlOqiDGUk+85Zq1T3L7g+a8vDTGxJIa4NH4wPvg0gwoLwHKF96PwhRD8rjPPdAHiiOJftrJK2PgC6lqxFF92bU5K82D13xTmw+W6jZM4kQhiKfcmByuJYhwAjYdwnnQE7TbwYoKdo235/Ug7q/cRePAyTKcMDITeviWVt4d5dBS6Q==</ds:SignatureValue>
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
     <ds:X509Certificate>MIIC1jCCAb6gAwIBA.....</ds:X509Certificate>
     </ds:X509Data>
     </KeyInfo>
     </ds:Signature>
     <Subject>
     <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">administrator@piesec.ca</NameID>
     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
     <SubjectConfirmationData NotOnOrAfter="2021-07-21T01:19:20.961Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
     </SubjectConfirmation>
     </Subject>
     <Conditions NotBefore="2021-07-21T01:14:20.959Z" NotOnOrAfter="2021-07-21T02:14:20.959Z">
     <AudienceRestriction>
     <Audience>urn:microsoft:adfs:claimsxray</Audience>
     </AudienceRestriction>
     </Conditions>
     <AuthnStatement AuthnInstant="2021-07-21T01:14:20.875Z" SessionIndex="_5d0838b5-7f5e-4e3c-aac9-eba6f5048813">
     <AuthnContext>
     <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
     </AuthnContext>
     </AuthnStatement>
     </Assertion>
    </samlp:Response>
    

    So I can't repro, as I always have a signature block. Granted, it's not the same thing that is signed, depending on the setting. How did you extract the token?

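The three settings compared in the answer above differ only in where the enveloped `ds:Signature` sits: a direct child of `samlp:Response` (MessageOnly), a direct child of `Assertion` (AssertionOnly), or both (MessageAndAssertion). The checker below is an added example, not code from this thread or from ADFS: it parses a Response the SP received, reports which elements carry a signature, maps that back to the ADFS setting name, and verifies that each signature's `Reference URI` points at the `ID` of the element it is enveloped in with the enveloped-signature transform present. The sample responses it builds are constructed, with placeholder digest and signature values and a made-up issuer, so it checks placement and reference binding only, not the cryptographic signature itself.

```python
"""Classify where the XML signature(s) sit in a SAML 2.0 Response.

Added example (not part of the original thread and not ADFS code). Uses only
the Python standard library. Reports whether samlp:Response and/or Assertion
carry a direct-child ds:Signature, names the matching ADFS
SamlResponseSignature mode, and checks that each signature's Reference URI
targets the ID of the element it is enveloped in.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def _direct_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None.

    Only direct children count: a Signature nested deeper belongs to some
    other element and must not be credited to this one."""
    for child in elem:
        if child.tag == "{%s}Signature" % NS["ds"]:
            return child
    return None


def _signature_binds_to(sig, elem):
    """True when sig has exactly one Reference whose URI is '#' + elem's ID
    and which lists the enveloped-signature transform, i.e. the signature
    covers the element that encloses it rather than something else."""
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False
    ref = refs[0]
    transforms = [t.get("Algorithm")
                  for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    return ref.get("URI") == "#" + (elem.get("ID") or "") and ENVELOPED in transforms


def classify_response(xml_text):
    """Return a dict describing signature placement in a samlp:Response.
    'mode' mirrors the ADFS SamlResponseSignature values, plus 'Unsigned'."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    resp_sig = _direct_signature(root)
    asrt_sig = _direct_signature(assertion) if assertion is not None else None
    result = {
        "response_signed": resp_sig is not None,
        "assertion_signed": asrt_sig is not None,
        # an EncryptedAssertion cannot be inspected here before decryption
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "response_sig_bound": resp_sig is not None and _signature_binds_to(resp_sig, root),
        "assertion_sig_bound": asrt_sig is not None and _signature_binds_to(asrt_sig, assertion),
    }
    if resp_sig is not None and asrt_sig is not None:
        result["mode"] = "MessageAndAssertion"
    elif resp_sig is not None:
        result["mode"] = "MessageOnly"
    elif asrt_sig is not None:
        result["mode"] = "AssertionOnly"
    else:
        result["mode"] = "Unsigned"
    return result


def _sig_xml(target_id):
    """Constructed placeholder signature: digest and signature values are fake."""
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#%s"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    ) % target_id


def sample_response(sign_message, sign_assertion, assertion_ref_id=None):
    """Build a constructed samlp:Response in the shape ADFS emits (issuer and
    IDs are made up). assertion_ref_id lets a test produce an assertion
    signature whose Reference points at the wrong ID."""
    rid, aid = "_resp-1", "_asrt-1"
    return (
        '<samlp:Response ID="%s" Version="2.0" '
        'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        'http://idp.example/adfs/services/trust</Issuer>%s'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<Assertion ID="%s" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<Issuer>http://idp.example/adfs/services/trust</Issuer>%s'
        '<Subject><NameID>user01</NameID></Subject></Assertion></samlp:Response>'
    ) % (rid, _sig_xml(rid) if sign_message else "", aid,
         _sig_xml(assertion_ref_id or aid) if sign_assertion else "")


if __name__ == "__main__":
    for label, args in [("unsigned", (False, False)), ("MessageOnly", (True, False)),
                        ("AssertionOnly", (False, True)), ("Both", (True, True))]:
        print(label, classify_response(sample_response(*args)))
```

Run it against the Response pasted in the first answer and it reports `Unsigned`, which is what the SP is complaining about; the `*_sig_bound` flags are the extra check an SP should insist on, since a Signature whose Reference points at some other ID proves nothing about the element it is sitting in.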
