AD FS 2.0: The Admin Event Log Contains Error Event 320. "MSIS1010: Signed SAML message must have Destination URI specified."

Symptoms

The following event is logged in the AD FS 2.0/Admin event log:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          6/15/2011 6:06:40 PM
Event ID:      320
Task Category: None
Level:         Error
Keywords:      AD FS
User:          S-1-5-21-1649024403-837180741-839522115-31657
Computer:      ADFS
Description:
The verification of the SAML message signature failed.
**Message issuer: http://sso.contoso.com/SSO/
**Exception details:
MSIS1010: Signed SAML message must have Destination URI specified.

This request failed.

User Action
Verify that the message issuer configuration in the AD FS configuration database is up to date.
Configure the signing certificate for the specified issuer.
Verify that the issuer's certificate is up to date.
Verify the issuer and server message signing requirements.

Cause

A Relying Party Trust is sending a SAML 2.0 SamlRequest which is digitally signed, but the SamlRequest does not contain the required Destination URI

From SAML 2.0 specification, SAMLBind:

3.4.5.2 Security Considerations

The presence of the user agent intermediary means that the requester and responder cannot rely on the

transport layer for end-end authentication, integrity and confidentiality. URL-encoded messages MAY be

signed to provide origin authentication and integrity if the encoding method specifies a means for signing.

If the message is signed, the Destination XML attribute in the root SAML element of the protocol

message MUST contain the URL to which the sender has instructed the user agent to deliver the

message. The recipient MUST then verify that the value matches the location at which the message has

been received.

Resolution

The Relying Party Trust, identified in the event by Message issuer, must be configured to either send the Destination URI with the SamlRequest or be configured to not digitally sign the SamlRequest.