SAML authentication fails with error MSIS7075

Question

Windows Server 2012 R2

ADFS relying party: RPIdentifier

SAML Endpoints: https://myhost.domain/adfs/ls and https://10.2.0.225/saml bound to POST

Encryption: The self-signed certificate used for ADFS is imported in the IIS Manager and is used by the service provider to submit the SAML request

Authentication Policies: Enabled both Form and Certificate Authentication

ADFS Service account: service running with an account which is member of the following groups

• Administrators
• Domain Admins
• Domain Controllers
• Domain Users
• Enterprise Admins
• Group Policy Creator Owners
• Schema Admins
• Windows Authorization Access Group

The service provider requests a SAML authentication:

<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_eee714b37b1be43404ba" Version="2.0" IssueInstant="2016-08-09T16:02:21.274Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://10.2.0.225/saml" Destination="https://myhost.domain/adfs/ls">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">RPIdentifier</saml:Issuer>
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The login page appears but as soon as the correct credentials are inserted and submitted an error page appears containing the text:

An error occurred. Contact your administrator for more information.

On the ADFS server the following error appears in the Event Viewer:

MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations

I took a look here ( paragraph 4.1.4.1 ) and then checked the XML request but I couldn't find any "SubjectConfirmations" tag which is good according to what is specified by the standard.

How can I figure out what is the root cause of the problem ?

Answer 1

It looks like signedsamlrequests=true is configured but you are not sending a signed SAML request to AD FS.

When you run below command does it return TRUE?

(get-adfsproperties).signedsamlrequestsrequired

If yes, then use below command to turn it off and test again.

set-adfsproperties -signedsamlrequestsrequired $false

Ideally you should configure RPIdentifier app to send signed requests and then configure the RP trust with details of the certificate used by RPIdentifier to sign requests.

P.S. Your AD FS service account should not be privileged and need not be. Just a normal user account in AD will suffice. No need to be a member of any group other than domain users.

Remove the service account's membership from

•Administrators •Domain Admins •Domain Controllers •Enterprise Admins •Group Policy Creator Owners •Schema Admins

Your RP identifier only really needs to know about the token signing certificate used by AD FS. I am not sure what you meant by "Encryption". If the token signing cert is changed (by auto cert rollover or otherwise) you need to update RP identifier side with details of the new token signing cert from AD FS. Similarly if the RPIdentifier side certs change, the RP trust on AD FS must be updated.

If your app expects AD FS to send assertions encrypted then the RPIdentifier needs to supply a cert to be used for encryption. This will be configured on the RP trust at the AD FS side. Note the cert is provided by RPIdentifier.