Getting Error when connecting to ADFS Connection

rahul.bisht · December 11, 2019, 6:43am

I have configured ADFS connection with a client but when i am trying to login it is giving me error.

Signature is missing (xpath: /[local-name(.)=‘Assertion’]/[local-name(.)=‘Signature’ and namespace-uri(.)=‘XML-Signature Syntax and Processing’])",

can you please check

rahul.bisht · December 11, 2019, 7:22am

@jmangelo can you help me with this

jmangelo · December 11, 2019, 1:46pm

When using an ADFS connection the ADFS instance will response with a SAML assertion that will be processed by the Auth0 service; from the error message it seems that assertion is missing the signature, however, it would be better to confirm what is actually returned.

You should be able to use the browser network tools to see the HTTP responses after completing the login in ADFS; one of those responses should contain a SAML assertion so it may be useful to share it here after redacting personal information.

digital · January 21, 2020, 9:04am

Hello! I am having the exact same problem and the ADFS server does not send back any signature.

However it does not send an assertion either. It sends back a <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"> which seems just fine.

Is there any configuration I should modify to have it working ?

Thanks

jmangelo · January 21, 2020, 1:46pm

Usually within that response a SAML assertion (security token) would be present; what’s the contents of that response? Can you share a redacted version?

digital · January 21, 2020, 2:02pm

The content of what is sent to our callback ( https://ourdomain.eu.auth0.com/login/callback?connection=cnx) as Form data looks like :

<?xml version="1.0" encoding="UTF-8"?>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
   <t:Lifetime>
      <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-01-21T08:34:53.375Z</wsu:Created>
      <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-01-21T09:34:53.375Z</wsu:Expires>
   </t:Lifetime>
   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
         <wsa:Address>urn:auth0:digital-mediameeting</wsa:Address>
      </wsa:EndpointReference>
   </wsp:AppliesTo>
   <t:RequestedSecurityToken>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
               <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               </e:EncryptionMethod>
               <KeyInfo>
                  <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                     <X509Data>
                        <X509IssuerSerial>
                           <X509IssuerName>CN=digital-mediameeting.eu.auth0.com</X509IssuerName>
                           <X509SerialNumber>2152784060097880944993</X509SerialNumber>
                        </X509IssuerSerial>
                     </X509Data>
                  </o:SecurityTokenReference>
               </KeyInfo>
               <e:CipherData>
                  <e:CipherValue>XXXX</e:CipherValue>
               </e:CipherData>
            </e:EncryptedKey>
         </KeyInfo>
         <xenc:CipherData>
            <xenc:CipherValue>XXXXXX</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </t:RequestedSecurityToken>
   <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
   <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
   <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>

jmangelo · January 21, 2020, 2:21pm

Per (Connect Your App to ADFS) of our reference documentation we seem to instruct not to use encryption when configuring an ADFS connection and that response contains an encrypted security token. I confess I’m unsure if the reference docs are just a default option or if encryption is not supported at all for this connection type.

A possible test would be to configure ADFS to not send an encrypted response and see if the outcome changes.

digital · January 21, 2020, 2:29pm

OK, thanks for the quick reply. I will try to reconfigure the ADFS without encryption.

rahul.bisht · October 29, 2020, 1:20pm

Can we enable encryption for ADFS connection

jmangelo · October 29, 2020, 4:32pm

I confess I’m not sure if the ADFS connection supports encryption and I don’t have a readily available environment to try to test this. However, what I can say is if you have an ADFS instance and strictly need encryption of the returned assumptions you can always consider to use a SAML connection to integrate with the ADFS instance as encryption would be supported for SAML connections.