
Getting Error when connecting to ADFS Connection

I have configured an ADFS connection with a client, but when I try to log in it gives me an error.

Signature is missing (xpath: /*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'])

Can you please check?

@jmangelo, can you help me with this?

When using an ADFS connection, the ADFS instance will respond with a SAML assertion that will be processed by the Auth0 service; from the error message it seems that the assertion is missing the signature, however, it would be better to confirm what is actually returned.

You should be able to use the browser network tools to see the HTTP responses after completing the login in ADFS; one of those responses should contain a SAML assertion so it may be useful to share it here after redacting personal information.

Hello! I am having the exact same problem and the ADFS server does not send back any signature.

However it does not send an assertion either. It sends back a <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"> which seems just fine.

Is there any configuration I should modify to have it working?

Thanks

Usually within that response a SAML assertion (security token) would be present; what’s the contents of that response? Can you share a redacted version?

The content of what is sent to our callback (https://ourdomain.eu.auth0.com/login/callback?connection=cnx) as form data looks like:

<?xml version="1.0" encoding="UTF-8"?>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
   <t:Lifetime>
      <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-01-21T08:34:53.375Z</wsu:Created>
      <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-01-21T09:34:53.375Z</wsu:Expires>
   </t:Lifetime>
   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
         <wsa:Address>urn:auth0:digital-mediameeting</wsa:Address>
      </wsa:EndpointReference>
   </wsp:AppliesTo>
   <t:RequestedSecurityToken>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
               <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               </e:EncryptionMethod>
               <KeyInfo>
                  <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                     <X509Data>
                        <X509IssuerSerial>
                           <X509IssuerName>CN=digital-mediameeting.eu.auth0.com</X509IssuerName>
                           <X509SerialNumber>2152784060097880944993</X509SerialNumber>
                        </X509IssuerSerial>
                     </X509Data>
                  </o:SecurityTokenReference>
               </KeyInfo>
               <e:CipherData>
                  <e:CipherValue>XXXX</e:CipherValue>
               </e:CipherData>
            </e:EncryptedKey>
         </KeyInfo>
         <xenc:CipherData>
            <xenc:CipherValue>XXXXXX</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </t:RequestedSecurityToken>
   <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
   <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
   <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>

Per our reference documentation (https://auth0.com/docs/connections/enterprise/adfs#manual-setup), we seem to instruct not to use encryption when configuring an ADFS connection, and that response contains an encrypted security token. I confess I’m unsure if the reference docs are just a default option or if encryption is not supported at all for this connection type.

A possible test would be to configure ADFS to not send an encrypted response and see if the outcome changes.

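To make the diagnosis above concrete, here is an added Python check (not code from Auth0 or from this thread) that parses the RequestSecurityTokenResponse posted to the callback and reports what sits inside RequestedSecurityToken: xenc:EncryptedData (the case in this thread, where no plaintext Assertion exists for the error's XPath to find a Signature under), an Assertion without a Signature, or a signed Assertion. The sample responses are constructed and modelled on the response shown above, with placeholder cipher and signature values.

```python
import xml.etree.ElementTree as ET

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAML = {"urn:oasis:names:tc:SAML:1.0:assertion", "urn:oasis:names:tc:SAML:2.0:assertion"}


def diagnose_rstr(xml_text):
    """Return 'encrypted', 'unsigned', 'signed', 'no-token' or 'unexpected:<name>'."""
    root = ET.fromstring(xml_text)
    token = root.find(f"{{{WST}}}RequestedSecurityToken")
    if token is None or len(token) == 0:
        return "no-token"
    payload = token[0]  # first element inside the token wrapper
    # ElementTree tags look like '{namespace}local-name'
    ns, _, local = payload.tag[1:].partition("}") if payload.tag[0] == "{" else ("", "", payload.tag)
    if ns == XENC and local == "EncryptedData":
        # The thread's case: the token is ciphertext, so there is no plaintext
        # Assertion for the callback's XPath to locate a Signature under.
        return "encrypted"
    if ns in SAML and local == "Assertion":
        # Same test as the error's XPath: a direct Signature child in the xmldsig namespace.
        return "signed" if payload.find(f"{{{DSIG}}}Signature") is not None else "unsigned"
    return f"unexpected:{local}"


# Constructed sample modelled on the encrypted response shown above (cipher values are placeholders).
ENCRYPTED_RSTR = f"""<t:RequestSecurityTokenResponse xmlns:t="{WST}">
 <t:RequestedSecurityToken>
  <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
   <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
   <xenc:CipherData><xenc:CipherValue>XXXX</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </t:RequestedSecurityToken>
 <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityTokenResponse>"""

# Constructed: the shape the callback expects once encryption is switched off in ADFS.
SIGNED_RSTR = f"""<t:RequestSecurityTokenResponse xmlns:t="{WST}">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed">
   <ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>XXXX</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    for name, doc in (("encrypted", ENCRYPTED_RSTR), ("signed", SIGNED_RSTR)):
        print(f"{name}: {diagnose_rstr(doc)}")
```

Running it against the real form data captured with the browser network tools (after redacting it) tells you immediately whether you are looking at the encryption problem or at a genuinely unsigned assertion.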

OK, thanks for the quick reply. I will try to reconfigure the ADFS without encryption.