Shibboleth SP to ADFS 2.0 Client -SAML error during artifact resolution

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Shibboleth SP to ADFS 2.0 Client -SAML error during artifact resolution

pohear
Hello,

We have a client who's ADFS is stating the following line as invalid in our SAML Request :

<ds:X509SubjectName>CN=*.company.com,OU=Domain Control Validated</ds:X509SubjectName>

In which Microsoft (client opened a ticket for them to investigate) is asking if we can remove the X509SubjectName from the SOAP message.

Unfortunately Shibboleth does not have any way of configuring it as far as I can tell, the signatures are actually created from a library called XMLToolingC (a C++ project), so both this library and Shibboleth would need changing in order to make the necessary changes to the signature to be configurable.

Looking at the XML signature specifications, it is entirely valid to include these elements in the XML signature, and as is generally the case with specifications, applications should be lenient in what receive and strict in what they send. I believe Shibboleth is behaving correctly here and that the problem is still with ADFS.

This is the error they see:

opensaml::BindingException
The system encountered an error at Thu April 15 12:43:03 2015
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
opensaml::BindingException at (https://client.company.com/Client_Test/Shibboleth.sso/SAML2/Artifact)
Identity provider returned a SAML error during artifact resolution.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester

From client's debug logs:



Has anyone else come across this issue before? Or knows of a way to remove the <ds:X509SubjectName> in shibboleth?

Any suggestions would be welcomed we have been stuck on this for months.