ADFS 2.0 Not handling 'Extensions' tag in SAML AuthnRequest - Throwing Exception MSIS7015


We have ADFS 2.0 with Hotfix Rollup 2 installed, working as an identity provider for several external relying parties using SAML authentication. This week we attempted to add a new relying party; however, when the client presents an authentication request for the new party, ADFS returns an error page with a reference number and does not prompt the client for credentials.

I checked the server's ADFS 2.0 event log for the reference number, but it is not present (searching the Correlation ID column). I enabled the ADFS trace log, re-executed the authentication attempt, and this message was presented:

  Failed to process the web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse the incoming HTTP request:
  Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
     at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
     at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)

As the message indicates the request is not well formed, I went ahead and ran the request through xmlsectool, validated it against the SAML protocol XSD (http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd), and it came back clean:

  C:\Users\ebennett\Desktop\xmlsectool-1.2.0>xmlsectool.bat --validateSchema --inFile metaauth_kld_request.xml --schemaDirectory . --verbose
  INFO  XmlSecTool - Reading XML document from file 'metaauth_kld_request.xml'
  DEBUG XmlSecTool - Building DOM parser
  DEBUG XmlSecTool - Parsing XML input stream
  INFO  XmlSecTool - XML document parsed and is well-formed.
  DEBUG XmlSecTool - Building W3 XML Schema from file/directory 'C:\Users\ebennett\Desktop\xmlsectool-1.2.0\.'
  DEBUG XmlSecTool - Schema validating XML document
  INFO  XmlSecTool - XML document is schema valid

So I'm thinking ADFS isn't playing in full compliance with the SAML specification. To verify, I manually examined the submitted AuthnRequest and discovered our vendor is making use of the 'Extensions' element to embed custom properties (which is valid, according to the SAML specification). (Note: "ns33" below is correctly namespaced to "urn:oasis:names:tc:SAML:2.0:protocol" elsewhere in the request.)

  <ns33:Extensions>
    <vendor_ns:fedid xmlns:vendor_ns="urn:vendor.name.here" name="fedid" value="http://idmfederation.vendorname.org"/>
  </ns33:Extensions>

If I remove the above element from the AuthnRequest and resubmit it to ADFS, everything goes swimmingly. And, in fact, I can leave the 'Extensions' container in place and edit out only the vendor-namespaced element, and ADFS succeeds.

Now, I guess I have 3 questions:

  1. Why is the reference number not logged in the ADFS log? It would have helped the debugging effort.
  2. Is it a known issue that ADFS's SAML handler cannot handle custom elements defined within the Extensions element, and if so, is there a way to add support (or at least not crash while handling it)? The vendor has offered to change the generated SAML AuthnRequest to omit the tag, but said it 'may take time' -- and we all know what that means...
  3. Does anyone think installing ADFS Hotfix Rollup 3 will address the situation? I didn't see anything in the doc to indicate the affirmative.

Thanks for any feedback.
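As an added example that is not part of the original question, the following Python script reproduces the hand edit the question describes, applied to a SAMLRequest carried in an HTTP-Redirect query string (the trace says the message could not be read "from HTTP query"): it inflates and parses the AuthnRequest, removes the vendor element from <samlp:Extensions> (optionally keeping the empty container, which the question reports also works), and re-encodes the result. It refuses to edit a request that carries an XML signature or a Redirect-binding Signature parameter, because editing the body without re-signing would only move the failure from MSIS7015 to signature validation. The sample AuthnRequest, its request ID, issuer and sp.example.test URLs are constructed for this example; the vendor element is the one quoted in the question. Nothing here talks to ADFS.

```python
"""Strip <samlp:Extensions> content from a SAML 2.0 AuthnRequest in an HTTP-Redirect query.

Added example (not code from the question or from the vendor): scripts the
manual edit described in the question so it can be repeated and tested.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # on untrusted input prefer defusedxml
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP_NS), ("saml", SAML_NS), ("ds", DS_NS)):
    ET.register_namespace(_prefix, _uri)  # conventional prefixes on re-serialisation

# Constructed sample request. ID, IssueInstant, Issuer and ACS URL are made up;
# the element inside Extensions is the vendor element quoted in the question.
SAMPLE_AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<ns33:AuthnRequest xmlns:ns33="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0" IssueInstant="2013-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
  <ns33:Extensions>
    <vendor_ns:fedid xmlns:vendor_ns="urn:vendor.name.here" name="fedid" value="http://idmfederation.vendorname.org"/>
  </ns33:Extensions>
  <ns33:NameIDPolicy AllowCreate="true"/>
</ns33:AuthnRequest>
"""

# Same request with a placeholder (empty) ds:Signature child so the refusal path
# can be exercised; it is not a real XML signature, only element presence matters.
SIGNED_SAMPLE = SAMPLE_AUTHN_REQUEST.replace(
    "<ns33:Extensions>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>\n  <ns33:Extensions>',
)


def deflate_b64(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_query(xml_text: str) -> str:
    return urllib.parse.urlencode({"SAMLRequest": deflate_b64(xml_text)})


def parse_redirect_query(query: str) -> str:
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    return inflate_b64(params["SAMLRequest"][0])


def has_extensions(xml_text: str) -> bool:
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.find(f"{{{SAMLP_NS}}}Extensions") is not None


def strip_extensions(xml_text: str, keep_container: bool = False):
    """Remove every child of <samlp:Extensions>; drop the container too unless keep_container.

    Returns (new_xml, number_of_child_elements_removed).
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        # An enveloped signature covers the whole AuthnRequest; editing without
        # re-signing would just fail later, at signature validation.
        raise ValueError("AuthnRequest is signed; re-sign after editing or have the SP omit Extensions")
    removed = 0
    for ext in root.findall(f"{{{SAMLP_NS}}}Extensions"):
        for child in list(ext):
            ext.remove(child)
            removed += 1
        if not keep_container:
            root.remove(ext)
    return ET.tostring(root, encoding="unicode"), removed


def rewrite_redirect_query(query: str, keep_container: bool = False) -> str:
    """Decode a SAMLRequest query string, strip Extensions content, re-encode it."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    if "Signature" in params:
        # Redirect binding signs the encoded query parameters themselves.
        raise ValueError("query carries a Signature parameter; re-encoding would invalidate it")
    new_xml, _ = strip_extensions(inflate_b64(params["SAMLRequest"][0]), keep_container)
    return build_redirect_query(new_xml)


if __name__ == "__main__":
    original = build_redirect_query(SAMPLE_AUTHN_REQUEST)
    print(parse_redirect_query(rewrite_redirect_query(original)))
```

Run as is, the script prints the re-encoded AuthnRequest with the Extensions element gone; call `rewrite_redirect_query(query, keep_container=True)` to reproduce the second observation in the question, where only the vendor element is removed and the empty container stays. The two ValueError paths are the caveat to keep in mind before using this kind of edit as a workaround: a request whose body or query is signed cannot be rewritten in transit without re-signing.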
