Question

dSiz-1320 asked:

ADFS Adjusting MetaData to remove client-request-id

Hi All,

I have an ADFS server set up for various connections. All SAML configs work while connecting directly to ADFS. We are trying to set up a WAP to secure our network a bit more and to force Forms Based Authentication for external users.

During testing, there is one SAML trust that does not work through the WAP, and we came to the conclusion with the vendor that the issue is that, when going through the WAP, the SAML POST adds an extra parameter called "client-request-id" which the SP doesn't accept, and therefore it fails.

They are saying that the fix needs to be applied from the ADFS side, but I am unable to find anything that is public knowledge that will allow this change.

Lastly, they are deploying a code fix in the future that will accept the client-request-id, but at this time there is no ETA. Also for knowledge, the vendor is Cisco :D, and the issue is with VPN (AnyConnect) through ASA.


Thank you,
Daniel

Tags: adfs

Hi! I am not aware of this issue. Do you have a trace you can share?


Hello! Here are a few other links for reference that I ran across in my research:
1. Same issue, but a different SP, and the SP had performed the fix on their end (adfs-2019-clientrequestid-query-string-parameter-on-authorize-request-oauth2)
2. Link that explains that a WAP passes an extra query string. If you search for client-request-id on that page you will find it (https://journeyofthegeek.com/tag/adfs/)
3. Link to the Cisco ASA bug report that mentions that if the IdP provides an extra query string for the SAML Assertion then it will fail (CSCvw53427 Cisco bug report)
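To confirm from a trace that this is the failure mode described in the links above (an extra query-string parameter on the SAML POST that the SP does not expect), the following added example checks a captured POST target URL and the SAMLResponse Destination attribute against the SP's configured ACS URL and reports any extra parameters. This is example code, not part of the original thread, ADFS or the ASA; the ACS URL, the `tg` parameter, the GUID and the SAML response body are constructed sample values, and the placement of client-request-id on the POST target URL is an assumption based on the thread.

```python
"""Report query-string parameters on a captured SAML POST that are not part of
the SP's configured ACS URL (for example a client-request-id added by a proxy)."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample values (hypothetical SP, not a real configuration).
EXPECTED_ACS_URL = "https://vpn.example.com/saml/acs?tg=corp"
POSTED_URL_DIRECT = "https://vpn.example.com/saml/acs?tg=corp"
POSTED_URL_VIA_WAP = (
    "https://vpn.example.com/saml/acs?tg=corp"
    "&client-request-id=00000000-0000-0000-0000-000000000000"  # placeholder GUID
)

# Constructed minimal samlp:Response; only the Destination attribute matters here.
SAMPLE_RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_placeholder" Version="2.0" '
    'IssueInstant="2021-01-01T00:00:00Z" '
    f'Destination="{EXPECTED_ACS_URL}">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    "</samlp:Response>"
)
# Form value as it would appear in the POST body (base64, as the binding requires).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def split_url(url):
    """Return ((scheme, host, path), {param: [values]}) for a URL."""
    parts = urlsplit(url)
    base = (parts.scheme.lower(), parts.netloc.lower(), parts.path)
    return base, parse_qs(parts.query, keep_blank_values=True)


def extra_query_params(posted_url, expected_acs_url):
    """Names of query parameters on posted_url that expected_acs_url lacks.

    Raises ValueError when scheme, host or path differ, since that is a
    different endpoint rather than the same endpoint with extra parameters."""
    posted_base, posted_q = split_url(posted_url)
    expected_base, expected_q = split_url(expected_acs_url)
    if posted_base != expected_base:
        raise ValueError(f"endpoint mismatch: {posted_url} vs {expected_acs_url}")
    return sorted(set(posted_q) - set(expected_q))


def response_destination(saml_response_b64):
    """Decode a SAMLResponse form value and return its Destination attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("decoded document is not a samlp:Response")
    return root.get("Destination")


def check_post(posted_url, saml_response_b64, expected_acs_url):
    """Return a list of human-readable findings for one captured SAML POST."""
    findings = []
    try:
        extra = extra_query_params(posted_url, expected_acs_url)
    except ValueError as err:
        return [str(err)]
    if extra:
        findings.append(
            "POST target carries query parameter(s) not in the configured ACS URL: "
            + ", ".join(extra)
        )
    dest = response_destination(saml_response_b64)
    if dest is not None:
        try:
            dest_extra = extra_query_params(dest, expected_acs_url)
        except ValueError as err:
            return findings + [str(err)]
        if dest_extra:
            findings.append(
                "Response Destination carries extra query parameter(s): "
                + ", ".join(dest_extra)
            )
    return findings


if __name__ == "__main__":
    for label, url in (("direct", POSTED_URL_DIRECT), ("via WAP", POSTED_URL_VIA_WAP)):
        result = check_post(url, SAMPLE_RESPONSE_B64, EXPECTED_ACS_URL)
        print(f"{label}: {result or 'no extra parameters'}")
```

Run it against the POST target URL and SAMLResponse value taken from a browser trace or a reverse-proxy log; a non-empty result for the proxied path and an empty one for the direct path matches the behaviour the thread describes, and the finding text names the parameter to raise with the SP vendor.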

I have reached out to Cisco and I mentioned that bug, and they said that yes, that is the issue, and they are working on a new ASA version that will fix the problem, but with no ETA. But originally they were pushing for me to fix the issue on ADFS, and I don't think there is any way to adjust ADFS to cancel sending that 2nd query statement when going through a WAP.

1 Answer

dSiz-1320 answered:

It doesn't seem like there is a way to resolve this from the ADFS side. Cisco was able to update the code for the ASA, which resolved the issue, and everything is working now.