EmmanuelMESSEGUE-3569 asked (edited by piaudonn)

[ADFS][SAML][Response][Signature] ADFS doesn't send a signature block in the Response message

Hi,

I have configured my ADFS to send a signature in the Response message.
I have set my relying party like this (see below)
The authentication works fine and I can log into my SP.
However, the Response message doesn't contain the Signature block.

I tried with Keycloak and it works fine, I can see the Signature block in the Response message.

When I set up my SP to require a response signature, obviously I get an error since I don't have the block in the Response message.

What is the correct ADFS configuration to get the Signature block sent in the Response message, please?


Thanks for your help, it's driving me crazy.


 PS C:\Users\user01> Get-AdfsRelyingPartyTrust -name "XXXX"
    
    
 AllowedAuthenticationClassReferences : {}
 EncryptionCertificateRevocationCheck : None
 PublishedThroughProxy                : False
 SigningCertificateRevocationCheck    : None
 WSFedEndpoint                        : 
 AdditionalWSFedEndpoint              : {}
 ClaimsProviderName                   : {}
 ClaimsAccepted                       : {}
 EncryptClaims                        : True
 Enabled                              : True
 EncryptionCertificate                : 
 Identifier                           : YYYY
 NotBeforeSkew                        : 0
 EnableJWT                            : False
 AlwaysRequireAuthentication          : False
 Notes                                : 
 OrganizationInfo                     : 
 ObjectIdentifier                     : 731cfe19-5fe3-eb11-9afb-0050568f44bf
 ProxyEndpointMappings                : {}
 ProxyTrustedEndpoints                : {}
 ProtocolProfile                      : WsFed-SAML
 RequestSigningCertificate            : {[Subject]
                                          CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR
                                           
                                        [Issuer]
                                          CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR
                                           
                                        [Serial Number]
                                          44ECB0E72927002223D1E196D1019C7A6A4650C6
                                           
                                        [Not Before]
                                          20/07/2021 16:13:13
                                           
                                        [Not After]
                                          20/07/2022 16:13:13
                                           
                                        [Thumbprint]
                                          C52F394C2415805A889E767398165BB087125805
                                        }
 EncryptedNameIdRequired              : False
 SignedSamlRequestsRequired           : False
 SamlEndpoints                        : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
 SamlResponseSignature                : MessageOnly
 SignatureAlgorithm                   : http://www.w3.org/2000/09/xmldsig#rsa-sha1
 TokenLifetime                        : 0
 AllowedClientTypes                   : Public, Confidential
 IssueOAuthRefreshTokensTo            : AllDevices
 RefreshTokenProtectionEnabled        : True
 RequestMFAFromClaimsProviders        : False
 ScopeGroupId                         : 
 ScopeGroupIdentifier                 : 
 DeviceAuthenticationMethod           : 
 Name                                 : XXXX
 AutoUpdateEnabled                    : False
 MonitoringEnabled                    : False
 MetadataUrl                          : 
 ConflictWithPublishedPolicy          : False
 IssuanceAuthorizationRules           : 
 IssuanceTransformRules               : @RuleName = "Transform Domain User to User"
                                        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
                                         => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, 
                                        "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = 
                                        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
                                           
                                           
 DelegationAuthorizationRules         : 
 LastPublishedPolicyCheckSuccessful   : 
 LastUpdateTime                       : 01/01/1900 00:00:00
 LastMonitoredTime                    : 01/01/1900 00:00:00
 ImpersonationAuthorizationRules      : 
 AdditionalAuthenticationRules        : 
 AccessControlPolicyName              : Permit everyone
 AccessControlPolicyParameters        : 
 ResultantPolicy                      : RequireFreshAuthentication:False
                                        IssuanceAuthorizationRules:
                                        {
                                          Permit everyone
                                        }
adfs

EmmanuelMESSEGUE-3569 answered (edited by piaudonn)

I changed the SignatureAlgorithm back to sha256 instead of sha1.
Same result.
Still no Signature block in the Response message.
I just got:


 <samlp:Response ID="_b553abf5-da78-43a5-a8fc-d62adcb64ba8"
                 Version="2.0"
                 IssueInstant="2021-07-20T17:55:30.434Z"
                 Destination="https://RRRRR:8081/platform-5.3.x/saml/sp/SSO/alias/continuity"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 InResponseTo="ARQ3ef9427-e008-4b91-b023-3957c3737414"
                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://QQQQQ/adfs/services/trust</Issuer>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
     </samlp:Status>
     <Assertion ID="_c63056ec-28af-4d55-9732-567dfba0b1b8"
                IssueInstant="2021-07-20T17:55:30.434Z"
                Version="2.0"
                xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                >
         <Issuer>http://QQQQQ/adfs/services/trust</Issuer>
         <Subject>
             <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user01</NameID>
             <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                 <SubjectConfirmationData InResponseTo="ARQ3ef9427-e008-4b91-b023-3957c3737414"
                                          NotOnOrAfter="2021-07-20T18:00:30.434Z"
                                          Recipient="https://RRRR:8081/platform-5.3.x/saml/sp/SSO/alias/continuity"
                                          />
             </SubjectConfirmation>
         </Subject>
         <Conditions NotBefore="2021-07-20T17:55:30.434Z"
                     NotOnOrAfter="2021-07-20T18:55:30.434Z"
                     >
             <AudienceRestriction>
                 <Audience>https://RRRR:8081/platform-5.3.x</Audience>
             </AudienceRestriction>
         </Conditions>
         <AuthnStatement AuthnInstant="2021-07-20T17:55:30.231Z"
                         SessionIndex="_c63056ec-28af-4d55-9732-567dfba0b1b8"
                         >
             <AuthnContext>
                 <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
             </AuthnContext>
         </AuthnStatement>
     </Assertion>
 </samlp:Response>

piaudonn answered (edited by piaudonn)

Your current setting is:

  SamlResponseSignature                : MessageOnly

Your token should look like this:

 <samlp:Response ID="_501c00d5-0448-4cd9-a53b-3e215ae8364d" Version="2.0" IssueInstant="2021-07-21T01:10:19.093Z" Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
     <Issuer
         xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.piesec.ca/adfs/services/trust
     </Issuer>
     <ds:Signature
         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
             <ds:Reference URI="#_501c00d5-0448-4cd9-a53b-3e215ae8364d">
                 <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                 </ds:Transforms>
                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                 <ds:DigestValue>468jLaLACn76HmOmmT+Hmk7eYauelXjBAOfbvpATJeE=</ds:DigestValue>
             </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>Lfb8xVVAJSp8RvZXCgl5PEEgEMABE+nPC0OiTCHKYjrKWb/Wv0mwl7VREHQKsuyYkaWLKFOfKiAfplm3mnifkb3gzQUL5eQ50OTmQZPoVh0ek+l0HIVyKgvgnRafVaSggd3VXHYqEVBQ8TyZj+8aWtWgb6lTBqQWlhjts+hIQrSp6+JyAywY97RadjzEjvspG+6tq3opiFnKovvGEYzSRlalalalafAxOc9b8oREQfKPfTiEcpQQ50VlDZPe4c2uJLxP/G5ToqevL03vkPGiN/x2gnegQfyPPOQILYinkEKAEJZKRaZYRm6if1KLoollLFP+YNgr5v1ioViq8fccPRUIQ==</ds:SignatureValue>
         <KeyInfo
             xmlns="http://www.w3.org/2000/09/xmldsig#">
             <ds:X509Data>
                 <ds:X509Certificate>MIIC1jCCAb.....</ds:X509Certificate>
             </ds:X509Data>
         </KeyInfo>
     </ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
     </samlp:Status>
     <Assertion ID="_225d93ca-25c6-46cc-9034-8e4896892589" IssueInstant="2021-07-21T01:10:19.092Z" Version="2.0"
         xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
         <Issuer>http://sts.piesec.ca/adfs/services/trust</Issuer>
         <Subject>
             <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">administrator@piesec.ca</NameID>
             <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                 <SubjectConfirmationData NotOnOrAfter="2021-07-21T01:15:19.093Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
             </SubjectConfirmation>
         </Subject>
         <Conditions NotBefore="2021-07-21T01:10:19.092Z" NotOnOrAfter="2021-07-21T02:10:19.092Z">
             <AudienceRestriction>
                 <Audience>urn:microsoft:adfs:claimsxray</Audience>
             </AudienceRestriction>
         </Conditions>
         <AuthnStatement AuthnInstant="2021-07-21T01:10:18.968Z" SessionIndex="_225d93ca-25c6-46cc-9034-8e4896892589">
             <AuthnContext>
                 <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
             </AuthnContext>
         </AuthnStatement>
     </Assertion>
 </samlp:Response>

If you set it to AssertionOnly, it will look like this:

 <?xml version="1.0" encoding="utf-16"?>
 <samlp:Response ID="_e28208da-046b-4a8a-aac3-d39b89d8a40e" Version="2.0" IssueInstant="2021-07-21T01:12:37.148Z" Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.piesec.ca/adfs/services/trust</Issuer>
  <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_091af701-b78c-4486-9da6-a59bd3f03df9" IssueInstant="2021-07-21T01:12:37.148Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://sts.piesec.ca/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
  <ds:Reference URI="#_091af701-b78c-4486-9da6-a59bd3f03df9">
  <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
  <ds:DigestValue>lTXjO3tFhSooIiNkcIk3zvUzSvvZLoH8bxaMx/yLIXE=</ds:DigestValue>
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>SONPW4T9bK5as5vlalalala7dbLYECjSlNwwLT7/q4g+Mr+mPydZ5QpuHMf1lU9QGZk/ZfpwVCCJ1q5/7B+n1KQSv3IHR+5hiH28oOtim5fBvLpYQNB24BVySGO9Veip3w54EKIRAIjWXCi/qpcKWK9Ehcv3N76BmNk5rhTDYh3lZ2py09h0mIH+R6RsrRPWc1j6g9LKAyOZXJi2SfqJfFh1SzC9qVkntnQx4bJ3XtuPJa34I+F7eqMNZYJxNf3N6dM3WisukLhtPeVPwdKGH9XAYZwHB6gJpmlc1gnQXjKLtABYLEas+fqrtd+zZkC+wDORJXBRrx94vj7JbCbVfZPT5w==</ds:SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
  <ds:X509Certificate>MIIC1jCCAb....</ds:X509Certificate>
  </ds:X509Data>
  </KeyInfo>
  </ds:Signature>
  <Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">administrator@piesec.ca</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <SubjectConfirmationData NotOnOrAfter="2021-07-21T01:17:37.148Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
  </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2021-07-21T01:12:37.147Z" NotOnOrAfter="2021-07-21T02:12:37.147Z">
  <AudienceRestriction>
  <Audience>urn:microsoft:adfs:claimsxray</Audience>
  </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2021-07-21T01:12:37.040Z" SessionIndex="_091af701-b78c-4486-9da6-a59bd3f03df9">
  <AuthnContext>
  <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
  </AuthnContext>
  </AuthnStatement>
  </Assertion>
 </samlp:Response>

And if you set it with MessageAndAssertion it will look like this:

 <?xml version="1.0" encoding="utf-16"?>
 <samlp:Response ID="_abd169b5-1db5-4448-9334-5b1964ba500a" Version="2.0" IssueInstant="2021-07-21T01:14:20.961Z" Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.piesec.ca/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
  <ds:Reference URI="#_abd169b5-1db5-4448-9334-5b1964ba500a">
  <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
  <ds:DigestValue>rfGjlXiUiQ4dMiH+OcjevAFrcQ8wvs5CSvhMJniU4Jw=</ds:DigestValue>
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>ijHl1KoBuQFB+PWmwgKPzm1IneIhpgZWxRf4NEHyZwhhq0KW+HrnFBb/ruYHBngsz1wN3vpnqRGD45+75BX8ShiFXx+1J+u/HpO5b8Q2kXghCwkDhE1fjvNC8vpq1VfZdOoM1IPSuzZ6886/dOHq1FqmwfjLk6nDcYFmTa22ksQLs88e2Pz1Dth0F8/+c85K+KjMRTsIAi1UlLfNV0jVjIgjDVDxlLJGm0TQmFGZMvFXVlkR7Dmq9/DlvUmC1B2htiyRhcL92FPFBm6l1ZgFYyk/x2MmJZuUSJpkRp0PMvjZT4Dn3th4LbENAuTQTAz9AC8FHtNfXqrRMWEmOLxEBQ==</ds:SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
  <ds:X509Certificate>MIIC1jCCAb6gA....</ds:X509Certificate>
  </ds:X509Data>
  </KeyInfo>
  </ds:Signature>
  <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_5d0838b5-7f5e-4e3c-aac9-eba6f5048813" IssueInstant="2021-07-21T01:14:20.959Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://sts.piesec.ca/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
  <ds:Reference URI="#_5d0838b5-7f5e-4e3c-aac9-eba6f5048813">
  <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
  <ds:DigestValue>aEwUzRFwmjoUm0TAvOurfE8N/EVFXgb6kYfWizTiDyQ=</ds:DigestValue>
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>N34C0GMoW3bdb6SgTghoseu6tHOt+R/lalallalala/vefRP/BxS0YsOusZD5ZPWMOP4hr1moc/YnAFYhnxilaz+ktDiCB2IYjL8K3gKHYYv6JU2wXj+XwQxGziyxq2RBdw6f3fmX4GmSO9NLikhs3vnn9FIK9K3Po8lGOlOqiDGUk+85Zq1T3L7g+a8vDTGxJIa4NH4wPvg0gwoLwHKF96PwhRD8rjPPdAHiiOJftrJK2PgC6lqxFF92bU5K82D13xTmw+W6jZM4kQhiKfcmByuJYhwAjYdwnnQE7TbwYoKdo235/Ug7q/cRePAyTKcMDITeviWVt4d5dBS6Q==</ds:SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
  <ds:X509Certificate>MIIC1jCCAb6gAwIBA.....</ds:X509Certificate>
  </ds:X509Data>
  </KeyInfo>
  </ds:Signature>
  <Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">administrator@piesec.ca</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <SubjectConfirmationData NotOnOrAfter="2021-07-21T01:19:20.961Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
  </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2021-07-21T01:14:20.959Z" NotOnOrAfter="2021-07-21T02:14:20.959Z">
  <AudienceRestriction>
  <Audience>urn:microsoft:adfs:claimsxray</Audience>
  </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2021-07-21T01:14:20.875Z" SessionIndex="_5d0838b5-7f5e-4e3c-aac9-eba6f5048813">
  <AuthnContext>
  <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
  </AuthnContext>
  </AuthnStatement>
  </Assertion>
 </samlp:Response>


So I can't repro, as I always have a signature block. Granted, it is not the same content that gets signed, depending on the setting. How did you extract the token?

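The three token shapes in the answer above differ only in where the `ds:Signature` element sits: a direct child of `samlp:Response` (MessageOnly), a direct child of `saml:Assertion` (AssertionOnly), or both (MessageAndAssertion), and the original poster's token has neither. The following script, an added example that is not code from this thread, from Microsoft or from ADFS, parses a Response with the Python standard library and reports which of the three settings its signature placement corresponds to. It also checks that each enveloped signature's `ds:Reference URI` points at the `ID` of the element that contains it, which is the structural property an SP relies on when it decides what a signature actually covers. The sample responses it builds are constructed for the example (placeholder IDs, issuer URL and dummy signature values), and the script checks placement only; it does not verify the cryptographic signature.

```python
"""Classify where a SAML 2.0 Response carries ds:Signature elements.

Added example (not from the thread). Standard library only. Inspects
signature placement and Reference URIs; does NOT verify signatures.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAMLP = "{%s}" % NS["samlp"]
DS = "{%s}" % NS["ds"]


def _direct_signature(elem):
    """Return the ds:Signature that is a *direct* child of elem, or None.

    Only a direct child can be an enveloped signature over elem; a
    Signature nested deeper belongs to some inner element.
    """
    for child in elem:
        if child.tag == DS + "Signature":
            return child
    return None


def _reference_uri(sig):
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref.get("URI") if ref is not None else None


def classify_response(xml_text):
    """Map signature placement to the ADFS SamlResponseSignature values.

    Returns {'setting': 'MessageOnly' | 'AssertionOnly' |
    'MessageAndAssertion' | 'None', 'assertions': n, 'problems': [...]}.
    A problem is recorded when a signature's Reference URI does not point
    at the ID of its own parent element.
    """
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response document")

    problems = []
    msg_sig = _direct_signature(root)
    if msg_sig is not None:
        uri = _reference_uri(msg_sig)
        if uri != "#" + root.get("ID", ""):
            problems.append("message signature references %r, not the Response ID" % uri)

    assertions = root.findall("saml:Assertion", NS)
    signed = 0
    for a in assertions:
        sig = _direct_signature(a)
        if sig is None:
            continue
        signed += 1
        uri = _reference_uri(sig)
        if uri != "#" + a.get("ID", ""):
            problems.append("assertion %s signature references %r" % (a.get("ID"), uri))

    message_signed = msg_sig is not None
    assertion_signed = bool(assertions) and signed == len(assertions)
    if message_signed and assertion_signed:
        setting = "MessageAndAssertion"
    elif message_signed:
        setting = "MessageOnly"
    elif assertion_signed:
        setting = "AssertionOnly"
    else:
        setting = "None"
    return {"setting": setting, "assertions": len(assertions), "problems": problems}


def _sig(target_id):
    # Constructed ds:Signature skeleton: correct shape, dummy value.
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>' % target_id)


def sample_response(sign_message=False, sign_assertion=False):
    """Constructed samlp:Response shaped like the thread's examples (placeholder IDs/issuer)."""
    return ('<samlp:Response ID="_resp1" Version="2.0" '
            'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example/adfs/services/trust</Issuer>'
            + (_sig("_resp1") if sign_message else "")
            + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<Assertion ID="_asrt1" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<Issuer>http://idp.example/adfs/services/trust</Issuer>'
            + (_sig("_asrt1") if sign_assertion else "")
            + '<Subject><NameID>user01</NameID></Subject></Assertion></samlp:Response>')


if __name__ == "__main__":
    for m, a in [(False, False), (True, False), (False, True), (True, True)]:
        print(classify_response(sample_response(m, a)))
```

Run it against a decoded SAMLResponse (base64-decode the POST parameter first) to see which setting the issuing IdP actually applied; an unsigned token like the one in the question comes back as `None`, and any signature whose Reference does not match its parent's ID is listed under `problems` so it is not mistaken for a signature over that element.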