Hi,
I have configured my ADFS to send a signature in the Response message.
I have set up my relying party like this (see below).
The authentication works fine and I can log into my SP.
However, the Response message doesn't contain the Signature block.
I tried with Keycloak and it works fine, I can see the Signature block in the Response message.
When I set up my SP to require a response signature, obviously I get an error since I don't have the block in the Response message.
What is the correct ADFS configuration to get the Signature block sent in the Response message, please?
Thanks for your help, it's driving me crazy.
PS C:\Users\user01> Get-AdfsRelyingPartyTrust -name "XXXX"
AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : None
PublishedThroughProxy : False
SigningCertificateRevocationCheck : None
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : YYYY
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : 731cfe19-5fe3-eb11-9afb-0050568f44bf
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {[Subject]
CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR
[Issuer]
CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR
[Serial Number]
44ECB0E72927002223D1E196D1019C7A6A4650C6
[Not Before]
20/07/2021 16:13:13
[Not After]
20/07/2022 16:13:13
[Thumbprint]
C52F394C2415805A889E767398165BB087125805
}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : MessageOnly
SignatureAlgorithm : http://www.w3.org/2000/09/xmldsig#rsa-sha1
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
ScopeGroupIdentifier :
DeviceAuthenticationMethod :
Name : XXXX
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules :
IssuanceTransformRules : @RuleName = "Transform Domain User to User"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value,
"(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 01/01/1900 00:00:00
LastMonitoredTime : 01/01/1900 00:00:00
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName : Permit everyone
AccessControlPolicyParameters :
ResultantPolicy : RequireFreshAuthentication:False
IssuanceAuthorizationRules:
{
Permit everyone
}
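As an added diagnostic (not part of the original post or of ADFS), the script below reports where ds:Signature elements sit in a SAML 2.0 Response (directly under the Response, under the Assertion, or hidden inside an EncryptedAssertion) and compares that placement with the relying party's SamlResponseSignature value; the SAML sample it parses is constructed and its signature body is a placeholder.

```python
# Added example (not from the original post): report where ds:Signature elements
# sit in a SAML 2.0 Response and compare that with the ADFS relying-party
# setting SamlResponseSignature. Presence/placement check only, no verification.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
# ADFS setting -> (Response element signed, Assertion element signed)
EXPECTED = {"MessageOnly": (True, False), "AssertionOnly": (False, True),
            "MessageAndAssertion": (True, True)}

# Constructed sample: assertion-level signature only, which an SP that requires
# a Response-level signature will reject. The signature value is a placeholder.
SAMPLE_ASSERTION_ONLY = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{RSA_SHA1}"/></ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </saml:Assertion></samlp:Response>"""

def signature_placement(response_xml: str) -> dict:
    """Which elements carry a direct ds:Signature child, and which algorithms."""
    root = ET.fromstring(response_xml)  # wire input is untrusted: use defusedxml there
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    resp_sig = root.find("ds:Signature", NS)  # direct child only, not descendants
    assertion_sigs = [a.find("ds:Signature", NS) for a in root.findall("saml:Assertion", NS)]
    sigs = [s for s in [resp_sig, *assertion_sigs] if s is not None]
    algos = {s.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm") for s in sigs}
    return {"response_signed": resp_sig is not None,
            "assertion_signed": any(s is not None for s in assertion_sigs),
            # an encrypted assertion hides its own signature from this check
            "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
            "algorithms": sorted(algos)}

def check_against_setting(response_xml: str, setting: str) -> list:
    """Mismatches between observed placement and the configured ADFS value."""
    want_resp, want_assert = EXPECTED[setting]
    seen = signature_placement(response_xml)
    problems = []
    if seen["response_signed"] != want_resp:
        problems.append(f"Response-level signature expected={want_resp} found={seen['response_signed']}")
    if seen["assertion_signed"] != want_assert and not seen["encrypted_assertions"]:
        problems.append(f"Assertion-level signature expected={want_assert} found={seen['assertion_signed']}")
    if RSA_SHA1 in seen["algorithms"]:
        problems.append("rsa-sha1 in use; SHA-1 is deprecated for XML signatures")
    return problems
```

Run it against a Response captured from the browser (decoded SAMLResponse form field) with the setting shown by Get-AdfsRelyingPartyTrust to see whether the signature is missing, misplaced, or only invisible because the assertion is encrypted.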