SAML error for SSO with ADFS - MSIS0038: SAML Message has wrong signature

Question

Hi I am trying to use SSO to authenticate my client\'s users directly to my website. My client\'s IDP is Microsoft ADFS and I am using Passport-SAML (https://github.com/berg

Answer 1

Not a Passport-SAML guru but the normal causes of this error with ADFS are:

• A signing mismatch - ADFS expects the AuthRequest to be signed and it isn't or vice versa.

• The signing certificate installed in this RP has expired or is the wrong one in the sense that it is not the certificate the client is using.

At the RP level, look at:

Get-ADFSRelyingPartyTrust

[-SignedSamlRequestsRequired ] [-SamlResponseSignature ]

or globally:

Get-ADFSProperties

SignedSamlRequestsRequired
SignSamlAuthnRequests

and check:

Get-AdfsCertificate -CertificateType "Token-Signing"