ADFS SSO SAML Idp Initiated SSO Failed: Signature Invalid / Remote Access Authorization error
Knowledge Article Number: 000176901
Description: Users on mobile clients that authenticate with OAuth 2.0, where the login is redirected through My Domain to the customer's SAML IdP, may see "Signature Invalid" or "Remote Access Authorization" errors.
There are many configuration aspects to check. Customers should confirm the basics first:
1) Both the HTTP POST and HTTP Redirect binding methods are supported
2) The RelayState parameter is echoed back unchanged with the SAMLResponse
3) The authentication works from a browser; examine the trace and run the validation (more on this below)
4) The certificates (the IdP signing certificate configured in Salesforce matches the one ADFS signs with)
5) The hash algorithm configured for ADFS (SHA1 is what this article recommends; see the note below)
Customers may also post their specific issues at:
Some issues are signature problems. If Salesforce does not reject the certificate supplied in KeyInfo, the certificate itself is usually valid; you can double-check this by regenerating the certificate and private key. NOTE: A browser test in debug mode lets you confirm that the SAMLResponse is not being altered after it is signed. Any change to the signed XML after signing, even whitespace or encoding changes introduced by a proxy, invalidates the signature.
A next step is to validate the SAML response. Several public tools do this, e.g. https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php. Keep in mind that a real response contains the user's identity and attributes, so for production data prefer the Salesforce validator or a local tool over a third-party website.
Salesforce also provides a SAML response validation page under Admin | Security | Single Sign-On Settings.
Questions to answer from that validation:
1) Which certificate is configured in the SSO settings? i.e. CN=ADFS Signing…
2) Is the Response signed, the Assertion signed, or both?
3) Is the certificate carried in KeyInfo the same one configured in Salesforce?
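The checks above can be scripted against a captured response. The following is an added example written for this article (not Salesforce or Microsoft code): given the SAMLResponse and RelayState form fields copied from a browser trace of the POST to the Salesforce ACS URL, it reports whether the Response and/or Assertion are signed, which signature and digest algorithms were used, whether each signature's Reference actually points at the element it lives in, whether the KeyInfo certificate matches the IdP certificate configured in Salesforce (compared by SHA-1 thumbprint, the form both ADFS and Salesforce display), and whether RelayState came back unchanged. The sample response, certificate bytes and RelayState URL are constructed placeholders, and the script performs structural checks only; it does not verify the signature cryptographically.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample data, not a real IdP response: the "certificate" is a
# placeholder byte string rather than DER, and the digest/signature values are
# dummies.  As ADFS does by default, only the Assertion is signed.
FAKE_CERT_DER = b"placeholder-not-real-der"
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>ZHVtbXk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# The two form fields the browser POSTs to the Salesforce ACS URL (constructed).
SAMPLE_POST = {
    "SAMLResponse": base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(),
    "RelayState": "https://example.my.salesforce.com/home/home.jsp",
}


def cert_thumbprint(der_bytes):
    """SHA-1 thumbprint of a DER certificate, the form both ADFS and Salesforce display."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def describe_signature(signed_el):
    """Details of the ds:Signature that is a direct child of signed_el, or None if unsigned."""
    sig = signed_el.find("ds:Signature", NS)
    if sig is None:
        return None
    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    digest_method = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_der = None
    if cert_el is not None and cert_el.text:
        cert_der = base64.b64decode("".join(cert_el.text.split()))  # tolerate PEM-style wrapping
    return {
        "signature_algorithm": sig_method.get("Algorithm") if sig_method is not None else None,
        "digest_algorithm": digest_method.get("Algorithm") if digest_method is not None else None,
        "reference_uri": ref.get("URI") if ref is not None else None,
        # An enveloped signature must reference the ID of the element that contains it.
        "reference_ok": ref is not None and ref.get("URI") == "#" + (signed_el.get("ID") or ""),
        "keyinfo_thumbprint": cert_thumbprint(cert_der) if cert_der else None,
    }


def inspect_acs_post(form, expected_thumbprint=None, sent_relaystate=None):
    """Decode the POSTed SAMLResponse and list findings that would explain a
    Signature Invalid error or a broken RelayState round trip."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    report = {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "status": status.get("Value") if status is not None else None,
        "response_signature": describe_signature(root),
        "assertion_signatures": [describe_signature(a) for a in root.findall("saml:Assertion", NS)],
        "problems": [],
    }
    sigs = [s for s in [report["response_signature"]] + report["assertion_signatures"] if s]
    if not sigs:
        report["problems"].append("neither the Response nor any Assertion is signed")
    want = expected_thumbprint.replace(" ", "").upper() if expected_thumbprint else None
    for s in sigs:
        if not s["reference_ok"]:
            report["problems"].append("Reference URI %r does not point at the signed element" % s["reference_uri"])
        if s["keyinfo_thumbprint"] is None:
            report["problems"].append("KeyInfo carries no X509Certificate")
        elif want and s["keyinfo_thumbprint"] != want:
            report["problems"].append("KeyInfo certificate %s differs from the IdP certificate configured in Salesforce (%s)"
                                      % (s["keyinfo_thumbprint"], want))
    if sent_relaystate is not None and form.get("RelayState") != sent_relaystate:
        report["problems"].append("RelayState was not echoed back unchanged")
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(inspect_acs_post(SAMPLE_POST, cert_thumbprint(FAKE_CERT_DER), SAMPLE_POST["RelayState"]))
```

To use it on a real trace, replace SAMPLE_POST with the two form fields from the browser's network capture and pass the thumbprint shown for the certificate in the Salesforce Single Sign-On settings as expected_thumbprint. An empty problems list means the structure is consistent; a remaining Signature Invalid error then points at the signed bytes having been altered in transit or at an algorithm the SP does not accept.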
The Salesforce Security team recommends the SHA1 hash for ADFS. Note that this is guidance for ADFS 2.0; newer ADFS versions default to SHA-256 for new relying party trusts, which Salesforce also validates, so the practical requirement is that the algorithm set on the relying party trust is one Salesforce accepts, otherwise the signature fails to validate. Here is a whitepaper with more details on this:
Other resources to check:
This blog discusses modifications of the web.config and FormsSignIn.aspx.cs files.
- ADFS admins: do NOT manually generate the RelayState / target app or RPID value; hand-built values are a common cause of failures, so use the value ADFS generates
- Remember that Salesforce SSO support is for forms-based login only
The relevant part of the ADFS web.config (ADFS uses the first entry in localAuthenticationTypes as the default, so listing Forms first forces the forms-based sign-in page that Salesforce SSO requires; singleSignOn enabled="false" turns off the ADFS-side SSO cookie so every sign-on prompts for credentials):
<?xml version="1.0"?>
<configuration>
  ...
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
    ...
    <singleSignOn enabled="false" />
  </microsoft.identityServer.web>
  ...
</configuration>
The using directives added at the top of the modified FormsSignIn.aspx.cs (the rest of the file is not reproduced here):
using System.Configuration;
using System.Collections.Specialized;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml;
IMPORTANT NOTE for iOS devices: When configuring ADFSv2 for use with Salesforce, select the "HTTP Redirect" option for "Service Provider Initiated Request Binding" in the Salesforce Single Sign-On settings. This improves interoperability with iOS-based devices.
Specific to Mobile Issues: