
ADFS SSO SAML IdP-Initiated SSO Failed: Signature Invalid / Remote Access Authorization Error

Knowledge Article Number 000176901
Description: Users on mobile clients that authenticate with OAuth 2.0 SSO over SAML via My Domain, which redirects to the customer's IdP, might see "Invalid Signature" or "Remote Access" errors.

There are many configuration aspects to check. Customers should confirm the basics first:
1) Both the HTTP POST and HTTP Redirect binding methods are supported
2) The RelayState parameter is echoed back correctly in the SAMLResponse
3) Authentication works from a browser; examine the trace / validation output (more on this below)
4) The certificates are correct
5) The SHA1 hash is recommended for ADFS


Customers may also post their specific issues at:

http://boards.developerforce.com/t5/Security/bd-p/security

 
Resolution
 
Some issues may be related to a signature problem. If Salesforce does not complain about the provided KeyInfo, that usually means the supplied certificate is valid. You can double-check this by regenerating the certificate / private key. NOTE: In a browser test, debug mode lets you verify that the SAMLResponse is not being altered after it is signed.
 
 
A next step is to validate the SAML response. Many sites are available to do this, e.g. https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
 
There is also a SAML response validation page within salesforce.com under Admin | Security | Single Sign-On Settings.
 
Questions to answer from that validation:
1) Which certificate is supplied in the settings? e.g. CN=ADFS Signing…
2) Is the response signed? Is the assertion signed?
3) Is the correct certificate supplied in the KeyInfo?
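To work through those three questions on a captured SAMLResponse before any cryptographic verification, here is an added example (not part of this article or of Salesforce's tooling). It decodes the base64 SAMLResponse, reports whether the Response and/or the Assertion carry a ds:Signature, which signature algorithm each uses (so an unexpected hash can be spotted), and whether the certificate in each KeyInfo matches the one configured on the SP side. The response, issuer and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(b64_cert):
    # SHA-256 over the DER bytes; PEM armour and whitespace are stripped first
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", b64_cert)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def inspect_saml_response(saml_response_b64, expected_cert_b64):
    """Which parts are signed, with which algorithm, and does each KeyInfo
    certificate match the certificate configured in the SSO settings?"""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # Only a direct child ds:Signature signs the Response; a Signature inside
    # the Assertion signs the Assertion alone.
    resp_sig = root.find("ds:Signature", NS)
    assertion = root.find("saml:Assertion", NS)
    assert_sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    expected_fp = cert_fingerprint(expected_cert_b64)
    findings = {"response_signed": resp_sig is not None,
                "assertion_signed": assert_sig is not None,
                "signature_algorithms": [], "keyinfo_cert_matches": []}
    for sig in (s for s in (resp_sig, assert_sig) if s is not None):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        findings["signature_algorithms"].append(method.get("Algorithm") if method is not None else None)
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        findings["keyinfo_cert_matches"].append(
            cert is not None and cert_fingerprint(cert.text) == expected_fp)
    return findings

# Constructed sample: placeholder cert bytes and a minimal assertion-signed Response
CONSTRUCTED_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
CONSTRUCTED_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response ID="_r1" Version="2.0"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONSTRUCTED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
 </saml:Assertion>
</samlp:Response>""".encode()).decode()
```

Run it against a real SAMLResponse copied from the browser trace and the certificate from the Single Sign-On settings; a mismatch on the last check is exactly the "wrong certificate in KeyInfo" case from question 3.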
 
The Salesforce Security team recommends the SHA1 hash for ADFS. Here is a whitepaper with more details on this:


Other resources to check:
http://adfsauthentication.codeplex.com/

This project's blog discusses modifications to the web.config and FormsSignIn.aspx.cs files.
- ADFS admins: Do NOT manually generate the RelayState / Target App or RPID
- Remember that our SSO support is for FORMS-based login only



web.config
<?xml version="1.0"?>
<configuration>
  ...
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
    ...
    <singleSignOn enabled="false" />
  </microsoft.identityServer.web>
  ...
</configuration>


FormsSignIn.aspx.cs
using System.Configuration;
using System.Collections.Specialized;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml;


 
http://wiki.developerforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services
IMPORTANT NOTE for iOS devices:
When configuring ADFS v2 for use with Salesforce, it is recommended that you select the "HTTP Redirect" option in the Salesforce Single Sign-On settings under "Service Provider Initiated Request Binding". This improves interoperability with iOS-based devices.

Specific to Mobile Issues:
http://wiki.developerforce.com/page/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth

ADFS SSO:

http://wiki.developerforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services



