
We are encountering a `Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder` SAMLException when trying to run the Spring SAML sample application. The IDP is an ADFS 3.0 Server and the SP uses a self-signed URL. Following is the URL of the SP/App:

https://ec2-52-0-198-40.compute-1.amazonaws.com:8443/spring-security-saml2-sample/

The weird thing is this happens after successfully authenticating at the IDP, and the first time only. If I try the URL a second time, it remembers the successful login and redirects correctly to the app/SP. Every attempt to log in after that is successful. The Global Logout and the Local Logout work too.

But then, if I clear the browser of all cookies and history and try to log in again, the "Invalid Status" problem appears the first time around, and all subsequent logins are successful.

@vladimír-schäfer: Any ideas why this problem is happening? Thanks much.

Soner Gönül
  • Hey @Ravikumar Raman, I have the same problem, how did you solve your problem? https://stackoverflow.com/questions/49559023/saml-error-for-sso-with-adfs-msis0038-saml-message-has-wrong-signature – jerem Apr 09 '18 at 10:59

2 Answers


One path which is worth trying is to make sure that the HTTPS certificate presented by the site is trusted. I've seen cases where the page used by browsers to confirm an invalid certificate breaks data sent during SAML SSO, which could lead to the issue you're experiencing.

Vladimír Schäfer
  • Thank you for the quick response Vladimir. We will install a trusted certificate and let you know. – Ravikumar Raman Apr 30 '15 at 10:59
  • Hi Vladimir, we installed a new cert and the new URL is https://dev.idiom.digitaslbi.com:8443/spring-security-saml2-sample. We don't get the invalid certificate confirmation any more. But the first time **"invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder"** still lingers. ADFS (IDP) does not have an error in the logs. Any other path you would like us to try? – Ravikumar Raman May 13 '15 at 16:54
  • A follow up: the SAML response when it fails (first time log in) has an element, but when it succeeds the response has an element with status 'Success' in it. Wondering what would cause this. – Ravikumar Raman May 13 '15 at 17:19
  • You should dig more on the ADFS side, perhaps try to enable additional logging. The error has the following meaning "The request could not be performed due to an error on the part of the SAML responder or SAML authority." SAML responder/authority is ADFS in this case. – Vladimír Schäfer May 13 '15 at 19:53

I've seen this when ADFS expects a SHA-256 digital signature but Spring Security still uses SHA-1 as its default. See "Issues while integrating ADFS with Spring SAML Extension".

Stuart Charlton
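The SHA-1/SHA-256 mismatch in the answer above can be fixed on the SP side by overriding the signature and digest algorithms that the Spring Security SAML extension registers at startup. The following class is an added example, not code from the answer or from the project; it assumes Spring Security SAML 1.x with the OpenSAML 2 API on the classpath, and the class name `Sha256SamlBootstrap` is an arbitrary choice.

```java
// Added example (not from the answer or the Spring SAML project): make the SP sign
// with RSA-SHA256 and use SHA-256 digests so its AuthnRequest matches an ADFS
// relying-party trust that expects SHA-256 (the extension defaults to RSA-SHA1).
// Assumes Spring Security SAML 1.x and OpenSAML 2.x; the class name is arbitrary.
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;

public class Sha256SamlBootstrap extends org.springframework.security.saml.SAMLBootstrap {

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory)
            throws BeansException {
        // Let the stock bootstrap initialise OpenSAML first; it registers RSA-SHA1.
        super.postProcessBeanFactory(beanFactory);

        BasicSecurityConfiguration config =
                (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();

        // Signature algorithm used for RSA keys: RSA-SHA256 instead of the default RSA-SHA1.
        config.registerSignatureAlgorithmURI("RSA",
                SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

        // Digest algorithm for the ds:Reference elements inside the XML signature.
        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    }
}
```

Register this class in the Spring security context in place of the default `org.springframework.security.saml.SAMLBootstrap` bean, and confirm that the relying-party trust in ADFS is set to the same hash algorithm under its Advanced tab.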