Receiving an HTTP 400 BAD REQUEST from SAML2 Response

I have a Windows Server 2019 running an IIS web server. My organization uses ADFS 2016 and a team has configured the IdP integration in ADFS on my behalf. Everything (accounts, server, etc) are part of an AD domain network (all within same domain infrastructure).

I am building a .NET 6 app and deploying to the server using this example which uses itfoxtec-identity-saml2: How to Authenticate with SAML in ASP.NET Core and C#

The app launches fine. When I click the login button I'm presented with an error upon redirect back to the app: "HTTP ERROR 400".

Browser console: Failed to load resource: the server responded with a status of 400 () chrome-error://chromewebdata/:1 crbug/1173575, non-JS module files deprecated. (anonymous) @ VM9:2762

Header data from the developer console:
Request URL: https://oitctxwbdcsp1.deleted/ADFSTest
Request Method: POST
Status Code: 400
Remote Address: 10.137.0.7:443
Referrer Policy: strict-origin-when-cross-origin
date: Tue, 29 Mar 2022 21:02:57 GMT
server: Microsoft-IIS/10.0
strict-transport-security: max-age=0; includeSubDomains
:authority: oitctxwbdcsp1.deleted
:method: POST
:path: /ADFSTest
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 3813
content-type: application/x-www-form-urlencoded
origin: https://dev.adfs.federation.deleted
pragma: no-cache
referer: https://dev.adfs.federation.deleted/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Microsoft Edge";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.119 Safari/537.36 Edg/98.0.1108.76

SAML Response (decoded):

<samlp:Response ID="_df09235a-cd8e-40bf-a5b4-03aa6c1bf55e" Version="2.0" IssueInstant="2022-03-29T21:02:57.580Z" Destination="https://oitctxwbdcsp1.*deleted*/ADFSTest" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_ca71b9ef-4bf8-45b3-930c-a7bbe58a0dc0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dev.adfs.federation.*deleted*/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_df09235a-cd8e-40bf-a5b4-03aa6c1bf55e">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>3Z+f+F61txOvBDBdtd2TXlt51Gs8mxXgtBJQu4zVXfE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>X2hy*deleted*</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC8*deleted*</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    </samlp:Status>
</samlp:Response>

RelayState: https://oitctxwbdcsp1.*deleted/ADFSTest/=%2F

Additional Info: The ADFS IdP reads metadata from a URL that I have provided them. The metadata looks like this:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2032-03-12T19:19:05Z"
                     cacheDuration="PT604800S"
                     entityID="https://oitctxwbdcsp1.*deleted*">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://oitctxwbdcsp1.*deleted*/ADFSTest" index="0" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

The appsettings.json is as follows:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "Saml2": {
    "IdPMetadata": "https://dev.adfs.federation.*deleted*/federationmetadata/2007-06/federationmetadata.xml",
    "Issuer": "https://oitctxwbdcsp1.*deleted*",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "AllowedHosts": "*"
}

I am new to SAML2 and authentication in general.

Solution 1:[1]

You are getting an error in the SAML Response from AD FS. The error status is urn:oasis:names:tc:SAML:2.0:status:Responder.

There is an error on AD FS stopping the login sequence.
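A small SP-side diagnostic, added here as an example (not the answerer's code and not part of itfoxtec-identity-saml2): it decodes the SAMLResponse form field, reads the StatusCode, and checks Destination and InResponseTo against what the SP expects, so a Responder status like the one above is reported as an IdP-side failure rather than surfacing as a bare 400. The hostnames sp.example.test and idp.example.test are constructed placeholders for the redacted ones; signature verification is left to the library.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample built from the Response in the question: same IDs and status,
# signature and certificate omitted, redacted hosts replaced by placeholder names.
SAMPLE_RESPONSE = (
    '<samlp:Response ID="_df09235a-cd8e-40bf-a5b4-03aa6c1bf55e" Version="2.0" '
    'IssueInstant="2022-03-29T21:02:57.580Z" Destination="https://sp.example.test/ADFSTest" '
    'InResponseTo="_ca71b9ef-4bf8-45b3-930c-a7bbe58a0dc0" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://idp.example.test/adfs/services/trust</Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>'
    '</samlp:Response>'
)
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

def inspect_saml_response(form_value, expected_acs, expected_request_id):
    # Decode the SAMLResponse form field and report why an SP would reject it.
    # Signature verification is left to the SAML library; these checks are the
    # ones that fail before any assertion would be examined.
    root = ET.fromstring(base64.b64decode(form_value))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    sub = code.find("samlp:StatusCode", NS) if code is not None else None
    message = root.find("samlp:Status/samlp:StatusMessage", NS)
    report = {
        "status": code.get("Value") if code is not None else None,
        "sub_status": sub.get("Value") if sub is not None else None,
        "message": message.text if message is not None else None,
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "assertion_present": root.find("saml:Assertion", NS) is not None
        or root.find("saml:EncryptedAssertion", NS) is not None,
        "problems": [],
    }
    if report["status"] != SUCCESS:
        report["problems"].append("non-Success status: the login failed on the AD FS side")
    if root.get("Destination") != expected_acs:
        report["problems"].append("Destination does not match this SP's ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        report["problems"].append("InResponseTo does not match the AuthnRequest we issued")
    if report["status"] == SUCCESS and not report["assertion_present"]:
        report["problems"].append("Success status but no Assertion in the Response")
    return report
```

Log the returned report on the ACS endpoint before handing the message to the library; for a Responder status the useful detail is in the AD FS event log on the IdP, not in the SP.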

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Anders Revsgaard