SAML error for SSO with ADFS - MSIS0038: SAML Message has wrong signature

无人及你 2021-01-19 16:08

Hi, I am trying to use SSO to authenticate my client's users directly to my website. My client's IDP is Microsoft ADFS and I am using Passport-SAML (https://github.com/berg

3 answers
  • 2021-01-19 16:17

    I'm not familiar with Microsoft ADFS nor Passport-SAML, but when we had signature errors it was because the SHA1 fingerprint of the IdP certificate didn't match the one at our end.

    We fixed them by making sure the certificate is correctly formatted and then calculating the fingerprint.

    Format: https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate
    Fingerprint: https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint

    Hopefully this is your case.

  • 2021-01-19 16:21

    Not a Passport-SAML guru but the normal causes of this error with ADFS are:

    • A signing mismatch - ADFS expects the AuthRequest to be signed and it isn't or vice versa.

    • The signing certificate installed in this RP has expired or is the wrong one in the sense that it is not the certificate the client is using.

    At the RP level, look at:

    Get-ADFSRelyingPartyTrust

    [-SignedSamlRequestsRequired] [-SamlResponseSignature]

    or globally:

    Get-ADFSProperties

    SignedSamlRequestsRequired
    SignSamlAuthnRequests

    and check:

    Get-AdfsCertificate -CertificateType "Token-Signing"

  • 2021-01-19 16:33

    (following up from ADFS and PingFederate SSO : SAML Message has wrong signature)

    We're using a different library and it was a different issue for us (our customer actually had the wrong signature), but during the process of trying to debug, I happened upon this thread that sounds very similar to what you're describing.

    The fix is to install this hotfix. Can you check if your customer is on Windows Server 2008 and 2012, has 2843638 or 2843639 installed, and if so, install the hotfix if they haven't already? Just a shot in the dark...
