MSIS7085: The server requires a signed SAML authentication request but no signature is present.

[rdalm...@gmail.com]

Hi,

When setting up SimpleSAMLphp with ADFS I am running into an issue I have not encountered before. 

The error message is: 

MSIS7085: The server requires a signed SAML authentication request but no signature is present.

A search shows me a thread with the same error message but the solution there does not seem to be applicable to my situation.

This is the thread I found:

https://groups.google.com/g/simplesamlphp/c/1lt3Jw_wMHI/m/O2qEBSIhBQAJ

The setup I am working with is a SimpleSAMLphp client on one site and Microsoft ADFS on the other side. ADFS is the IDP and SimpleSAMLphp is the SP.

SSP has read the metadata from ADFS and ADFS has read the metadata from SSP. So far so good, now when I start the login process ADFS spits out the error "MSIS7085: The server requires a signed SAML authentication request but no signature is present." This even happens when we turn off the trust on the ADFS side.

In the authsources.php we have set the following parameters:

sign.logout' => true,
'redirect.sign' => true,
'assertion.encryption' => true,

A certificate is also generated and set in the authsources.php. After refreshing and importing the metadata after that, the error still shows up.

Interesting to know is that this same setup works fine with SSP 1.x but when we switch this working configuration to SSP 2.x the error comes. It is almost as if SSP 2 works different with ADFS than SSP 1 does.

At this moment I have tested so much and tried so much I can't see what I might be missing here. 

If anybody has any pointers that would be appreciated. If you need any more information let me know.

Kind regards,

RolandD

[monk...@gmail.com]

You could run SAMLTracer on the login attempts. It should shine some light onto if/how the samlp:AuthnRequest is signed in the SSP 1.x and SSP 2.x versions.

If the signature was here in 1.x and is not there any more then we have a good place to start.