Event 320, AD FS. The verification of the SAML message signature failed. on logout.


Yanuar Kristian

May 14, 2014, 7:31:10 AM
to simple...@googlegroups.com
Hi All,

I have configured single sign on and single logout in simplesaml and office 365.
I use simplesaml as service provider and ADFS as identity provider.
I can sign on and logout successfully from my simplesaml.
But when I sign on from simplesaml, open my office 365 page and then log out from my office 365 page, I get this error shown in my ADFS event viewer:

The verification of the SAML message signature failed.
Message issuer: https://myadfs.com:444/simplesaml/module.php/saml/sp/metadata.php/default-sp
Exception details:
MSIS1010: Signed SAML message must have Destination URI specified

This request failed.

User Action
Verify that the message issuer configuration in the AD FS configuration database is up to date.
Configure the signing certificate for the specified issuer.
Verify that the issuer's certificate is up to date.
Verify the issuer and server message signing requirements

Can someone help me? Any suggestion would be appreciated.

Regards,

Yanuar
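The ADFS event quoted above is a policy check the IdP applies on receipt: MSIS1010 means a SAML protocol message that carries an XML signature must also carry the Destination attribute. As an added example (not from the original poster and not SimpleSAMLphp's or ADFS's own code), the following Python script parses a SAML 2.0 LogoutRequest and reports whether it is signed, whether Destination is present, and whether Destination matches the endpoint the message was actually received at, which SAML 2.0 Core requires the recipient to verify whenever the attribute is present. The sample messages, the entity ID and the SLO endpoint are constructed placeholders, and the ds:Signature element is a structural stand-in with a dummy value; the script does not verify signatures.

```python
"""Inspect a SAML 2.0 protocol message for the Destination checks an IdP
such as ADFS applies on receipt (MSIS1010) and that SAML 2.0 Core requires.

Added example, not part of the original thread. All URLs are placeholders."""

import xml.etree.ElementTree as ET
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder values (not taken from the thread).
SP_ENTITY_ID = "https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp"
IDP_SLO_ENDPOINT = "https://adfs.example.org/adfs/ls/"


def build_logout_request(signed: bool, destination: Optional[str]) -> str:
    """Build a minimal LogoutRequest for the demonstration.

    The ds:Signature element is a structural stand-in with a dummy value; it
    exists only so the inspector sees a 'signed' message. A real message
    carries a computed XML signature over the element."""
    dest_attr = f' Destination="{destination}"' if destination is not None else ""
    signature = (
        f'<ds:Signature xmlns:ds="{DS_NS}">'
        f'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
        if signed else ""
    )
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_constructed-1" Version="2.0" IssueInstant="2014-05-14T05:31:10Z"{dest_attr}>'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'{signature}'
        f'<saml:NameID>user@example.org</saml:NameID>'
        f'</samlp:LogoutRequest>'
    )


def inspect_message(xml_text: str, received_at: Optional[str] = None) -> dict:
    """Report the root element name, whether a ds:Signature child is present,
    the Destination attribute, and a list of problems found."""
    root = ET.fromstring(xml_text)
    name = root.tag.rsplit("}", 1)[-1]
    # The signature of a SAML protocol message is a direct child of the root.
    signed = root.find(f"{{{DS_NS}}}Signature") is not None
    destination = root.get("Destination")
    problems = []
    # ADFS policy (MSIS1010): a signed message must carry Destination.
    if signed and destination is None:
        problems.append("signed message has no Destination attribute (ADFS MSIS1010)")
    # SAML 2.0 Core 3.2.1: when Destination is present, the recipient must
    # check that it identifies the location where the message was received.
    if destination is not None and received_at is not None and destination != received_at:
        problems.append(f"Destination {destination} does not match receiving endpoint {received_at}")
    return {"message": name, "signed": signed, "destination": destination, "problems": problems}


if __name__ == "__main__":
    cases = {
        "signed, no Destination (the case in the thread)": build_logout_request(True, None),
        "signed, Destination set": build_logout_request(True, IDP_SLO_ENDPOINT),
        "unsigned, no Destination": build_logout_request(False, None),
    }
    for label, xml_text in cases.items():
        result = inspect_message(xml_text, received_at=IDP_SLO_ENDPOINT)
        status = "OK" if not result["problems"] else "REJECT"
        print(f"{label}: {status} {result['problems']}")
```

Running the script rejects only the first case, which is the shape of the message ADFS logged in the thread: signed, but without a Destination. An SP that signs its LogoutRequest and LogoutResponse messages should therefore always populate Destination with the IdP's single logout endpoint, and an IdP or SP receiving such a message should compare Destination with the URL it actually received the message on.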

Peter Schober

May 14, 2014, 10:31:41 AM
to simple...@googlegroups.com
* Yanuar Kristian <yanu...@gmail.com> [2014-05-14 13:31]:
> I use simplesaml as service provider and ADFS as identity provider.
[...]
> But when I sign on from simplesaml and open my office 365 page and then
> logout from my office 365 page I got this error shown in my ADFS event
> viewer:

So "office 365" is the SAML SP and MS-ADFS is the SAML IDP?
How does SimpleSAMLphp then enter the picture?
-peter

Yanuar Kristian

May 16, 2014, 2:37:59 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter,

Thanks for your reply.
I am not sure whether office365 is an SP or not.
Of course ADFS is the IDP.
I want my PHP application and office365 to be able to do single sign-on and single logout.
I mean that when I sign on from my PHP application, I can open my office365 mail without entering my username and password again.

Peter Schober

May 16, 2014, 4:04:23 AM
to simple...@googlegroups.com
* Yanuar Kristian <yanu...@gmail.com> [2014-05-16 08:38]:
> I am not sure that office365 is as SP or not.
> Of course ADFS is as IDP.
> I want my PHP application and office365 can do single sign on and single
> logout.

Service Providers (or SPs, for short) are web resources you want to
use, i.e. services that do something useful for you.
"office365" likely is such a thing and it can act as a SAML SP in some
capacity, from what I've read on the Internet.
So if that is one of your SAML SPs (your own PHP application being
another) and MS-ADFS acts as SAML IDP, SimpleSAMLphp doesn't have any
role to play in accessing "office365".
Note that if you're using MS-ADFS you're probably not talking SAML to
"office365" but whatever Microsoft offers there (some form of WS-* I
think).

Which leaves your PHP application. While you could try to use some
WS-* protocols with that too I don't know anything about that and
SimpleSAMLphp probably doesn't help here either.

So you could set up your MS-ADFS system as a SAML IDP (with which this
list can't help you) and use SimpleSAMLphp as the SAML SP for your PHP
application. That will likely still let subjects experience SSO when
using that "office365" thing and your PHP application together within
a reasonable amount of time.

If you want to proceed with turning your PHP application into a SAML SP
use the documentation provided. You can use the FEIDE OpenIDP as SAML
IDP for testing, and when you're satisfied with your SAML SP look into
making your MS-ADFS system work as a SAML IDP and make it interoperate
with your SimpleSAMLphp SP.
-peter