Hi,

I'm configuring CAS 5.0.0 (Release) to work with AD FS 3 by SAML2 
Authentication. In my case CAS acts as an IdP; everything works fine, but AD 
FS can't parse the SAMLResponse. It throws an exception:

> Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS7029: The SAML response has content that is not supported.
>    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

against SAMLResponse:

> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>                  Destination="https://leth.teca.vn/adfs/ls/"
>                  ID="_8125126804174747431" InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>                  IssueInstant="2016-11-22T09:07:03.187Z" Version="2.0"
>                  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cas.bhxh.vn:8443/cas/idp
>     </saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>             <ds:Reference URI="#_8125126804174747431">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                         <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transform>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <ds:DigestValue>DlBC3aKXqTSiFelrBEk5jbgsQeMlDWLMvkeZ7wuaPGA=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>
>             
> OG+wEuMdzIyM3yLTpB2RnbicKcCBHRt9et9Cti60Qs8N3G+maQCiOvgbKmzdoZsM9y2HTGiNkgkB
>             
> 9qUsAO072PyOhtH5IkDe72eMB5QzhVkNPPOkhME0wo4lxTI/gvfG/vnJwkYtAignlOkl9/zppWeG
>             
> 2FEeZFA/MoirpiheP2R+hEZVQw8aftF0a2Quy/GpVs3dWRN5nZXSPAkoYEtTmLcWGOjkZYul563X
>             
> GUbHreYxHBLFT8IYvcD6bJwKp9S1MNOfGOBddkH5FiA1Ena0gP4ONCGZ/Q+JDshTBuPZ3yJrjGMl
>             oOjRlw2sk741f+jHcATtxk7r6pyq71PwgwrJXg==
>         </ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:X509Data>
>                 
> <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
>                     
> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
>                     
> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
>                     
> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
>                     
> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
>                     
> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
>                     
> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
>                     
> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
>                     
> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
>                     
> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
>                     
> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
>                     
> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
>                     
> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
>                     
> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
>                 </ds:X509Certificate>
>             </ds:X509Data>
>         </ds:KeyInfo>
>     </ds:Signature>
>     <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>         <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>     </saml2p:Status>
>     <saml2:Assertion ID="_6777774035950654943" IssueInstant="2016-11-22T09:07:03.128Z" Version="2.0"
>                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>         <saml2:Issuer>https://cas.bhxh.vn:8443/cas/idp</saml2:Issuer>
>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                 <ds:Reference URI="#_6777774035950654943">
>                     <ds:Transforms>
>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                             <ec:InclusiveNamespaces PrefixList="xsd"
>                                                     xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                         </ds:Transform>
>                     </ds:Transforms>
>                     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                     <ds:DigestValue>7kDPmghSrp8C7L0RW1LxToCS1KlKEXV3T3oUJjhorAk=</ds:DigestValue>
>                 </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>
>                 
> cmuGUsUU2vUYQW4+enWyDi/eSUYHMAU2NTVqZFjksIIwR7Pp192fBlDmoFsmLDBVx77yOdjeQ1yh
>                 
> jOMCMk1zljpwRhAVvUzk6Oi8wr9VKkMl5jX15cKb7mZnABAG7R3/H5uLPzPCWhxlai/T2XwC4it9
>                 
> L/4kj7yLJsyLcWQjYTmomsdBWPD52P9YQ5pOZ8xbbayA1nT6J9LV0MkixsNvQ6FK5Pe20XY1W8ev
>                 
> 9qSg1YUeqr9rpQnOWiZHPx/pCyHIJFGFfvBjc29FJUwJmLsrRnrtLA7ZJJGJfys1+Z9LnJ4Wrv75
>                 u8a3yOOhDZi63mBlhAAMiy51OTfMaFLOg3U45w==
>             </ds:SignatureValue>
>             <ds:KeyInfo>
>                 <ds:X509Data>
>                     
> <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
>                         
> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
>                         
> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
>                         
> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
>                         
> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
>                         
> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
>                         
> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
>                         
> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
>                         
> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
>                         
> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
>                         
> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
>                         
> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
>                         
> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
>                         
> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
>                     </ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </ds:Signature>
>         <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]
>             </saml2:NameID>
>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml2:SubjectConfirmationData InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>                                                NotOnOrAfter="2016-11-22T09:12:03.022Z"/>
>             </saml2:SubjectConfirmation>
>         </saml2:Subject>
>         <saml2:Conditions NotBefore="2016-11-22T09:07:03.151Z" NotOnOrAfter="2016-11-22T09:12:03.151Z">
>             <saml2:AudienceRestriction>
>                 <saml2:Audience>http://leth.teca.vn/adfs/services/trust</saml2:Audience>
>             </saml2:AudienceRestriction>
>         </saml2:Conditions>
>         <saml2:AuthnStatement AuthnInstant="2016-11-22T09:07:03.022Z">
>             <saml2:SubjectLocality Address="http://leth.teca.vn/adfs/services/trust"/>
>             <saml2:AuthnContext>
>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>                 </saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>         </saml2:AuthnStatement>
>         <saml2:AttributeStatement>
>             <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
>                              Name="samlAuthenticationStatementAuthMethod">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>                     urn:oasis:names:tc:SAML:1.0:am:password
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>                     2016-11-22T16:07:02.927+07:00[Asia/Bangkok]
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>                     WsAuthenticationHandler
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>                     WsAuthenticationHandler
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
>                              Name="longTermAuthenticationRequestTokenUsed">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>                     false
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="email" Name="email">
>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>                     [email protected]
>                 </saml2:AttributeValue>
>             </saml2:Attribute>
>         </saml2:AttributeStatement>
>     </saml2:Assertion>
> </saml2p:Response>

I don't know the reason, while the SAMLResponse from Shibboleth I got before 
had the same tags except the attribute name.
Please help!

Thanks

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7dccfdb2-5e4e-4e1e-b4cc-b9ddaacc000a%40apereo.org.
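
The post compares the rejected CAS response with a Shibboleth response that AD FS accepted. As an added example (not part of the original post, and not CAS or AD FS code), this Python script reduces two SAML responses to their element and attribute paths, ignoring all values, and lists where the two structures differ. The function names and the two shortened sample documents are constructed for illustration; the differences in them are arbitrary and do not identify the cause of MSIS7029.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Fixed prefixes so two IdPs that pick different prefixes still compare equal.
PREFIX = {
    "urn:oasis:names:tc:SAML:2.0:protocol": "saml2p",
    "urn:oasis:names:tc:SAML:2.0:assertion": "saml2",
    "http://www.w3.org/2000/09/xmldsig#": "ds",
}

def qname(tag):
    """Map ElementTree's '{uri}local' form to 'prefix:local'."""
    uri, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return f"{PREFIX.get(uri, uri)}:{local}" if uri else local

def shape(xml_text):
    """Count every element path and 'path@attribute', ignoring all values."""
    seen = Counter()
    def walk(el, parent):
        path = f"{parent}/{qname(el.tag)}"
        seen[path] += 1
        for attr in el.attrib:
            seen[f"{path}@{qname(attr)}"] += 1
        for child in el:
            walk(child, path)
    # Diagnostic use on responses you captured yourself, not untrusted input.
    walk(ET.fromstring(xml_text), "")
    return seen

def shape_diff(accepted, rejected):
    """Structural differences between an accepted and a rejected response."""
    a, b = shape(accepted), shape(rejected)
    return {
        "only_in_accepted": sorted(set(a) - set(b)),
        "only_in_rejected": sorted(set(b) - set(a)),
        "count_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

# Constructed, heavily shortened samples (not the responses from the post).
_NS = ('xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
       'xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"')
ACCEPTED = (f'<p:Response {_NS} ID="_1" Version="2.0"><a:Issuer>idp</a:Issuer>'
            '<p:Status><p:StatusCode Value="ok"/></p:Status>'
            '<a:Assertion ID="_2"><a:Issuer>idp</a:Issuer></a:Assertion></p:Response>')
REJECTED = (f'<p:Response {_NS} ID="_9" Version="2.0" Consent="c"><a:Issuer>idp</a:Issuer>'
            '<p:Status><p:StatusCode Value="ok"/><p:StatusMessage>ok</p:StatusMessage></p:Status>'
            '<a:Assertion ID="_8"><a:Issuer>idp</a:Issuer></a:Assertion></p:Response>')

if __name__ == "__main__":
    print(shape_diff(ACCEPTED, REJECTED))
```

Each path reported under `only_in_rejected` or `count_differs` is a candidate to check against the relying party's configuration and logs.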