I have fixed this issue. The problem occurs when CAS redirects to AD FS: it does not retain the RelayState. You can fix this by saving this parameter and resending it with the redirect URL to AD FS. Good luck
On Tue, Mar 7, 2017, 8:50 PM Robert Ledermüller <[email protected]> wrote:

> Hi,
>
> I'm having the exact same issue. Did you find any solution yet?
>
> Best
> -- Robert
>
>
> On Tuesday, November 22, 2016 at 11:37:36 AM UTC+1, Lê Thành wrote:
>
> Hi,
>
> I'm configuring CAS 5.0.0 (Release) to work with AD FS 3 by SAML2
> Authentication. In my case CAS acts as an IdP; everything works fine, but AD FS
> can't parse the SAMLResponse. It throws an exception:
>
> Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS7029: The SAML response has content that is not supported.
>    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
>
> against SAMLResponse:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>     Destination="https://leth.teca.vn/adfs/ls/"
>     ID="_8125126804174747431"
>     InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>     IssueInstant="2016-11-22T09:07:03.187Z" Version="2.0"
>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cas.bhxh.vn:8443/cas/idp
>   </saml2:Issuer>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#_8125126804174747431">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:Transform>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>DlBC3aKXqTSiFelrBEk5jbgsQeMlDWLMvkeZ7wuaPGA=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>
> OG+wEuMdzIyM3yLTpB2RnbicKcCBHRt9et9Cti60Qs8N3G+maQCiOvgbKmzdoZsM9y2HTGiNkgkB
> 9qUsAO072PyOhtH5IkDe72eMB5QzhVkNPPOkhME0wo4lxTI/gvfG/vnJwkYtAignlOkl9/zppWeG
> 2FEeZFA/MoirpiheP2R+hEZVQw8aftF0a2Quy/GpVs3dWRN5nZXSPAkoYEtTmLcWGOjkZYul563X
> GUbHreYxHBLFT8IYvcD6bJwKp9S1MNOfGOBddkH5FiA1Ena0gP4ONCGZ/Q+JDshTBuPZ3yJrjGMl
> oOjRlw2sk741f+jHcATtxk7r6pyq71PwgwrJXg==
>     </ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
>         </ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>   </saml2p:Status>
>   <saml2:Assertion ID="_6777774035950654943"
>       IssueInstant="2016-11-22T09:07:03.128Z" Version="2.0"
>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>     <saml2:Issuer>https://cas.bhxh.vn:8443/cas/idp</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>         <ds:Reference URI="#_6777774035950654943">
>           <ds:Transforms>
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>               <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transform>
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>           <ds:DigestValue>7kDPmghSrp8C7L0RW1LxToCS1KlKEXV3T3oUJjhorAk=</ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue>
> cmuGUsUU2vUYQW4+enWyDi/eSUYHMAU2NTVqZFjksIIwR7Pp192fBlDmoFsmLDBVx77yOdjeQ1yh
> jOMCMk1zljpwRhAVvUzk6Oi8wr9VKkMl5jX15cKb7mZnABAG7R3/H5uLPzPCWhxlai/T2XwC4it9
> L/4kj7yLJsyLcWQjYTmomsdBWPD52P9YQ5pOZ8xbbayA1nT6J9LV0MkixsNvQ6FK5Pe20XY1W8ev
> 9qSg1YUeqr9rpQnOWiZHPx/pCyHIJFGFfvBjc29FJUwJmLsrRnrtLA7ZJJGJfys1+Z9LnJ4Wrv75
> u8a3yOOhDZi63mBlhAAMiy51OTfMaFLOg3U45w==
>       </ds:SignatureValue>
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
>           </ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </ds:Signature>
>     <saml2:Subject>
>       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]
>       </saml2:NameID>
>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>             NotOnOrAfter="2016-11-22T09:12:03.022Z"/>
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2016-11-22T09:07:03.151Z"
>         NotOnOrAfter="2016-11-22T09:12:03.151Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>http://leth.teca.vn/adfs/services/trust</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement AuthnInstant="2016-11-22T09:07:03.022Z">
>       <saml2:SubjectLocality Address="http://leth.teca.vn/adfs/services/trust"/>
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>         </saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>     <saml2:AttributeStatement>
>       <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
>           Name="samlAuthenticationStatementAuthMethod">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>           urn:oasis:names:tc:SAML:1.0:am:password
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>           2016-11-22T16:07:02.927+07:00[Asia/Bangkok]
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>           WsAuthenticationHandler
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>           WsAuthenticationHandler
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
>           Name="longTermAuthenticationRequestTokenUsed">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>           false
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="email" Name="email">
>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>           [email protected]
>         </saml2:AttributeValue>
>       </saml2:Attribute>
>     </saml2:AttributeStatement>
>   </saml2:Assertion>
> </saml2p:Response>
>
>
> I don't know the reason, while the SAMLResponse from Shibboleth I got
> before had the same tags except for the attribute names.
> Please help!
>
> Thanks
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/aBqlYZsbQFY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/123bc5bc-a305-4946-be4a-d31726a2ac69%40apereo.org.

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAF0y-pihFdkgtCt6FGu%3DU6Ckb%3Ddo6y8-rJQWW0GG58AZ8w2a1A%40mail.gmail.com.
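As an added illustration of the fix the reply describes (the IdP keeping RelayState across its own redirect and returning it with the Response) and of the checks a relying party applies to a Response shaped like the one quoted in the thread, here is a constructed Python example. It is not code from CAS, AD FS or this thread: the entity IDs and URLs are hypothetical placeholders, the Response it builds is a stripped-down version of the quoted one, and XML signature verification is deliberately left out (a real RP verifies the signature before anything else, and parses untrusted XML with a hardened parser such as defusedxml rather than plain xml.etree).

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed example, not CAS or AD FS code; the endpoints are hypothetical placeholders.
# XML signatures are NOT verified here; a real RP verifies them before trusting any field.
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "http://sp.example/adfs/services/trust"
ACS_URL = "https://sp.example/adfs/ls/"
IDP_ENTITY_ID = "https://idp.example/cas/idp"

def fmt(dt):  # SAML dateTime: UTC, millisecond precision
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)

def iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self):
        self.pending = {}  # request ID -> RelayState sent with it

    def build_redirect(self, relay_state):
        request_id = "id-" + str(uuid.uuid4())
        xml = '<saml2p:AuthnRequest xmlns:saml2p="%s" ID="%s" Version="2.0"/>' % (NS["saml2p"], request_id)
        self.pending[request_id] = relay_state
        # HTTP-Redirect binding: raw DEFLATE (zlib header and trailer stripped), then base64.
        deflated = zlib.compress(xml.encode())[2:-4]
        return urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})

    def consume(self, form, now):
        """Return the problems found in a POSTed form; an empty list means acceptable."""
        problems = []
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
        in_response_to = root.get("InResponseTo")
        expected_relay = self.pending.pop(in_response_to, None)  # each request ID is usable once
        if expected_relay is None:
            problems.append("InResponseTo does not match an outstanding request")
        elif form.get("RelayState") != expected_relay:
            problems.append("RelayState differs from the one we sent")
        if root.get("Destination") != ACS_URL:
            problems.append("Destination is not our ACS URL")
        code = root.find("saml2p:Status/saml2p:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            problems.append("status is not Success")
        assertion = root.find("saml2:Assertion", NS)
        if assertion is None:
            return problems + ["no Assertion"]
        cond = assertion.find("saml2:Conditions", NS)
        if not (iso(cond.get("NotBefore")) <= now < iso(cond.get("NotOnOrAfter"))):
            problems.append("assertion outside its validity window")
        audiences = [a.text.strip() for a in cond.iter("{%s}Audience" % NS["saml2"])]
        if SP_ENTITY_ID not in audiences:
            problems.append("AudienceRestriction does not name this RP")
        scd = assertion.find(".//saml2:SubjectConfirmationData", NS)
        if scd is None or scd.get("InResponseTo") != in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        return problems

class IdentityProvider:
    """The fix from the reply: keep RelayState with the request ID across the IdP's own redirect."""

    def __init__(self):
        self.saved = {}

    def receive(self, query_string):
        q = parse_qs(query_string)
        xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)
        request_id = ET.fromstring(xml).get("ID")
        self.saved[request_id] = q.get("RelayState", [""])[0]  # persist before redirecting
        return request_id

    def respond(self, request_id, subject, now, audience=SP_ENTITY_ID):
        exp = fmt(now + timedelta(minutes=5))
        xml = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
 ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{fmt(now)}" Destination="{ACS_URL}"
 InResponseTo="{request_id}"><saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
<saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
<saml2:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{fmt(now)}">
<saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer><saml2:Subject><saml2:NameID>{subject}</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="{request_id}" NotOnOrAfter="{exp}"/>
</saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="{fmt(now)}" NotOnOrAfter="{exp}"><saml2:AudienceRestriction>
<saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion></saml2p:Response>"""
        # HTTP-POST binding: base64 XML plus the RelayState saved in receive().
        return {"SAMLResponse": base64.b64encode(xml.encode()).decode(),
                "RelayState": self.saved.pop(request_id)}

def round_trip(relay_state="/app/return", audience=SP_ENTITY_ID, tamper=None, times=1):
    """One exchange; `tamper` edits the POST form first, `times` presents it repeatedly."""
    sp, idp, now = ServiceProvider(), IdentityProvider(), datetime.now(timezone.utc)
    form = idp.respond(idp.receive(sp.build_redirect(relay_state)), "[email protected]", now, audience)
    if tamper:
        tamper(form)
    return [sp.consume(form, now) for _ in range(times)][-1]
```

`round_trip()` returns an empty list for a clean exchange. Dropping the RelayState from the POST (the symptom in the reply), replacing it with a different value, issuing the Assertion for another Audience, or presenting the same Response twice each produces the matching problem string, which is the level of detail an RP should log so that a rejected Response can be diagnosed from the RP side rather than from the IdP's output alone.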
