ACS75005 "The request is not a valid SAML2 protocol message." Shown whenever I connect to Windows Azure Active Directory using SAML
I am trying to use Windows Azure Active Directory as the IdP in a web application. My code works fine with other SAML IdPs but gives the following message only on Windows Azure!
Sign in
Sorry, but we cannot sign you in.
We got a bad request. Additional technical information:
Trace ID: 8377e605-6b9f-47be-8547-5fce7f4285af
Timestamp: 2014-08-04 13:31:27Z
ACS75005:
The request is not a valid SAML2 protocol message.
I replaced my code and used the SAML request that Microsoft posted here, only replacing some values, but I still get the same error message!
What's wrong with my request? And how can I get more details about this error?
Note that my application is registered under Applications in Windows Azure AD.
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_56dbfeac-107a-46d2-b989-651f90107312" Version="2.0" IssueInstant="2014-08-04T13:28:05Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">SOMETHING</Issuer>
</samlp:AuthnRequest>
Edit 001: After making the change suggested by Dushayant, the request becomes:
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_efcebb45-5ee6-42df-ace4-a343f28f5a46"
Version="2.0" IssueInstant="2014-08-07T06:29:09Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">SOMETHING</Issuer>
</samlp:AuthnRequest>
But still the same error is displayed!
Also, please find the test project I'm using here. Just replace the values in AppSettings in web.config with your SAML settings.
Use
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
instead of
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
I believe you followed what we're documenting here: http://msdn.microsoft.com/en-us/library/azure/dn195589.aspx . If so, you found a mistake in that article; sorry about that.
Hope this helps.
Gomam, I looked at your code. The problem was the encoding of the AuthnRequest. I changed it to standard deflate encoding and it worked.
using System;
using System.IO;
using System.IO.Compression;
using System.Text;

// id, issue_instant and appSettings (with its Issuer property) are fields of the
// surrounding class in the test project; only the method body is shown here.
public string GetAzureRequest(AuthRequestFormat format)
{
    string xml = @"<samlp:AuthnRequest xmlns=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""#ID""
Version=""2.0"" IssueInstant=""#DATE""
xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"">
<Issuer xmlns=""urn:oasis:names:tc:SAML:2.0:assertion"">#ISSUER</Issuer>
</samlp:AuthnRequest>";
    xml = xml.Replace("#DATE", issue_instant);
    xml = xml.Replace("#ID", id);
    xml = xml.Replace("#ISSUER", appSettings.Issuer);
    xml = xml.Replace("\r\n", "");
    if (format == AuthRequestFormat.Base64)
    {
        /*COMMENTED THIS OUT: plain base64 of the XML, which Azure rejected*/
        //byte[] toEncodeAsBytes = System.Text.ASCIIEncoding.ASCII.GetBytes(requestDocument.OuterXml);
        //string result = System.Convert.ToBase64String(toEncodeAsBytes);
        //return result;
        /*ADDED THIS: raw DEFLATE (no zlib header) of the UTF-8 XML, then base64*/
        MemoryStream memoryStream = new MemoryStream();
        // leaveOpen: true keeps memoryStream readable after the writer closes the DeflateStream
        StreamWriter writer = new StreamWriter(new DeflateStream(memoryStream, CompressionMode.Compress, true), new UTF8Encoding(false));
        writer.Write(xml);
        writer.Close(); // closing the writer flushes and finishes the deflate stream
        string result = Convert.ToBase64String(memoryStream.GetBuffer(), 0, (int)memoryStream.Length, Base64FormattingOptions.None);
        return result;
    }
    return null;
}
I believe there is a namespace mismatch here... the SAMLRequest should look like this.
<samlp:AuthnRequest
ID="_efcebb45-5ee6-42df-ace4-a343f28f5a46"
Version="2.0" IssueInstant="2014-08-07T06:29:09Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">SOMETHING</Issuer>
</samlp:AuthnRequest>
The Issuer element must be in the "urn:oasis:names:tc:SAML:2.0:assertion" namespace and the AuthnRequest element in the "urn:oasis:names:tc:SAML:2.0:protocol" namespace.
Of course, this needs to be deflated + base64 encoded. If you are using the HTTP-Redirect binding, then also URL-encode it before embedding it in the URL.
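As an added example that is not part of the question or any of the answers above, the Python script below puts the two points of this thread side by side: the AuthnRequest element in the protocol namespace with its Issuer child in the assertion namespace, and the raw DEFLATE + base64 + URL-encoding the HTTP-Redirect binding requires, next to the plain base64 that the question's original code produced. It goes a little beyond the thread by checking the required attributes (ID, Version, IssueInstant) as well as the namespaces, so it can be pointed at any SAMLRequest value pulled from a failing redirect. The issuer "https://sp.example.com/metadata" and the IdP endpoint "https://idp.example.com/saml2" are constructed placeholders, and the `root_ns` parameter exists only so the checker can be shown rejecting a wrongly-namespaced request.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"     # AuthnRequest belongs here
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"     # Issuer belongs here
METADATA_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # never the namespace of a protocol message


def build_authn_request(issuer, request_id=None, issue_instant=None, root_ns=SAMLP_NS):
    """Build a minimal SP-initiated AuthnRequest as a string.

    root_ns is only here so the example can hand the checker a wrongly-namespaced
    request; real callers leave it at SAMLP_NS.
    """
    # ID is an xs:ID (NCName) and must not start with a digit, hence the "_" prefix.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{root_ns}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}">'
        f'<saml:Issuer xmlns:saml="{SAML_NS}">{escape(issuer)}</saml:Issuer>'
        "</samlp:AuthnRequest>"
    )


def check_authn_request(xml_str):
    """Return the problems found in an AuthnRequest; an empty list means it passed."""
    try:
        root = ET.fromstring(xml_str)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        problems.append(f"root element is {root.tag}, expected {{{SAMLP_NS}}}AuthnRequest")
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            problems.append(f"missing required attribute {attr}")
    if root.get("Version", "2.0") != "2.0":
        problems.append(f"Version is {root.get('Version')!r}, expected '2.0'")
    # find() only inspects direct children, which is exactly where Issuer must sit.
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append(f"no non-empty Issuer child in namespace {SAML_NS}")
    return problems


def encode_plain_base64(xml_str):
    """What the question's original code did: base64 of the XML with no compression."""
    return base64.b64encode(xml_str.encode("utf-8")).decode("ascii")


def encode_redirect(xml_str):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw deflate stream
    data = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_url(sso_url, xml_str, relay_state=None):
    """Build the redirect to the IdP; urlencode() percent-encodes the '+', '/' and '=' of base64."""
    params = {"SAMLRequest": encode_redirect(xml_str)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def decode_redirect_url(url):
    """Recover the AuthnRequest XML from a URL built by redirect_url()."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def inspect_saml_request(param):
    """Check an already URL-decoded SAMLRequest value, flagging the plain-base64 mistake."""
    try:
        raw = base64.b64decode(param, validate=True)
    except ValueError as exc:
        return [f"SAMLRequest is not valid base64: {exc}"]
    if raw.lstrip().startswith(b"<"):
        return ["SAMLRequest is base64 of the raw XML; the Redirect binding needs DEFLATE first"]
    try:
        xml_str = zlib.decompress(raw, -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError) as exc:
        return [f"SAMLRequest does not decompress as raw DEFLATE: {exc}"]
    return check_authn_request(xml_str)


if __name__ == "__main__":
    # Constructed placeholders: a hypothetical SP entity ID and IdP SSO endpoint.
    good = build_authn_request("https://sp.example.com/metadata")
    print("good request:", check_authn_request(good))
    print("wrong root namespace:", check_authn_request(
        build_authn_request("https://sp.example.com/metadata", root_ns=METADATA_NS)))
    print(redirect_url("https://idp.example.com/saml2", good, relay_state="return-to-dashboard"))
    print("plain base64:", inspect_saml_request(encode_plain_base64(good)))
    print("deflate+base64:", inspect_saml_request(encode_redirect(good)))
```

To diagnose a live failure, take the SAMLRequest value out of the redirect URL (URL-decoded, as `parse_qs` does) and pass it to `inspect_saml_request`; it reports whether the value is plain base64, fails to inflate, or inflates to XML with the wrong root or Issuer namespace.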