ADFS Signing error

adfs

We have an ADFS server up and running that we use for SSO for Skype in the cloud, which works without an issue. Recently, we've set up a relying party trust with an external partner, who use their own federated service (one that they've written/configured themselves). They are the resource partner and we are the IdP.

When trying to access their application, we are hitting their web site but we're unable to log in. In the AD FS Admin event log, we see the following two events:

Event ID 303 – The federation Service encountered and error while processing the SAML authentication request : MSIS0037: No signature verification certificate found for issuer 'https://xxxxxxxxx.com'

Event ID 364 – Encountered error during federation passive request : MSIS0037: No signature verification certificate found for issuer 'https://xxxxxxxxx.com'

The properties of the relying party trust have SignedSAMLRequestsRequired set to False and SamlResponseSignature set to False.

I'm a little confused as to how to troubleshoot this. I'm assuming that my ADFS server is expecting a signed SAML authentication request but is unable to validate the signature. Could someone explain to me exactly what the identifier does in the RPT configuration?

TIA

Best Answer

According to the documentation on Technet for Set-ADFSRelyingPartyTrust, SAMLResponseSignature "[s]pecifies the response signatures that the relying party expects" (and doesn't accept "False" as argument). Thus it won't do what you want it to do (the service is the relying party, not ADFS).

Also, SignedSAMLRequestsRequired means it will accept unsigned requests but not signed requests whose signatures couldn't be verified.

So, I'd have a look at the certificate used by the service, especially whether it is trusted by your ADFS server. My guess is it's either self-signed or signed by an internal CA.
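As an added illustration of the check suggested in the answer (this script is not from the question, the answer, or Microsoft's documentation), the following PowerShell, run on the ADFS server, reads the relying party trust, prints the settings discussed above, and reports whether each request-signing certificate ADFS already holds chains to a root the server trusts. ADFS resolves the trust by matching the Issuer value in the partner's AuthnRequest against the trust's Identifier list, and verifies a signed request against the certificates in the trust's RequestSigningCertificate list; MSIS0037 is what you see when that list holds nothing usable for the issuer. The trust display name and the path to the partner's certificate file are placeholders.

```powershell
# Added example, not the original poster's or the answerer's code.
# Assumptions: the relying party trust display name and the partner
# certificate path below are placeholders; substitute your own values.
Import-Module ADFS

$rptName         = 'Partner App'               # placeholder display name of the trust
$partnerCertPath = 'C:\certs\partner-sp.cer'   # placeholder: partner's request-signing cert (public part)

$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
if (-not $rpt) { throw "Relying party trust '$rptName' not found" }

# The Identifier(s) must match the <saml:Issuer> the partner sends in its
# AuthnRequest; ADFS uses that value to find the trust before any signature check.
"Identifiers:                $($rpt.Identifier -join ', ')"
"SignedSamlRequestsRequired: $($rpt.SignedSamlRequestsRequired)"
"SamlResponseSignature:      $($rpt.SamlResponseSignature)"
"RequestSigningCertificates: $($rpt.RequestSigningCertificate.Count)"

# For each request-signing certificate already registered on the trust, show
# its identity and whether it chains to a CA this ADFS server trusts.
# Revocation checking is skipped here so the chain result reflects trust only.
foreach ($cert in $rpt.RequestSigningCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainsToTrustedRoot = $chain.Build($cert)
    "  subject={0} thumbprint={1} expires={2:yyyy-MM-dd} trustedChain={3}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $chainsToTrustedRoot
    if (-not $chainsToTrustedRoot) {
        $chain.ChainStatus | ForEach-Object { "    chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
    }
}

# If no request-signing certificate is registered and the partner does sign its
# AuthnRequests, register the partner's certificate on the trust. If that
# certificate is self-signed or issued by the partner's internal CA, the issuing
# CA also has to be imported into this server's Trusted Root store, otherwise
# the chain check above keeps failing.
if ($rpt.RequestSigningCertificate.Count -eq 0 -and (Test-Path $partnerCertPath)) {
    $partnerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $partnerCertPath
    Set-AdfsRelyingPartyTrust -TargetName $rptName -RequestSigningCertificate $partnerCert
    "Registered request-signing certificate $($partnerCert.Thumbprint) on '$rptName'"
}
```

Run it first without the partner certificate file present to get a read-only report; the `Set-AdfsRelyingPartyTrust` call only executes when the trust has no signing certificate and the file exists. If the report shows a certificate with `trustedChain=False`, the chain status lines tell you whether the missing piece is an untrusted root (import the partner's CA) or an expired certificate (ask the partner for a current one).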