Authentication_SAML_Expired_Request when accessing WSS


Article ID: 195447



Web Security Service - WSS


WSS setup with SAML authentication

The problem occurs regardless of whether IP-based or cookie-based surrogates are configured

Microsoft ADFS server acting as SAML Identity Provider

When a user accesses a website through WSS, WSS redirects the browser to the IdP (the SP-initiated flow), authentication completes at ADFS, and SSO to WSS succeeds. If the same user instead uses the IdP-initiated flow, i.e. opens /adfs/ls/idpinitiatedsignon.htm on the ADFS server and selects the WSS SAML SP from the list of relying parties, the browser renders the Authentication_SAML_Expired_Request error message.

WSS requires users to log in via the SP-initiated flow. The IdP-initiated flow is not supported.

The expiration message is returned because the WSS SP receives a SAML Response that it cannot map to an AuthnRequest it issued. An IdP-initiated response is unsolicited: it carries no InResponseTo value that matches an outstanding WSS request, so WSS treats it as an expired (invalid) request and fails the login.
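The following is an added example, not WSS code, showing the SP-side bookkeeping that produces this behaviour: the SP remembers the IDs of the AuthnRequests it sent and accepts a Response only if its InResponseTo matches one of them (once, and within a time limit). An IdP-initiated response from idpinitiatedsignon.htm has no InResponseTo, so it can never match. The sample responses are constructed, the signature is omitted, the five-minute TTL is an assumed value, and the error label reused for every failed check is the one from the article title, not an assertion about how WSS labels each case internally.

```python
"""Added example: SP-side correlation of a SAML Response with the AuthnRequest
that triggered it. Not WSS code; it illustrates why an IdP-initiated response
cannot be mapped to a request and is rejected."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Error label taken from the article title; using one label for every failed
# check is an assumption made for illustration.
EXPIRED = "Authentication_SAML_Expired_Request"


class SamlServiceProvider:
    """Tracks outstanding AuthnRequest IDs and accepts only responses to them."""

    def __init__(self, request_ttl=timedelta(minutes=5)):  # TTL is an assumed value
        self.pending = {}          # AuthnRequest ID -> time issued
        self.request_ttl = request_ttl

    def issue_authn_request(self, now):
        """SP-initiated flow: the SP redirects the browser to the IdP with a fresh request ID."""
        request_id = "_" + uuid.uuid4().hex
        self.pending[request_id] = now
        return request_id

    def consume_response(self, response_xml, now):
        """Assertion Consumer Service logic. Returns (accepted, detail)."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")
        if not in_response_to:
            # Unsolicited response: this is what an IdP-initiated sign-on produces.
            return False, EXPIRED
        issued_at = self.pending.pop(in_response_to, None)  # one-time use
        if issued_at is None:
            # Unknown ID, or a replay of a response whose request was already consumed.
            return False, EXPIRED
        if now - issued_at > self.request_ttl:
            return False, EXPIRED
        # The bearer SubjectConfirmationData must reference the same request.
        scd = root.find(
            "saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("InResponseTo") != in_response_to:
            return False, EXPIRED
        name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
        return True, name_id.text


def build_response(name_id, in_response_to=None):
    """Constructed sample response in the general shape an IdP such as ADFS sends
    (signature omitted). With in_response_to=None it models the IdP-initiated case."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"{attr}>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{attr}/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sp = SamlServiceProvider()
    # SP-initiated: the IdP answers the request the SP issued.
    rid = sp.issue_authn_request(now=t0)
    sp_initiated = sp.consume_response(build_response("alice@example.com", rid), now=t0 + timedelta(seconds=30))
    # Replay of the same response: the request ID was already consumed.
    replay = sp.consume_response(build_response("alice@example.com", rid), now=t0 + timedelta(seconds=31))
    # IdP-initiated via idpinitiatedsignon.htm: no InResponseTo at all.
    idp_initiated = sp.consume_response(build_response("alice@example.com"), now=t0 + timedelta(seconds=30))
    # SP-initiated, but the user sat on the IdP login page longer than the request TTL.
    stale_rid = sp.issue_authn_request(now=t0)
    stale = sp.consume_response(build_response("alice@example.com", stale_rid), now=t0 + timedelta(minutes=10))
    return sp_initiated, replay, idp_initiated, stale


if __name__ == "__main__":
    for label, result in zip(("sp_initiated", "replay", "idp_initiated", "stale"), demo()):
        print(label, result)
```

Only the first case is accepted; the unsolicited, replayed and stale responses all end in the same rejection, which is why the symptom looks like an "expired request" even though the IdP-initiated login itself completed successfully at ADFS.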


Microsoft ADFS

Any Browser type

Any WSS access method that uses SAML


Make sure that all users authenticate through the SP-initiated flow, i.e. by simply accessing a website through WSS and letting WSS redirect the browser to the SAML IdP. Do not direct users to the ADFS IdP-initiated sign-on page as a way into WSS.