Authentication_SAML_Expired_Request when accessing WSS
Article ID: 195447
Updated On:
Products
Issue/Introduction
WSS setup with SAML authentication
Problem occurs independent of IP or Cookie based surrogate configuration
Microsoft ADFS server acting as SAML Identity Provider
When users access a Web site via WSS, the host is redirected to the IDP server via WSS where the authentication completes and SSO to WSS is successful. If the same user tries the IDP initiated approach instead i.e. they access the following URL on the ADFS server - /adfs/ls/idpinitiatedsignon.htm - and select the WSS SAML SP, the user gets the following error message rendered on the browser:
Cause
WSS mandates that users login using the SP initiated approach. There is no support for the IDP initiated approach.
The reason the expiration message is returned is that WSS SP cannot map the assertion response to a corresponding Authentication request, and assumes an error.
Environment
Microsoft ADFS
Any Browser type
Any WSS access method that uses SAML
Resolution
Make sure that all users access WSS via the SP initiated URL i.e. by simply accessing WSS and allowing WSS redirect to the SAML IDP server.
Attachments
Feedback
