Authentication_SAML_Expired_Request when accessing WSS

Article ID: 195447

Products

Web Security Service - WSS

Issue/Introduction

WSS setup with SAML authentication

The problem occurs regardless of whether IP-based or cookie-based authentication surrogates are configured

Microsoft ADFS server acting as SAML Identity Provider

When a user accesses a Web site via WSS, WSS redirects the browser to the IDP server (SP-initiated flow), authentication completes there, and SSO to WSS succeeds. If the same user instead tries the IDP-initiated approach, i.e. opens /adfs/ls/idpinitiatedsignon.htm on the ADFS server and selects the WSS SAML SP from the list of relying parties, the browser renders the following error message: Authentication_SAML_Expired_Request

Cause

WSS requires that users log in using the SP-initiated approach. The IDP-initiated approach is not supported.

The expiration message is returned because the WSS SP cannot map the SAML Response it receives to an authentication request it issued. In the SP-initiated flow, WSS generates the AuthnRequest, records its ID, and expects the IDP's Response to reference that ID in its InResponseTo attribute. A Response produced by the IDP-initiated sign-on page is unsolicited: there is no InResponseTo value, so no pending request matches, and WSS treats the response as belonging to an expired or unknown request and reports Authentication_SAML_Expired_Request.
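The following is an added illustration of the correlation step described above, not WSS code and not a description of how WSS is implemented internally: a toy SAML SP keeps the IDs of the AuthnRequests it has issued and only accepts a Response whose InResponseTo matches one of them, so an unsolicited (IDP-initiated) Response has nothing to match and is rejected. The class and function names, the five-minute request lifetime and the minimal Response XML are assumptions made for the example; a real Response also carries a signed Assertion that must be verified.

```python
"""Toy SAML SP request/response correlation (added example, not WSS code).

Demonstrates why an unsolicited Response, as produced by an IdP-initiated
sign-on page, cannot be mapped to a pending AuthnRequest.
"""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class SpRequestTracker:
    """Remembers the IDs of AuthnRequests this SP issued, with a lifetime."""

    def __init__(self, ttl_seconds=300):  # 5-minute lifetime is an assumption
        self.ttl = ttl_seconds
        self.pending = {}  # AuthnRequest ID -> issue time (epoch seconds)

    def issue_authn_request(self, now=None):
        """Mint a new AuthnRequest ID. SAML xs:ID values must not start with a digit."""
        now = time.time() if now is None else now
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = now
        return request_id

    def validate_response(self, response_xml, now=None):
        """Return 'ok' or a rejection reason for an incoming <samlp:Response>."""
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return "not_a_response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited response: the IdP-initiated case. No request to map to.
            return "expired_request"
        issued = self.pending.pop(in_response_to, None)  # each ID is single-use
        if issued is None:
            return "expired_request"  # unknown ID, replay, or already consumed
        if now - issued > self.ttl:
            return "expired_request"  # request is too old to accept
        return "ok"


def build_response(in_response_to=None):
    """Constructed minimal Response for the example; omit InResponseTo to
    simulate an IdP-initiated (unsolicited) Response."""
    attrs = {"ID": "_" + secrets.token_hex(8), "Version": "2.0"}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    return ET.tostring(ET.Element(f"{{{SAMLP}}}Response", attrs), encoding="unicode")


if __name__ == "__main__":
    tracker = SpRequestTracker()
    rid = tracker.issue_authn_request()
    print("SP-initiated :", tracker.validate_response(build_response(rid)))
    print("IdP-initiated:", tracker.validate_response(build_response()))
```

Running the block prints `ok` for the SP-initiated case and `expired_request` for the unsolicited one; the same reason code is also returned for a replayed or stale InResponseTo, which is why a generic "expired request" message is what the user sees rather than a more specific one.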

Environment

Microsoft ADFS

Any Browser type

Any WSS access method that uses SAML

Resolution

Make sure that all users sign in to WSS via the SP-initiated flow, i.e. by simply browsing through WSS and allowing WSS to redirect the browser to the SAML IDP server. Do not point users at the ADFS IDP-initiated sign-on page (/adfs/ls/idpinitiatedsignon.htm) as the entry point for WSS.
