SAML2 Error SAML failed to login
10-19-2015 04:48 AM
Colleagues, can you give any advice on this confusing issue?
We have configured the Multi SSO plugin according to the Wiki articles. Our ADFS farm has two token-signing certificates: the first one will expire soon; it is set as Secondary and used for Office 365 SSO. The second one is set as Primary and we use it for Service Now SSO. We can see that SSO works fine when we connect to Service Now from a workstation outside the corporate domain. If we try to connect from a domain PC, it fails with this log:
- SAML2Error: SAML failed to login, Status code is urn:oasis:names:tc:SAML:2.0:status:Responder. When it is supposed to be urn:oasis:names:tc:SAML:2.0:status:Success
- SAML2: SAML2Error: SAML failed to login, Status code is urn:oasis:names:tc:SAML:2.0:status:Responder. When it is supposed to be urn:oasis:names:tc:SAML:2.0:status:Success: no thrown error
- Could not validate SAMLResponse
- SAML2: Could not validate SAMLResponse: no thrown error
The Windows log has this record:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
<Our instance URL>
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
When we change the certificate to the first one (which will expire soon) in the IdP record in Service Now, it continues to fail from a domain PC.
Labels: Instance Configuration
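A small diagnostic for a failure like the one above, added here as an example and not code from the post, the Multi SSO plugin or ADFS: it decodes the base64 SAMLResponse, reports the top-level and any nested StatusCode plus StatusMessage, and lists the AuthnContextClassRef values in the SP's AuthnRequest, since MSIS7102 complains about the requested authentication method and on the SAML wire that is the RequestedAuthnContext element. Both XML samples are constructed; a Responder status means the IdP refused the request, so the IdP event log (here the MSIS7102 record) is where to look rather than the SP's certificate.

```python
import base64
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_saml_param(value):
    """Decode the base64 SAMLResponse / SAMLRequest form field into XML text."""
    return base64.b64decode(value).decode("utf-8")

def parse_status(response_xml):
    """Return the top-level StatusCode, a nested StatusCode if present, and StatusMessage."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in Response")
    top = status.find("samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS)  # second-level code, when the IdP adds one
    msg = status.find("samlp:StatusMessage", NS)
    return {
        "code": top.get("Value"),
        "nested_code": nested.get("Value") if nested is not None else None,
        "message": msg.text.strip() if msg is not None and msg.text else None,
        "success": top.get("Value") == SUCCESS,
    }

def requested_auth_contexts(request_xml):
    """List the AuthnContextClassRef values the SP's AuthnRequest asks the IdP for."""
    root = ET.fromstring(request_xml)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [r.text.strip() for r in refs if r.text]

# Constructed sample: a Response carrying the Responder status seen in the post.
RESPONDER_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'ID="_r1" Version="2.0" IssueInstant="2015-10-19T04:48:00Z">'
                 '<samlp:Status><samlp:StatusCode '
                 'Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>'
                 '</samlp:Response>')
RESPONDER_B64 = base64.b64encode(RESPONDER_XML.encode()).decode()

# Constructed sample: an AuthnRequest that pins one authentication method.
REQUEST_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0" '
               'IssueInstant="2015-10-19T04:48:00Z"><samlp:RequestedAuthnContext Comparison="exact">'
               '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:'
               'PasswordProtectedTransport</saml:AuthnContextClassRef>'
               '</samlp:RequestedAuthnContext></samlp:AuthnRequest>')

if __name__ == "__main__":
    print(parse_status(decode_saml_param(RESPONDER_B64)))
    print(requested_auth_contexts(REQUEST_XML))
```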
10-19-2015 07:14 PM
02-01-2018 07:34 AM
Hi Elena,
I'm experiencing exactly the same issue. Did you have a workaround for this?
Thanks,
Harshini