SSO Login Failure When Renewing the SP Certificate Through ADFS as IDP
Feedback?
SSO login failure when renewing the SP certificate through ADFS as IDP.
SSO failure when updating new SP certificate on IdP (ADFS).
Error : Invalid status code in response.
Steps to investigate:
- Capture a SAML trace to find the SAML response:
- Add the SAML Message Decoder plugin to the browser:
For Chrome: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en
For Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-message-decoder-extension/ - Open the plugin and click on Copy this message.
- Open Notepad++, to install Click here.
- Paste the message to find the SAML response in XML language directly.
- Check if the attributes are present in the SAML response from IdP.
- If you do not see any attributes, it means that Webex is not receiving them from IdP. Hence, the issue needs to be investigated from IdP end.
- To check the ADFS Webex relying on party configuration, Click here.
- When configuration looks fine, check the event viewer logs.
- Check for ADFS errors in Windows logs:
- In the Windows logs, look for ADFS event log error code 364. The event details identify an invalid certificate. In these cases, the ADFS host is not allowed through the firewall on port 80 to validate the certificate.
- Allow IdP access to port 80 through a firewall to the internet, so it can perform CRL checks.
- If the port is open, then follow up with Microsoft and its firewall.
- If port 80 isn't open on the firewall or CRL checks isn't working, then disable CRL.
- On ADFS server > Click on Event Viewer > Applications > ADFS > Admin > search for the error log at the time-stamp you replicated the login. If you see the following error:
Error: "Encountered error during federation passive request.
Additional Data
Protocol Name: Saml
Relying Party: https://idbroker.webex.com/39xxxx4ea-4xxe-416e-bd4f-4cxxxxxxx
Exception details:
Protocol Name: Saml
Relying Party: https://idbroker.webex.com/39xxxx4ea-4xxe-416e-bd4f-4cxxxxxxx
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'https://idbroker.webex.com/39xxxx4ea-4xxe-416e-bd4f-4cxxxxxxx' identified by thumbprint '754B9208F1F75C5CC962750F3675C5D129471D80' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult1.End(IAsyncResult result) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList1& identityClaimSet, List1 additionalClaims) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List1 additionalClaims)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)"
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)"
Here is the resolution:
- Open Powershell on ADFS as admin and run the command:
Get-AdfsRelyingPartyTrust -Identifier 'https://idbroker.webex.com/39xxxx4ea-4xxe-416e-bd4f-4cxxxxxxx' | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
Note:
- Make sure to enter the identifier URL in quotes and the identifier URL can be found in the error message, copy and paste it.
- Webex for Government (FedRAMP) Control Hub must use https://admin-usgov.webex.com/.
OR
- Open Powershell on ADFS as admin and run the command:
Get-AdfsRelyingPartyTrust -Name "Cisco Webex" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
Note:Make sure to enter the name of the replying party trust same as the one customer created on his ADFS and in double-quotes.
- Test SSO on the Control hub to verify.
Was this article helpful?