assertion not always signed

Les LaCroix llacroix at carleton.edu
Fri Jan 13 19:13:44 EST 2017


Hi.  We're using IDP 3.2.1 and are having a problem with portal.office.com.
We don't really use Office 365 much, being a GMail shop for email and
GDrive and Dropbox for cloud storage.  We have very occasional use of
Office 365 for other things, and converted to federated login with Shib a
couple months ago.

The problem: when a user logged in to Shib a while back (hours) and then
goes to portal.office.com, they will sometimes fail to connect.  The error
displayed from portal.office.com is:

AADSTS50008: SAML 2.0 assertion validation failed: no supported token
signature is provided.

To fix things, the user can go to another service, log out, and then go
back to portal.office.com.

I have compared the SAML responses between failing and working attempts,
using the SAML Chrome Panel.  To my eye, the only significant difference in
responses is that the assertion is signed when things work and is not
signed when things do not work.

The metadata for urn:federation:MicrosoftOnline was copied from

https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

I'm very far from being an expert but it looks to me like the metadata is
saying that they want assertions signed, so I'm confused as to how we are
sending unsigned assertions.

Where should I be looking next?  What other info should I share?  I've
captured some things but cannot seem to be able to reproduce the problem at
will.

Thanks, -Les

P.S. Superficially this sounds like another thread today about missing
signatures on assertions, but the inclusions on that thread seem to show
that a signature is present and that something else is unhappy.  For us the
signature is completely missing.

------------------------------
Les LaCroix | Strategic Technologist
Carleton College | 1 N. College St. | MS 3-ITS | Northfield, MN 55057
507.222.5455 | free/busy
<https://calendar.google.com/calendar/embed?src=llacroix%40carleton.edu&ctz=America/Chicago>
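Added example, not code from the original post or from the Shibboleth project: a small Python check that does, in a repeatable way, the comparison Les describes doing by eye in the SAML Chrome Panel. It reports whether the Response and each Assertion carry a direct ds:Signature child, reads the SP metadata's WantAssertionsSigned flag, and lists any assertion the SP asked to be signed that is not. The sample Response and metadata fragments are constructed for illustration (the IdP entityID and assertion IDs are made up); in practice you would feed it the decoded Response from the panel and the metadata fetched from the URL above. It only checks for the presence of a signature, not its validity.

```python
"""Report where a SAML 2.0 Response carries XML signatures and compare that
with the SP metadata's WantAssertionsSigned flag.  Constructed example: not
code from the original post or the Shibboleth project.  It only detects the
presence of ds:Signature elements; it does not verify them."""
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


def signature_locations(response_xml: str) -> dict:
    """Return whether the Response itself and each Assertion has a direct
    ds:Signature child, which is where an enveloped XML-DSig signature lives."""
    root = ET.fromstring(response_xml)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": [
            {"id": a.get("ID"), "signed": a.find("ds:Signature", NS) is not None}
            for a in root.findall("saml:Assertion", NS)
        ],
        # An encrypted assertion hides its signature until it is decrypted.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def wants_assertions_signed(metadata_xml: str) -> bool:
    """True if the SP's SPSSODescriptor sets WantAssertionsSigned="true"."""
    sp = ET.fromstring(metadata_xml).find(".//md:SPSSODescriptor", NS)
    return sp is not None and sp.get("WantAssertionsSigned", "false").lower() == "true"


def check(response_xml: str, metadata_xml: str) -> list:
    """List mismatches between what the Response carries and what the SP asks for."""
    sigs = signature_locations(response_xml)
    problems = []
    if sigs["encrypted_assertions"]:
        problems.append(
            f"{sigs['encrypted_assertions']} EncryptedAssertion element(s); decrypt before checking")
    if not sigs["assertions"] and not sigs["encrypted_assertions"]:
        problems.append("Response contains no Assertion")
    if wants_assertions_signed(metadata_xml):
        for a in sigs["assertions"]:
            if not a["signed"]:
                problems.append(
                    f"assertion {a['id']} is unsigned but SP metadata sets WantAssertionsSigned=true")
    return problems


# Constructed sample data (entityID from the thread; IDs and issuer made up).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:federation:MicrosoftOnline">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

SAMPLE_RESPONSE_UNSIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Usage: python check_saml_sig.py decoded_response.xml sp_metadata.xml
    if len(sys.argv) == 3:
        resp, meta = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        resp, meta = SAMPLE_RESPONSE_UNSIGNED, SAMPLE_METADATA
    print(signature_locations(resp))
    for p in check(resp, meta):
        print("PROBLEM:", p)
```

Run it on the decoded Response captured from a failing attempt and on one from a working attempt; the output makes the difference explicit (assertion signed or not, Response signed or not) rather than relying on a visual comparison, and it flags the case where the SP metadata demands signed assertions and the Response does not deliver one.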