forked from pac4j/pac4j
README-ADFS.txt
Using pac4j against Microsoft ADFS 2.0 / 3.0
--------------------------------------------
Follow these rules to successfully authenticate using Microsoft ADFS 2.0 / 3.0.
1. Entity ID
------------
Always specify an explicit Entity ID that does not contain a question mark. By default, pac4j uses the same Entity ID as the
AssertionConsumerService location, which carries the client's name as a query parameter after a question mark. Unfortunately ADFS does not work
well with such IDs and starts an infinite redirection loop when a SAML message with such an Entity ID arrives.
This property is supported since pac4j 1.6.0.
Don't forget to change your metadata accordingly!
2. Maximum authentication time
------------------------------
pac4j has the default maximum authentication time set to 1 hour while ADFS has it set to 8 hours. It can therefore happen that ADFS sends
an assertion which is still valid on the ADFS side but is evaluated as invalid on the pac4j side.
In that case you will see the following error message:
org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old or in the future
There are two ways to make the values equal:
- Change the value in ADFS management console in the trust properties dialog.
- Change the value on pac4j side.
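The following is an added example showing the pac4j-side settings for rules 1 and 2 in one place; it is not code from the pac4j repository. It assumes the SAML2ClientConfiguration API of pac4j 1.8-era releases (setServiceProviderEntityId and setMaximumAuthenticationLifetime); older releases expose the same options under different setter names, so check against the version you run. All URLs, paths and passwords are placeholders.

```java
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.client.SAML2ClientConfiguration;

// Added example (not pac4j project code): builds a SAML2 client for ADFS that
// applies rule 1 (explicit Entity ID) and rule 2 (8-hour maximum lifetime).
public class AdfsSamlClientFactory {

    public static SAML2Client build() {
        // Constructor arguments are assumed from the pac4j 1.8 API; values are placeholders.
        SAML2ClientConfiguration cfg = new SAML2ClientConfiguration(
                "resource:samlKeystore.jks",   // SP signing/decryption keystore
                "keystore-password",           // keystore password
                "private-key-password",        // private key password
                "resource:adfs-metadata.xml"); // IdP metadata exported from ADFS

        // Rule 1: an explicit Entity ID with no '?' in it. Left unset, pac4j derives the
        // Entity ID from the callback URL (".../callback?client_name=SAML2Client"), which
        // ADFS answers with an endless redirect loop.
        cfg.setServiceProviderEntityId("https://sp.example.org/saml/metadata");

        // Rule 2: accept assertions whose issue instant is up to 8 hours old (value in
        // seconds), matching the ADFS default instead of pac4j's 1 hour.
        cfg.setMaximumAuthenticationLifetime(8 * 60 * 60);

        // pac4j writes the generated SP metadata here; after changing the Entity ID this
        // file must be re-imported into the ADFS relying-party trust ("change your metadata").
        cfg.setServiceProviderMetadataPath("sp-metadata.xml");

        SAML2Client client = new SAML2Client(cfg);
        client.setCallbackUrl("https://sp.example.org/callback");
        return client;
    }
}
```

Changing the Entity ID alone is not enough: ADFS matches incoming AuthnRequests against the identifier stored in the relying-party trust, so the updated SP metadata has to be re-imported on the ADFS side before the loop stops.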
3. Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
---------------------------------------------------------------------------------
You must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into the JRE/JDK
running pac4j. If you don't, you may encounter errors like these:
ERROR [org.opensaml.xml.encryption.Decrypter] - <Error decrypting the encrypted data element>
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
ERROR [org.opensaml.xml.encryption.Decrypter] - <Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver>
ERROR [org.opensaml.saml2.encryption.Decrypter] - <SAML Decrypter encountered an error decrypting element content>
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files can be downloaded from Oracle's Java Download site.
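A quick way to tell, before wiring up pac4j, whether the JRE you deploy on is still running with the limited policy is to ask the JCE for its maximum permitted AES key length. The check below is an added example, not pac4j project code; it uses only the standard javax.crypto.Cipher API. With the limited policy files in place it reports 128, which is exactly the condition that produces the "Illegal key size" error above when ADFS encrypts an assertion with a 256-bit key.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

// Added example (not pac4j project code): reports whether the running JRE
// permits AES keys longer than 128 bits, i.e. whether the unlimited-strength
// policy files are in effect.
public class JcePolicyCheck {

    /** Returns true when the JRE allows AES keys longer than 128 bits. */
    public static boolean unlimitedStrengthInstalled() throws NoSuchAlgorithmException {
        // Limited policy files: 128. Unlimited policy files (and Java 8u161+/Java 9+,
        // where unlimited is the default): Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length permitted by this JRE: " + max);
        if (!unlimitedStrengthInstalled()) {
            System.out.println("Limited policy in effect: decrypting ADFS assertions encrypted"
                    + " with a 256-bit key will fail with 'Illegal key size'.");
            System.exit(1);
        }
        System.out.println("Unlimited strength policy in effect.");
    }
}
```

Run it with the same java binary that starts your application server, since the policy files live inside that specific JRE's lib/security directory and a check against another installation proves nothing.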
4. Error "Subject NameID, BaseID and EncryptedID cannot be all null at the same time if there are no Subject Confirmations."
----------------------------------------------------------------------------------------------------------------------------
Make sure the relying-party trust for your SP in the ADFS server has been configured to return the "Name ID" attribute in its SAML responses.
This attribute is required by pac4j's SAML client but is not included by ADFS by default.