I am trying to connect gitlab to ADFS for single sign on(SSO).in gitlab config i have these values defined.
assertion_consumer_service_url:'https://myhost/users/auth/saml/callback',
idp_cert_fingerprint: '',
idp_sso_target_url: 'https://myadfshost/adfs/ls',
issuer: 'https://myhost',
I added a relying party trust in ADFS. and added an user to AD for authnetication . when i go to https://mygitlabhost. i get the ADFS Page with the login option. after entering the user password i get redirected to the gitlab login page with this error:
Could not authenticate you from SAML because "The status code of the response was not success, was responder".
When i check the event log of ADFS i get this error:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://mygitlabhost
Exception details:
Microsoft.IdentityServer.Web.UnsupportedSamlRequestException: MSIS7076: The configured passive endpoint 'https://win-i52r11kn5sa.rohit.local/adfs/ls/' is not a prefix of the incoming SAML message Destination URI 'https://myadfshost/adfs/ls'.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateIncomingSamlMessage(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Could this be because of misconfigured ssl certificates? if not the wat could be the issue?
This could be because of metadata or configuration.
Did you send the ADFS metadata URL to the SAML side?
The SAML side is configured to send to https://myadfshost/adfs/ls.
The configured ADFS endpoint is https://win-i52r11kn5sa.rohit.local/adfs/ls/.
So the SAML side should be sending to https://win-i52r11kn5sa.rohit.local/adfs/ls.