I can't make SAML2 work with ADFS

by Kimber Warden -
I'm using Moodle 3.5, SAML2 (version 2018071100) and ADFS 2.0. No matter which NameID Policy I use, I get an error that says "Requester/InvalidNameIDPolicy". My ADFS server administrator says that the server doesn't know what to do with 2 of the endpoints given in my metadata XML:


<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev.skonline.org/auth/saml2/sp/saml2-acs.php/dev.skonline.org" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://dev.skonline.org/auth/saml2/sp/saml1-acs.php/dev.skonline.org" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://dev.skonline.org/auth/saml2/sp/saml2-acs.php/dev.skonline.org" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://dev.skonline.org/auth/saml2/sp/saml1-acs.php/dev.skonline.org" index="3"/>

The 2nd and 4th ones are problematic. Has anyone else gotten this to work recently or know of a solution?

I tried applying the SimpleSAMLphp patch linked at the bottom of this page, which is supposed to address the NameIDPolicy issue, but that just generated a new error:

SAML2 exception: Responder

Debug info:
#0 [dirroot]/auth/saml2/extlib/simplesamlphp/modules/saml/lib/Message.php(584): sspmod_saml_Message::getResponseError(Object(SAML2\Response))
#1 [dirroot]/auth/saml2/extlib/simplesamlphp/modules/saml/www/sp/saml2-acs.php(129): sspmod_saml_Message::processResponse(Object(SimpleSAML_Configuration), Object(SimpleSAML_Configuration), Object(SAML2\Response))
#2 [dirroot]/auth/saml2/sp/saml2-acs.php(32): require('[dirroot]...')
#3 {main}
Error code: exception
Stack trace:
  • line 34 of /auth/saml2/sp/saml2-acs.php: saml2_exception thrown

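Two offline checks that go with the post above, written as an added example (this is not code from the original thread, from Moodle or from SimpleSAMLphp). The first trims the SAML 1.0 AssertionConsumerService endpoints out of the SP metadata before it is imported into ADFS, since those are the two endpoints the ADFS administrator objected to; the SAML 2.0 HTTP-POST and HTTP-Artifact entries are kept and renumbered. The second decodes the samlp:Status of a failed Response into the "TopLevel/SubStatus" form that SimpleSAMLphp prints in its "SAML2 exception" message, so a captured Response can be matched against "Requester/InvalidNameIDPolicy" or "Responder" without guessing. The metadata sample is constructed from the four endpoints quoted in the post; its entityID, and the whole failed-Response sample, are assumed for illustration.

```python
"""Offline helpers for the SP-side artifacts discussed in the thread:
trim SAML 1.0 ACS endpoints from SimpleSAMLphp SP metadata, and render
a failed samlp:Response status the way SimpleSAMLphp reports it."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
SAML1_BINDING_PREFIX = "urn:oasis:names:tc:SAML:1.0:"
ET.register_namespace("md", MD_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Constructed sample built around the four ACS endpoints quoted in the post.
# The entityID is an assumption made for this example.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dev.skonline.org/auth/saml2/sp/metadata.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev.skonline.org/auth/saml2/sp/saml2-acs.php/dev.skonline.org" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://dev.skonline.org/auth/saml2/sp/saml1-acs.php/dev.skonline.org" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://dev.skonline.org/auth/saml2/sp/saml2-acs.php/dev.skonline.org" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://dev.skonline.org/auth/saml2/sp/saml1-acs.php/dev.skonline.org" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed (assumed) sample of the Status block an IdP returns for the
# error named in the post: top-level Requester, second-level InvalidNameIDPolicy.
SAMPLE_FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example" Version="2.0" IssueInstant="2018-08-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def acs_bindings(metadata_xml):
    """Return the ACS Binding URIs in the metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Binding") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


def acs_indexes(metadata_xml):
    """Return the ACS index attributes in document order (to verify renumbering)."""
    root = ET.fromstring(metadata_xml)
    return [e.get("index") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


def strip_saml1_endpoints(metadata_xml):
    """Drop every ACS whose Binding is a SAML 1.0 profile, renumber the survivors'
    index attributes from 0, and return (cleaned_xml, removed_bindings)."""
    root = ET.fromstring(metadata_xml)
    removed = []
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        keep_index = 0
        for acs in list(sp.findall(f"{{{MD_NS}}}AssertionConsumerService")):
            if acs.get("Binding", "").startswith(SAML1_BINDING_PREFIX):
                removed.append(acs.get("Binding"))
                sp.remove(acs)
            else:
                acs.set("index", str(keep_index))
                keep_index += 1
    return ET.tostring(root, encoding="unicode"), removed


def status_summary(response_xml):
    """Return 'TopLevel/SubStatus' (or just 'TopLevel') for a samlp:Response,
    with the urn:oasis:names:tc:SAML:2.0:status: prefix stripped, which is the
    form SimpleSAMLphp prints in its 'SAML2 exception' messages."""
    root = ET.fromstring(response_xml)
    top = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if top is None:
        raise ValueError("Response has no samlp:Status/samlp:StatusCode")
    parts = [top.get("Value", "")]
    sub = top.find(f"{{{SAMLP_NS}}}StatusCode")
    if sub is not None:
        parts.append(sub.get("Value", ""))
    return "/".join(p.replace(STATUS_PREFIX, "") for p in parts)


if __name__ == "__main__":
    cleaned, removed = strip_saml1_endpoints(SAMPLE_SP_METADATA)
    print("removed:", removed)
    print("remaining:", acs_bindings(cleaned), acs_indexes(cleaned))
    print(cleaned)
    print("status:", status_summary(SAMPLE_FAILED_RESPONSE))
```

Run it against the real metadata file instead of the constructed sample to produce a trimmed copy for the ADFS side; the SP itself keeps serving its full metadata, so re-import is only needed on the IdP. If the metadata is signed, strip the endpoints before signing rather than after, since editing a signed document breaks the signature. The status decoder is for a captured Response (for example the base64-decoded SAMLResponse form field) and only reads the Status element; it does nothing about signatures or assertions.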
In reply to Kimber Warden

Re: I can't make SAML2 work with ADFS

by Leigh Satch -

Hi Kimber, I can only add that we got SAML2 federated auth working with Moodle fairly easily, and in the last 2 weeks, using ADFS 3 (Windows 2012 R2).

Can you politely suggest whether your ADFS administrator is considering an upgrade from v2 to 3 or 4, or could run one side by side with v2 to compare? Beyond this, we note v4 is what Windows Server 2016 delivers (it has some nice improvements that make it easier), and Windows Server 2019 is in preview, which may deliver an ADFS v5 equivalent.


Regards, Leigh.