ACS STS & Azure ACS50008 User Error: Invalid SAML Token

I have a regular STS implementation. It is currently configured as an additional authentication provider in Azure ACS. I have a relying party website that successfully authenticates through ACS (Windows Live, Google, etc.). However, whenever I try to log in using my custom STS, I always get error 401.

  • Error code ACS20001: An error occurred while processing the login response in WS-Federation.
  • Error code ACS50008: SAML token is not valid.

I searched through the forums, but in my case I no longer get the error details and don’t know how to do this and fix it.

My STS is currently in beta mode and can be found here: metadata.

If anyone has suggestions or would like to try, please contact me by email and I will open a demo login for my custom provider.

Note: The case is different from the similar question found here, since my data on internal exceptions does not indicate any reason.

UPDATE: check the discussion in this thread for additional information and useful data captured with Fiddler.

Thanks in advance,

Konstantinos

+4

2 answers

I finally figured this out with ms support on Azure.

It seems that the "ACS50008: SAML token is invalid" error is quite general, and usually the internal exception carries more information that does not end up on the error screen. Why this happens is still a mystery to me.

Therefore, for all who are in my position, I pinned down two possible reasons for this.

  • Reason: the client's time does not match ACS time; specifically, the NotBefore value in <saml:Conditions NotBefore="...." NotOnOrAfter="...."> is in the future as seen by ACS. Action: if this is the case, you can try to set the lifetime to (now - a buffer time, such as 5 minutes) through (now + 1 hour).
  • Reason: a hidden internal exception that can only be seen by ms support using your error trackingId.

Microsoft.cloud.accesscontrol.common principal named "https://login.mydomain.com/" unknown principal.

In my case, the principal name should not contain a slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!

+3
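The two failure modes in the answer above (a NotBefore that is in the future from the verifier's point of view, and an issuer name that differs from the registered principal only by a trailing slash) are easy to reproduce on the relying-party side. The following is an added example, not code from the question, the answer or ACS; it assumes a SAML 2.0 assertion with `<saml:Issuer>` and `<saml:Conditions>` children, uses a constructed sample token, and models the verifier's check with a 5-minute clock-skew tolerance and the issuer window the answer recommends (now - 5 minutes through now + 1 hour). A real STS built on WIF would do this in .NET; Python is used here only so the check can be run stand-alone.

```python
"""Clock-skew-tolerant check of SAML <Conditions> plus a trailing-slash
diagnostic for the issuer/principal name (added example, constructed data)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC, as used in SAML

# Constructed sample assertion (not a real token). Issued at 12:05 UTC with the
# window the answer suggests: NotBefore = now - 5 min, NotOnOrAfter = now + 1 h.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2012-01-01T12:05:00Z">
  <saml:Issuer>https://login.mydomain.com</saml:Issuer>
  <saml:Conditions NotBefore="2012-01-01T12:00:00Z" NotOnOrAfter="2012-01-01T13:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, SAML_TIME_FMT).replace(tzinfo=timezone.utc)


def format_saml_time(dt):
    return dt.astimezone(timezone.utc).strftime(SAML_TIME_FMT)


def conditions_window(now, buffer=timedelta(minutes=5), lifetime=timedelta(hours=1)):
    """What the STS should emit: (NotBefore, NotOnOrAfter) backed off by `buffer`
    so that a verifier whose clock runs slightly behind still accepts the token."""
    return format_saml_time(now - buffer), format_saml_time(now + lifetime)


def check_conditions(assertion_xml, now, allowed_skew=timedelta(minutes=5)):
    """Emulate the verifier: reject tokens not yet valid or already expired,
    tolerating `allowed_skew` of clock difference in either direction."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + allowed_skew < not_before:
        # This is the first failure mode from the answer: the verifier's clock
        # is behind the STS clock by more than the tolerance.
        return False, "NotBefore %s is in the future relative to the verifier clock" % format_saml_time(not_before)
    if now - allowed_skew >= not_on_or_after:
        return False, "token expired at %s" % format_saml_time(not_on_or_after)
    return True, "ok"


def normalize_principal(name):
    """Strip a trailing slash; ACS compared the names literally, so the
    registered principal must match the token's Issuer exactly."""
    return name.rstrip("/")


def check_issuer(assertion_xml, registered_principal):
    """Exact comparison of <saml:Issuer> with the registered principal name,
    with a diagnostic for the trailing-slash mismatch from the answer."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer == registered_principal:
        return True, "ok"
    if normalize_principal(issuer) == normalize_principal(registered_principal):
        return False, ("issuer %r differs from registered principal %r only by a trailing slash; "
                       "register %r instead" % (issuer, registered_principal, normalize_principal(registered_principal)))
    return False, "unknown principal %r" % issuer


if __name__ == "__main__":
    verifier_now = datetime(2012, 1, 1, 11, 52, tzinfo=timezone.utc)  # clock 13 min behind the STS
    print(check_conditions(SAMPLE_ASSERTION, verifier_now))
    print(check_issuer(SAMPLE_ASSERTION, "https://login.mydomain.com/"))
    print(conditions_window(datetime(2012, 1, 1, 12, 5, tzinfo=timezone.utc)))
```

Run as-is it prints a NotBefore rejection for a verifier whose clock is 13 minutes behind, the trailing-slash diagnostic for the mis-registered principal, and the window `('2012-01-01T12:00:00Z', '2012-01-01T13:05:00Z')` that an STS issuing at 12:05 should put into `<saml:Conditions>`.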

You can always create a support request with Microsoft and ask for help: https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn

+1

Source: https://habr.com/ru/post/1396193/
