ADC SAML Error : “Malformed Assertion sent to NetScaler; Please contact your administrator”

Article ID: CTX237335

Description

End users get the error message “Malformed Assertion sent to NetScaler; Please contact your administrator” after authenticating at the IDP (ADFS v3).
Resolution

> Check the SAML response using SAML Tracer.
> In this specific case, the SAML response status was “Responder” instead of “Success”. “Responder” is a generic status code indicating that the IDP failed to process the request; accordingly, no NameID was returned from the IDP either. The ADC is expected to mark such a response as Malformed:

<samlp:Response ...>
  <!-- preceding elements omitted -->
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>


> In such cases, check the error logs on the IDP (ADFS) side to determine the actual cause (possible certificate, algorithm or binding type mismatch).
> In this specific case we found that ADFS was not trusting the relying party's certificate, i.e. the certificate bound to the ADC VIP (www.xyz.com), and was logging the following error message:

"The signing certificate of the claims provider trust "https://www.xyz.com" identified by thumbprint 'xxxxxxxxxxxxxxxxxxxxxx' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted"

> To fix this, ADFS must be made to trust this certificate. If you are using an internal Certificate Authority, or you are not exposing your internal CA's CRLs, you need to explicitly disable Certificate Revocation List checking for the Relying Party. Launch a PowerShell console (administrative privileges are required; don't forget “Run as Administrator”) and issue the following command:

PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName "sp-adfs.rocks.local" -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

Additionally, make sure that the Federation Service is not encrypting claims:

PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName "sp-adfs.rocks.local" -EncryptClaims $false

Note that this differs explicitly from ADFS v2: SAML will fail with a “Malformed Assertion” error if certificate revocation checking is enabled.

> The above point is also mentioned in the following blog:

https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/
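As an added example (not part of this Citrix article or of any NetScaler/ADFS tooling), the Python script below automates the first troubleshooting step above: it takes the SAMLResponse captured with SAML Tracer, extracts the top-level StatusCode and checks whether the assertion carries a NameID, so a “Responder” response like the one in this case is flagged before turning to the ADFS logs. The two sample responses and the user name in them are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an ADFS response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"


def triage_saml_response(xml_text: str) -> dict:
    """Extract the top-level StatusCode and the assertion's NameID (if any).
    For untrusted input, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(xml_text)
    code_el = root.find("samlp:Status/samlp:StatusCode", NS)
    code = code_el.get("Value", "") if code_el is not None else ""
    short = code[len(STATUS_PREFIX):] if code.startswith(STATUS_PREFIX) else code
    msg_el = root.find("samlp:Status/samlp:StatusMessage", NS)
    name_el = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "status": short or "<missing>",
        "success": short == "Success",          # anything else is a failure
        "status_message": msg_el.text if msg_el is not None else None,
        "name_id": name_el.text if name_el is not None else None,
    }


def triage_form_value(saml_response_field: str) -> dict:
    """Same check, starting from the base64 SAMLResponse form field SAML Tracer shows."""
    return triage_saml_response(base64.b64decode(saml_response_field).decode("utf-8"))


# Constructed sample: the failing shape from this article (Responder status, no assertion)
RESPONDER_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: a healthy response carrying a NameID in the assertion
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.local</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# The same failing response as SAML Tracer would show it in the POST body (constructed)
RESPONDER_FORM_VALUE = base64.b64encode(RESPONDER_RESPONSE.encode("utf-8")).decode("ascii")
```

A “Responder” status with no NameID, as in this case, points at the IDP rejecting the request, so the next place to look is the ADFS event log rather than the ADC configuration.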

Problem Cause

ADFS (IDP) is not trusting the relying party's certificate, i.e. the certificate bound to the NetScaler VIP.

Issue/Introduction

ADC (SP) SAML integration with ADFS v3 (IDP) fails with the error “Malformed Assertion sent to NetScaler; Please contact your administrator”.

Additional Information

https://support.citrix.com/article/CTX207196

https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/