ADFS Authentication Issue With Authn Signing Enabled In UiPath Automation Cloud

How to resolve ADFS authentication failure when Authn Signing is enabled and ADFS is not configured to handle it?

Users may experience an authentication failure with ADFS when Authn Signing (signing of the SAML AuthnRequest) is enabled in UiPath Automation Cloud. The sign-in ends with a "500 InternalServerError" message, and the SAML2 response carries a "Responder" status code instead of "Success":

{"StatusCode":500,"StatusDescription":"InternalServerError","Message":"The Saml2Response must have status success to extract claims.\n Saml2 Status Code: Responder\n Saml2 Status Message: \n Saml2 Second Level Status: "}


This usually happens when ADFS cannot process the SAML AuthnRequest; in this scenario it is because the request is signed and ADFS has not been given the certificate that signed it. A SAML status of "Responder" means that ADFS itself rejected the request; the detailed reason is not returned to the Service Provider, so on the ADFS server check the AD FS Admin event log. You can confirm that the request is signed in the SAML-tracer screenshot below: a signed AuthnRequest contains a ds:Signature element with a SignedInfo section (whose SignatureMethod names the signature and hash algorithm) and a KeyInfo section carrying the Service Provider's X.509 signing certificate. If SignedInfo is present, the request is signed:


To resolve this issue, register the X.509 signing certificate shown in the highlighted section of the trace as a request signing certificate on the Service Provider's relying party trust in ADFS, and select the hash algorithm that matches the request's SignatureMethod. Follow the steps below:

  1. Open the ADFS Management console on your ADFS server (under "Administrative Tools") and have the Service Provider's X.509 signing certificate at hand; it is the certificate in the KeyInfo section of the signed request (the same one published in the Service Provider's SAML metadata), exported as a .cer file.
  2. In the ADFS Management console, navigate to the Relying Party Trusts section.
  3. Locate and right-click the Service Provider relying party trust, and click "Properties."
  4. Go to the "Signature" tab, click "Add...", and select the Service Provider's signing certificate. This tells ADFS which certificate to use when verifying the signature on incoming AuthnRequests.
  5. Go to the "Advanced" tab.
  6. Change the setting "Secure hash algorithm" to the algorithm used by the Service Provider; in this case it should be SHA-256, because the SignatureMethod in the trace is rsa-sha256.
  7. Click "Apply" and "OK" to save the changes.

After saving the changes, retry the sign-in. ADFS can now verify the signature on the AuthnRequest and returns a response with status "Success" instead of "Responder". Note that request signing certificates expire and are rotated: when the Service Provider starts signing with a new certificate, it has to be added on the "Signature" tab as well, or the same error will come back.
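The same procedure as a PowerShell script, added here as an example; it is not part of the original article or of UiPath's documentation. It reads the SignatureMethod and the signing certificate straight out of a captured, signed AuthnRequest (the SAMLRequest form value copied from SAML-tracer, HTTP-POST binding) and applies both to the relying party trust with the ADFS cmdlets, which is the command-line equivalent of the "Signature" and "Advanced" tabs. The relying party display name 'UiPath Automation Cloud' is an assumed placeholder; run the script on the ADFS server as an ADFS administrator.

```powershell
# Added example, not from the original article. Reads the signature algorithm and
# the Service Provider's signing certificate out of a captured, signed AuthnRequest
# (HTTP-POST binding, where ds:Signature is embedded in the XML as seen in SAML-tracer)
# and registers both on the ADFS relying party trust. The relying party name below
# is an assumed placeholder.
param(
    [Parameter(Mandatory)][string]$SamlRequest,            # SAMLRequest form value from SAML-tracer
    [string]$RelyingPartyName = 'UiPath Automation Cloud'  # assumed display name of the RP trust
)

# The only two values ADFS accepts for the relying party's "Secure hash algorithm".
$AdfsSignatureAlgorithms = @(
    'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
)

# HTTP-POST binding: SAMLRequest is plain base64 of the XML (no DEFLATE). If the value
# came from a URL (HTTP-Redirect binding) the signature is not inside the XML at all but
# in the SigAlg/Signature query parameters, and the certificate has to be taken from the
# Service Provider's metadata instead; that case is not covered here.
$xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlRequest))
$xml = New-Object System.Xml.XmlDocument
$xml.LoadXml($xmlText)

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
$ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

# A signed request has ds:Signature with SignedInfo (algorithm) and KeyInfo (certificate).
$sig = $xml.SelectSingleNode('/samlp:AuthnRequest/ds:Signature', $ns)
if (-not $sig) {
    throw 'AuthnRequest is not signed (no ds:Signature/SignedInfo); this is not the scenario described here.'
}
$algorithm = $sig.SelectSingleNode('ds:SignedInfo/ds:SignatureMethod/@Algorithm', $ns).Value
$certB64   = $sig.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
if (-not $certB64) {
    throw 'Signed request carries no X509Certificate in KeyInfo; import the SP signing certificate from its metadata instead.'
}
if ($AdfsSignatureAlgorithms -notcontains $algorithm) {
    throw "SignatureMethod '$algorithm' is not an algorithm ADFS supports for request signing."
}

# Build the certificate object from the base64 DER in KeyInfo (line breaks removed).
$certBytes = [Convert]::FromBase64String(($certB64 -replace '\s', ''))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$certBytes)
Write-Host "SP signing cert : $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
Write-Host "SignatureMethod : $algorithm"

# Command-line equivalent of Properties -> "Signature" tab -> Add, and
# Properties -> "Advanced" tab -> Secure hash algorithm.
Import-Module ADFS
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found." }

# Keep any certificate already registered (e.g. during a rotation), skip a duplicate.
$signingCerts = @($rp.RequestSigningCertificate |
    Where-Object { $_ -and $_.Thumbprint -ne $cert.Thumbprint }) + $cert

Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName `
    -RequestSigningCertificate $signingCerts `
    -SignatureAlgorithm $algorithm

# Verify: the new thumbprint is listed and the algorithm now matches the request.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
if ($rp.SignatureAlgorithm -ne $algorithm) {
    throw "SignatureAlgorithm is still $($rp.SignatureAlgorithm)"
}
```

Save it as, for example, Set-SpRequestSigning.ps1 and run `.\Set-SpRequestSigning.ps1 -SamlRequest '<pasted SAMLRequest value>'`. The script stops if the request is unsigned, if it carries no certificate, or if its algorithm is not one ADFS accepts, which catches the case where the wrong trace was captured; it also preserves certificates already registered on the trust, so it can be used again when the Service Provider rotates its signing certificate.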