We're using PicketLink 2.1.6, which acts as IdP in WS-Fed with ADFS (IdP proxy) as bearer. The latter transforms WS-Fed into SAML2 and passes it to the RP.
The problem is that SAML2 requires Subject Confirmation Data (SAML 2.0 spec chap. 18.104.22.168). The error that we're getting on ADFS is:
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data Exception details: System.IdentityModel.Tokens.SecurityTokenException: MSIS3121: SubjectConfirmationData element was missing in received token. at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ValidateRequestProperties(Saml2SecurityToken token) at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest) at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
We could have migrated to SAML 1.1 where SubjectConfirmationData is nonexistent, but ADFS does not support it.
Code in ADFS which causes it (decompiled; the "if" keywords and the "[0]" indexers appear to have been lost when pasting, so they are restored here):

// First check: exactly one SubjectConfirmation, and it must carry SubjectConfirmationData
if ((token.Assertion == null) || (token.Assertion.Subject == null)
    || (token.Assertion.Subject.SubjectConfirmations.Count != 1)
    || (token.Assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData == null))
{
    throw new SecurityTokenException(Microsoft.IdentityServer.Service.SR.GetString("MSIS3121", new object[0]));
}
// Second check: the confirmation method must be bearer
Saml2SubjectConfirmation confirmation = token.Assertion.Subject.SubjectConfirmations[0];
if ((confirmation.Method == null) || !string.Equals(confirmation.Method.ToString(), Saml2Constants.ConfirmationMethods.Bearer.ToString(), StringComparison.Ordinal))
{
    throw new SecurityTokenException(Microsoft.IdentityServer.Service.SR.GetString("MSIS3045", new object[0]));
}
The problem seems to be in lines 153 to 166 of saml20tokenprovider.java in PicketLink.
I've been looking for a bug report or fix, but haven't seen this problem anywhere else?
Thank you for your help.
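As an added example (not from the post, and not PicketLink or ADFS code), the ADFS Subject checks quoted above re-implemented in Python and run over two constructed assertions, so an IdP operator can tell which tokens would trigger MSIS3121 or MSIS3045 before ADFS rejects them. Element names follow the SAML 2.0 assertion namespace; the issuer and recipient URLs are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: what the post describes, a bearer SubjectConfirmation with no data element
MISSING_DATA = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
<saml:Issuer>https://idp.example.test</saml:Issuer>
<saml:Subject><saml:NameID>alice</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml:Subject></saml:Assertion>"""

# Constructed sample: the shape ADFS accepts (bearer method plus SubjectConfirmationData)
WITH_DATA = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
<saml:Issuer>https://idp.example.test</saml:Issuer>
<saml:Subject><saml:NameID>alice</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://adfs.example.test/adfs/ls/"/>
</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""


def check_subject_confirmation(assertion_xml, now=None):
    """Return a list of problems; an empty list means the Subject passes the ADFS checks."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return ["MSIS3121: Subject missing"]
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if len(confirmations) != 1:
        return ["MSIS3121: expected exactly one SubjectConfirmation, found %d" % len(confirmations)]
    conf = confirmations[0]
    data = conf.find("saml:SubjectConfirmationData", NS)
    if data is None:
        return ["MSIS3121: SubjectConfirmationData missing"]
    problems = []
    if conf.get("Method") != BEARER:
        problems.append("MSIS3045: confirmation method is not bearer")
    # Checks a bearer consumer normally applies to the data element itself
    now = now or datetime.now(timezone.utc)
    expiry = data.get("NotOnOrAfter")
    if expiry is None:
        problems.append("NotOnOrAfter missing")
    elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append("assertion expired")
    if not data.get("Recipient"):
        problems.append("Recipient missing")
    return problems
```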