cancel
Showing results for 
Search instead for 
Did you mean: 

Hybris 5.7.2 integration with ADFS2.0 encryption error

Former Member
0 Kudos

We are using Hybris5.7.2 with ADFS 2.0 (on AWS) . I understand that Hybris Spring SAML supports currently only SHA-1 as hash algorithm, but my requirement is using SHA-256. If I try configure only in ADFS for SHA-1, it doesn't work. How do I do something with samlsinglesignon extension to send SAML token with SHA-256 encryption ? Your help is greatly appreciated. Using default SHA-1 encryption from Hybris gives the following error in the ADFS 2.0 logs. Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:Ssoextension:hybris:De. at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) with sha1 it gives If I configure ADFS2.0 for SHA-1 it gives the follwoing error in ADFS2.0 logs


Encountered error during federation passive request. Additional Data Protocol Name: Saml Relying Party: urn:Ssoextension:hybris:De Exception details: Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)   Encountered error during federation passive request. Additional Data Protocol Name: Saml Relying Party: urn:Ssoextension:hybris:De Exception details: Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:Ssoextension:hybris:De. at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


Former Member
0 Kudos

I haven't gone deep into hybris SAML documentation yet. Please check if http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#config... serves your purpose

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member

We have the same issue in 1811.2 it still sends SHA1 🙂 It looks SAP doesn't care about essential functionalities and their own bugs and misconfigurations, but instead invest in Spartacus and other weird things.

0 Kudos

Same here! Would be great a response from SAP 😉