# AD FS event 320
> [!IMPORTANT]
> Documentation Update: Product documentation, which was located in this repository under `/website`, is now located in `hashicorp/web-unified-docs`, colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
Troubleshoot problems where your AD FS event logs show error 320.
## Example debugging data

The AD FS event log shows the following error:

```
The verification of the SAML message signature failed.
Message issuer: MyVaultIdentifier
Exception details:
MSIS7086: The relying party trust 'MyVaultIdentifier' indicates that authentication requests sent by this relying party will be signed but no signature is present.
```
## Analysis

Verify that `SignedSamlRequestsRequired` is `false` for your AD FS Relying Party Trust for Vault:

```powershell
Get-AdfsRelyingPartyTrust -Name "<ADFS_VAULT_POLICY_NAME>"
```

For example:

```powershell
Get-AdfsRelyingPartyTrust -Name "Vault"
```
## Solution

Set `SignedSamlRequestsRequired` to `false`:

```powershell
Set-AdfsRelyingPartyTrust `
  -TargetName "<ADFS_VAULT_POLICY_NAME>" `
  -SignedSamlRequestsRequired $false
```

For example:

```powershell
Set-AdfsRelyingPartyTrust `
  -TargetName "Vault" `
  -SignedSamlRequestsRequired $false
```
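The Analysis and Solution steps above, combined into one audit-then-remediate script as an added example that is not part of the Vault documentation. It assumes the AD FS PowerShell module is installed on the federation server and that the relying party trust is named "Vault"; the `-Fix` switch is the script's own parameter, not an AD FS option.

```powershell
# Added example (not from the Vault docs): check whether the AD FS relying party
# trust for Vault demands signed SAML requests, the condition behind event 320 /
# MSIS7086, and optionally apply the documented fix.
param(
    [string]$TrustName = "Vault",   # assumed name of the relying party trust
    [switch]$Fix                    # change the trust only when explicitly asked
)

Import-Module ADFS

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) {
    Write-Error "No relying party trust named '$TrustName' was found."
    exit 1
}

# Show the settings relevant to event 320 before touching anything.
$trust | Select-Object Name, Identifier, SignedSamlRequestsRequired, SamlEndpoints | Format-List

if ($trust.SignedSamlRequestsRequired) {
    Write-Warning "'$TrustName' requires signed SAML requests; unsigned AuthnRequests from Vault will fail with MSIS7086."
    if ($Fix) {
        # Same change the Solution section makes by hand.
        Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignedSamlRequestsRequired $false
        Write-Output "SignedSamlRequestsRequired is now False for '$TrustName'."
    } else {
        Write-Output "Re-run with -Fix to set SignedSamlRequestsRequired to False."
    }
} else {
    Write-Output "'$TrustName' already accepts unsigned SAML requests; look for another cause of event 320."
}
```

Run it without `-Fix` first so the current trust settings are recorded before any change is made.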