Resources For IT Professionals
Post an article
Wikis - Page Details
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  AD FS 2.0: The Admin Event Log Contains Error Event 320. "MSIS1010: Signed SAML message must have Destination URI specified."

AD FS 2.0: The Admin Event Log Contains Error Event 320. "MSIS1010: Signed SAML message must have Destination URI specified."

AD FS 2.0: The Admin Event Log Contains Error Event 320. "MSIS1010: Signed SAML message must have Destination URI specified."

Table of Contents



Symptoms


 The following event is logged in the AD FS 2.0/Admin event log:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          6/15/2011 6:06:40 PM
Event ID:      320
Task Category: None
Level:         Error
Keywords:      AD FS
User:          S-1-5-21-1649024403-837180741-839522115-31657
Computer:      ADFS
Description:
The verification of the SAML message signature failed.
Message issuer: http://sso.contoso.com/SSO/
Exception details:
MSIS1010: Signed SAML message must have Destination URI specified.

This request failed.

User Action
Verify that the message issuer configuration in the AD FS configuration database is up to date.
Configure the signing certificate for the specified issuer.
Verify that the issuer's certificate is up to date.
Verify the issuer and server message signing requirements.



Cause



A Relying Party Trust is sending a SAML 2.0 SamlRequest which is digitally signed, but the SamlRequest does not contain the required Destination URI

From SAML 2.0 specification, SAMLBind:

3.4.5.2 Security Considerations

The presence of the user agent intermediary means that the requester and responder cannot rely on the

transport layer for end-end authentication, integrity and confidentiality. URL-encoded messages MAY be

signed to provide origin authentication and integrity if the encoding method specifies a means for signing.

If the message is signed, the Destination XML attribute in the root SAML element of the protocol

message MUST contain the URL to which the sender has instructed the user agent to deliver the

message. The recipient MUST then verify that the value matches the location at which the message has

been received.



Resolution


The Relying Party Trust, identified in the event by Message issuer, must be configured to either send the Destination URI with the SamlRequest or be configured to not digitally sign the SamlRequest.



, , , , , , , , , , , , , [Edit tags]
Leave a Comment
  • Please add 4 and 7 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
Page 1 of 1 (1 items)