mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-23 23:51:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
85 lines
2.2 KiB
Plaintext
85 lines
2.2 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: "Troubleshoot ADFS and SAML: AD FS event 320"
|
|
description: >-
|
|
Fix connection problems in Vault due AD FS event 320 when using Active
|
|
Directory Federation Services (ADFS) as an SAML provider.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# AD FS event 320
|
|
|
|
Troubleshoot problems where your AD FS event logs show error 320.
|
|
|
|
|
|
|
|
## Example debugging data
|
|
|
|
AD FS event log shows the following error:
|
|
|
|
<CodeBlockConfig hideClipboard highlight="1,4">
|
|
|
|
```shell-session
|
|
The verification of the SAML message signature failed.
|
|
Message issuer: MyVaultIdentifier
|
|
Exception details:
|
|
MSIS7086: The relying party trust 'MyVaultIdentifier' indicates that authentication requests sent by this relying party will be signed but no signature is present.
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
|
|
|
|
## Analysis
|
|
|
|
Verify that `SignedSamlRequestsRequired` is `false` for your AD FS Relying Party
|
|
Trust for Vault:
|
|
|
|
```powershell
|
|
Get-AdfsRelyingPartyTrust -Name "<ADFS_VAULT_POLICY_NAME>"
|
|
```
|
|
|
|
For example:
|
|
|
|
<CodeBlockConfig hideClipboard>
|
|
|
|
```powershell
|
|
Get-AdfsRelyingPartyTrust -Name "Vault"
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
|
|
|
|
## Solution
|
|
|
|
Set `SignedSamlRequestsRequired` to `false`:
|
|
|
|
```powershell
|
|
$ Set-AdfsRelyingPartyTrust `
|
|
-TargetName "<ADFS_VAULT_POLICY_NAME>" `
|
|
-SignedSamlRequestsRequired $false
|
|
```
|
|
|
|
For example:
|
|
|
|
<CodeBlockConfig hideClipboard>
|
|
|
|
```powershell
|
|
$ Set-AdfsRelyingPartyTrust `
|
|
-TargetName "Vault" `
|
|
-SignedSamlRequestsRequired $false
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
|
|
|
|
## Additional resources
|
|
|
|
- [SAML auth method Documentation](/vault/docs/auth/saml)
|
|
- [SAML API Documentation](/vault/api-docs/auth/saml)
|
|
- [Set up an AD FS lab environment](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/set-up-an-ad-fs-lab-environment)
|