
Ruby Rails Devise and SAML with Office 365


I have set up a new Rails application using devise and devise_saml_authenticatable to authenticate against Office 365.

The login unfortunately shows the following error message:

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS7500522: XML element 'AuthnContextClassRef' in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion' in the SAML message must be a URI.

My config/devise.rb file looks as follows:

Devise.setup do |config|
  # devise_saml_authenticatable: create and update the local user from the assertion
  config.saml_create_user = true
  config.saml_update_user = true
  # Local attribute the user is looked up by, taken from the SAML Subject
  config.saml_default_user_key = :email
  config.saml_session_index_key = :session_index
  config.saml_use_subject = true
  config.idp_settings_adapter = nil
  # Settings handed to ruby-saml (OneLogin::RubySAML::Settings)
  config.saml_configure do |settings|
    settings.assertion_consumer_service_url     = "https://localhost:3000/users/saml/auth"
    settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    settings.issuer                             = "https://localhost:3000/saml/metadata"
    settings.authn_context                      = ""
    settings.idp_slo_target_url                 = "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
    settings.idp_sso_target_url                 = "https://login.microsoftonline.com/xxx/saml2"
    settings.idp_cert_fingerprint               = "E4:....."
    settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
  end
end

and the "Reply URL (Assertion Consumer Service URL)" in the Azure configuration is set to

https://localhost:3000/users/saml/auth

Any ideas how to fix this?


Solution

Finally figured it out: All the Devise examples have

    settings.authn_context = ""

set. If I set it to

    settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

then the error disappears.
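As an added example (not part of the question or the answer, and not code from devise_saml_authenticatable or ruby-saml): a small Ruby lint that catches the misconfiguration above before the first redirect to Azure AD. AuthnContextClassRef is typed xs:anyURI in the SAML 2.0 schema, which is why Azure rejects "" with AADSTS7500522; ruby-saml only emits a RequestedAuthnContext element when authn_context is non-nil, so nil is fine but an empty string is not. The SamlSettings struct and REPLY_URL constant are constructed stand-ins for the real settings object and the Azure "Reply URL" value.

```ruby
require "uri"

# Constructed stand-in for the settings object the config.saml_configure
# block receives (the real one is OneLogin::RubySAML::Settings).
SamlSettings = Struct.new(:authn_context, :assertion_consumer_service_url,
                          :idp_sso_target_url, keyword_init: true)

# xs:anyURI as Azure AD enforces it: a parseable URI with a scheme ("urn:", "https:").
def absolute_uri?(value)
  return false if value.nil? || value.strip.empty?
  scheme = URI.parse(value).scheme
  !scheme.nil? && !scheme.empty?
rescue URI::InvalidURIError
  false
end

# nil => ruby-saml omits RequestedAuthnContext entirely, which is allowed.
# A String or Array of Strings => every entry must be an absolute URI.
def authn_context_problems(authn_context)
  return [] if authn_context.nil?
  Array(authn_context).reject { |v| absolute_uri?(v) }
end

# Returns a list of problem strings; empty means the checked settings agree
# with what Azure AD expects. reply_url is the Azure "Reply URL" value.
def lint_saml_settings(settings, reply_url:)
  problems = authn_context_problems(settings.authn_context).map do |bad|
    "authn_context #{bad.inspect} is not a URI " \
    "(e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:Password)"
  end
  acs = settings.assertion_consumer_service_url.to_s
  problems << "ACS URL #{acs} differs from Azure Reply URL #{reply_url}" unless acs == reply_url
  problems << "idp_sso_target_url must use https" unless settings.idp_sso_target_url.to_s.start_with?("https://")
  problems
end

REPLY_URL = "https://localhost:3000/users/saml/auth"

# Settings as posted in the question (empty authn_context) ...
BROKEN = SamlSettings.new(
  authn_context: "",
  assertion_consumer_service_url: REPLY_URL,
  idp_sso_target_url: "https://login.microsoftonline.com/xxx/saml2"
)
# ... and after the change from the answer.
FIXED = BROKEN.dup.tap { |s| s.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" }

puts "broken: #{lint_saml_settings(BROKEN, reply_url: REPLY_URL).inspect}"
puts "fixed:  #{lint_saml_settings(FIXED, reply_url: REPLY_URL).inspect}"
```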