Troubleshooting ADFS Configuration Issues
Before using ADFS, you should be able to establish a successful test connection. This article outlines how to troubleshoot specific error messages that may occur as you establish a test connection to ADFS.
NOTE: If you establish a successful test connection and you are still experiencing issues, you might have incorrect attribute mappings or issues with the federation IDs. Contact customer support with questions.
 
SAML 2.0 Error: Primary StatusCode

 

Cause 1: Secure hash algorithm is set to SHA-256
 
Solution
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationship > Relying Party Trusts in the left-hand pane.
  3. Right-click on the relying party trust related to Workfront, then select Properties.
  4. Click on the Advanced tab, then select SHA-1 from the Secure hash algorithm drop-down menu.
 
Cause 2: ADFS Signing Certificate is about to expire and has been replaced by a new Certificate with overlapping dates
 
Solution
The Workfront SSO Setup page lists the certificate expiration date. If the certificate is about to expire, you need to manually pull the new signing certificate from the ADFS server:
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationship > Relying Party Trusts in the left-hand pane.
  3. Right-click on the relying party trust related to Workfront, and select Properties.
  4. Click on the Signature tab.
  5. Click on the name of the Signing Certificate, and click View.
  6. Click Copy to File..., and select Next.
  7. Select Base-64 encoded X.509 (.CER), and click Next.
  8. Specify the file name, and click Next.
  9. Click Finish.
  10. In Workfront, navigate to Setup > System > Single Sign-On (SSO) and manually upload the Signing Certificate.
Cause 3: Certificate revocation check is failing

Solution
Run the following PowerShell commands, replacing DOMAIN with your domain:
  1. In Windows, click Start > Administrative Tools > Windows PowerShell Modules.
  2. In the PowerShell window, type:
    Set-ADFSRelyingPartyTrust -TargetIdentifier "DOMAIN.my.workfront.com/SAML2" -SigningCertificateRevocationCheck None
    "DOMAIN.my.workfront.com/SAML2" is the identifier of your relying party trust as displayed in the ADFS Management console.
  3. Then run:
    Set-ADFSRelyingPartyTrust -TargetIdentifier "DOMAIN.my.workfront.com/SAML2" -EncryptionCertificateRevocationCheck None

SAML 2.0 Error: User Identifier Not Found
 
Cause: Claims on the ADFS server are incorrect
 
Solution
On the ADFS server, make sure there is a claim for name ID:
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationship > Relying Party Trusts in the left-hand pane.
  3. Right-click on the relying party trust related to Workfront, and select Edit Claim Rules.
  4. Verify the claim has an Outgoing Claim Type of Name ID.
 
Could not validate XML digital signature
 
Cause 1: The certificate is incorrect
 
Solution
Manually retrieve the Signing Certificate from the ADFS Server:
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationship > Relying Party Trusts in the left-hand pane.
  3. Right-click on the relying party trust related to Workfront, and select Properties.
  4. Click on the Signature tab.
  5. Click on the name of the Signing Certificate, and click View.
  6. Click Copy to File..., and select Next.
  7. Select Base-64 encoded X.509 (.CER), and click Next.
  8. Specify the file name, and click Next.
  9. Click Finish.
  10. In Workfront, navigate to Setup > System > Single Sign-On (SSO) and manually upload the Signing Certificate.

Cause 2: The certificate is signed using DSA when Workfront is expecting an RSA signature

Solution

Recreate the certificate and use the RSA signature instead of the DSA.
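The following PowerShell script is an added diagnostic, not part of the Workfront article: it reads back the settings that the causes above refer to (hash algorithm, revocation checks, token-signing certificate expiry and key type, and the Name ID claim rule) so you can confirm the state of the relying party trust without clicking through the console. It assumes you run it in an elevated PowerShell on the ADFS server, and DOMAIN is a placeholder for your own subdomain.

```powershell
# Added diagnostic (not from the Workfront article). Assumption: elevated PowerShell
# on the ADFS server; DOMAIN is a placeholder for your subdomain.
$identifier = "DOMAIN.my.workfront.com/SAML2"

# ADFS 2.0 ships its cmdlets as a snap-in; ADFS on Server 2012 R2+ auto-loads a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rp = Get-ADFSRelyingPartyTrust -Identifier $identifier
if (-not $rp) { throw "No relying party trust with identifier '$identifier'" }

# 'Primary StatusCode', Cause 1: the hash algorithm the trust signs with. The article
# has you select SHA-1 for Workfront compatibility; the URI shows which one is active.
"Signature algorithm             : $($rp.SignatureAlgorithm)"

# 'Primary StatusCode', Cause 3: the two settings the article's Set-ADFSRelyingPartyTrust
# commands change. 'None' disables the check, so a revoked certificate would still be
# accepted; fixing CRL/OCSP reachability is the safer fix where that is an option.
"Signing cert revocation check   : $($rp.SigningCertificateRevocationCheck)"
"Encryption cert revocation check: $($rp.EncryptionCertificateRevocationCheck)"

# 'Primary StatusCode' Cause 2 and 'Could not validate XML digital signature' Causes 1-2:
# which token-signing certificate is primary, when each expires (a secondary one with
# overlapping dates is the rollover situation the article describes), and RSA vs DSA.
foreach ($c in Get-ADFSCertificate -CertificateType Token-Signing) {
    $x = $c.Certificate
    $role = if ($c.IsPrimary) { "primary" } else { "secondary" }
    "{0,-9} thumbprint {1}  expires {2:yyyy-MM-dd}  key {3}" -f `
        $role, $x.Thumbprint, $x.NotAfter, $x.PublicKey.Oid.FriendlyName
}

# 'User Identifier Not Found': the issuance rules must emit a Name ID claim.
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
if ($rp.IssuanceTransformRules -match [regex]::Escape($nameIdType)) {
    "Name ID claim rule              : present"
} else {
    "Name ID claim rule              : MISSING (see 'User Identifier Not Found')"
}
```

Compare the expiry and thumbprint it prints with the certificate shown on the Workfront SSO Setup page; a mismatch means the certificate uploaded to Workfront is not the one ADFS is currently signing with.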

Cause 3: XML Data is incorrect

Solution

Re-export and re-import the XML metadata from the ADFS management system.

Cause 4: The request could not be performed due to an error on the SAML side

Solution

Contact your SAML provider.

 
This article last updated on 2018-02-13 17:21:06 UTC