Azure AD ADFS gving Error "AADB2C90168: The HTTP-Redirect request does not contain the required parameter 'Signature' for a signed request."

Question

I am trying to use the following article to get ADFS working with Azure AD B2C in the start almost 3 weeks ago it worked and now I am getting this error.

AzureAD B2C ADFS Configuration

The Error I get after providing the credentials into ADFS.

AADB2C90168: The HTTP-Redirect request does not contain the required parameter 'Signature' for a signed request.

I removed my Custom policy and took on a vanilla policy from starter pack and configured ADFS but had the same result. There is no guidance on AADB2C90168 on the Internet on this error.

For info The ADFS is using a Public certificate and AzureAD B2C is using a self-signed certificate (as described in Pre-Requisites section).

Any help will be appreciated.

Answer 1

Turning off response signature checking weakens security, so probably not a good idea.

Azure B2C is expecting both the message and the assertion to be signed. By default, ADFS only signs the Assertion.

Run this on your ADFS Server:

Set-AdfsRelyingPartyTrust -TargetName <RP Name> -SamlResponseSignature MessageAndAssertion

Answer 2

In your technical profile for ADFS, add the following key <Item Key="ResponsesSigned">false</Item> to the metadata to see if this corrects your issue or not?

<TechnicalProfiles>
    <TechnicalProfile Id="MyADFS-SAML2">
      <DisplayName>MyADFS</DisplayName>
      <Description>Login with your MyADFS account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="RequestsSigned">false</Item>
        <Item Key="ResponsesSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="PartnerEntity">https://sts.myadfs.com/FederationMetadata/2007-06/FederationMetadata.xml</Item>
      </Metadata>
      ...
 </TechnicalProfile>
</TechnicalProfiles>