AADB2C90168: The HTTP-Redirect request does not contain the required parameter 'Signature' for a signed request.
Hi Team,
We are configuring a SAML Identity provider following the steps on this documentation:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy
When we click the external IdP button for the SAML sign-in, we get the error:
AADB2C90168: The HTTP-Redirect request does not contain the required parameter 'Signature' for a signed request.
This is the Claims Provider in my Extensions.xml:
<ClaimsProvider>
  <Domain>theevolvedgroup.com</Domain>
  <DisplayName>TEGroup</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TEGroup-SAML2">
      <DisplayName>TEGroup</DisplayName>
      <Description>Login with your SAML identity provider account</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <Item Key="PartnerEntity">https://login.microsoftonline.com/2cc974a9-f2ac-4a1d-92dc-e76b757eb9fd/federationmetadata/2007-06/federationmetadata.xml?appid=79f94c59-bb36-4115-beb6-54cd738b0e13</Item>
        <Item Key="IssuerUri">https://humanlistening.b2clogin.com/humanlistening.onmicrosoft.com/B2C_1A_signup_signin</Item>
        <!-- Add this to explicitly set POST binding -->
        <Item Key="ProtocolBinding">urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</Item>
        <Item Key="IdpInitiatedProfileEnabled">false</Item>
        <Item Key="WantsSignedRequests">true</Item>
        <Item Key="AuthenticationRequestsSigned">true</Item>
        <Item Key="XmlSignatureAlgorithm">Sha256</Item>
        <Item Key="ResponsesSigned">true</Item>
        <Item Key="WantsSignedAssertions">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="http://schemas.microsoft.com/identity/claims/displayname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="theevolvedgroup.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SM-Saml-idp">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IncludeSessionIndex">false</Item>
        <Item Key="RegisterServiceProviders">false</Item>
        <Item Key="WantsSignedRequest">true</Item>
        <Item Key="BindingType">HttpPost</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
and this is the setup for Azure AD Single Sign-On with SAML:
The SAML certificate in Azure AD is also set to Active.
We checked the PartnerEntity metadata and it returns the expected XML.
We would appreciate your help to resolve this issue.
Thanks
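An added troubleshooting helper for the error quoted above (written for this page; it is not the poster's code nor anything Microsoft ships): paste the SAML HTTP-Redirect URL captured from the browser's network tab and it decodes the deflated message and reports whether the SigAlg and Signature query parameters that a signed Redirect-binding message must carry are present, plus the Issuer, Destination and ProtocolBinding of the request. The sample AuthnRequest and the idp.example.com URL are constructed; only the Issuer value is taken from the policy in the post.

```python
# Added diagnostic (constructed example, not the post's or Microsoft's code).
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

def decode_redirect_payload(value: str) -> str:
    # Redirect binding: raw DEFLATE (no zlib header) then base64; wbits=-15 means raw.
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def encode_redirect_payload(xml_text: str) -> str:
    # Inverse of the above, used only to build the constructed sample below.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inspect_redirect_url(url: str) -> dict:
    qs = parse_qs(urlsplit(url).query)
    present = {k: k in qs for k in ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature")}
    # In the Redirect binding the signature travels as query parameters, not inside the
    # XML: without both SigAlg and Signature the receiver treats the message as unsigned.
    info = {"params": present, "signed": present["SigAlg"] and present["Signature"]}
    key = next((k for k in ("SAMLRequest", "SAMLResponse") if present[k]), None)
    if key is None:
        return info
    root = ET.fromstring(decode_redirect_payload(qs[key][0]))
    info["message"] = root.tag.replace(SAMLP, "samlp:")
    info["issuer"] = (root.findtext(SAML + "Issuer") or "").strip()
    info["destination"] = root.get("Destination")
    info["protocol_binding"] = root.get("ProtocolBinding")  # binding requested for the Response
    # An enveloped ds:Signature inside a Redirect-bound message is ignored by verifiers;
    # flag it so "signed XML but unsigned query string" is visible.
    info["embedded_ds_signature"] = root.find(DSIG + "Signature") is not None
    return info

# Constructed sample: an AuthnRequest shaped like the one a B2C SAML technical profile
# sends, on a Redirect URL that carries no SigAlg/Signature. idp.example.com is a placeholder.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.com/saml2" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>'
    'https://humanlistening.b2clogin.com/humanlistening.onmicrosoft.com/B2C_1A_signup_signin'
    '</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_URL = "https://idp.example.com/saml2?SAMLRequest=" + quote(encode_redirect_payload(SAMPLE_AUTHN_REQUEST), safe="")
REPORT = inspect_redirect_url(SAMPLE_URL)  # REPORT["signed"] is False: SigAlg/Signature absent
```

If the report shows `signed: False` for a message that the other side expects signed, the fix is on the sender's signing configuration or binding choice, not on the certificate; an embedded ds:Signature with an unsigned query string is the usual sign of a POST-style signature sent over Redirect.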