Vault
AD FS event 320
Troubleshoot problems where your AD FS event logs show error 320.
Example debugging data
The AD FS event log shows the following error:
The verification of the SAML message signature failed.
Message issuer: MyVaultIdentifier
Exception details:
MSIS7086: The relying party trust 'MyVaultIdentifier' indicates that authentication requests sent by this relying party will be signed but no signature is present.
Analysis
Verify that SignedSamlRequestsRequired is false for your AD FS Relying Party Trust for Vault:
Get-AdfsRelyingPartyTrust -Name "<ADFS_VAULT_POLICY_NAME>"
For example:
Get-AdfsRelyingPartyTrust -Name "Vault"
Solution
Set SignedSamlRequestsRequired to false:
Set-AdfsRelyingPartyTrust `
  -TargetName "<ADFS_VAULT_POLICY_NAME>" `
  -SignedSamlRequestsRequired $false
For example:
Set-AdfsRelyingPartyTrust `
  -TargetName "Vault" `
  -SignedSamlRequestsRequired $false
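The analysis and solution steps above combined into one check-then-fix script, as an added example that is not part of the original documentation. The trust name "Vault" is the page's example value; the log name 'AD FS/Admin' and the 50-event window are assumptions to adjust for your environment.

```powershell
# Added example, not from the Vault documentation.
$TrustName = 'Vault'        # the page's example trust name; replace with yours
$LogName   = 'AD FS/Admin'  # assumption: AD FS admin log holding event 320

# 1. Confirm the symptom: recent event 320 entries carrying MSIS7086.
#    @() keeps the result an array even when nothing matches.
$events = @(
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 320 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSIS7086' }
)
Write-Host ("Event 320 entries with MSIS7086: {0}" -f $events.Count)
if ($events.Count -gt 0) {
    Write-Host ("Most recent: {0}" -f $events[0].TimeCreated)
}

# 2. Read only the relevant setting instead of the full trust object.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) {
    throw "Relying party trust '$TrustName' was not found."
}
$trust | Select-Object Name, Identifier, SignedSamlRequestsRequired | Format-List

# 3. Change the setting only when it is currently true, then re-read to confirm.
if ($trust.SignedSamlRequestsRequired) {
    Set-AdfsRelyingPartyTrust `
        -TargetName $TrustName `
        -SignedSamlRequestsRequired $false

    $after = Get-AdfsRelyingPartyTrust -Name $TrustName
    if ($after.SignedSamlRequestsRequired) {
        throw "SignedSamlRequestsRequired is still true on '$TrustName'."
    }
    Write-Host "SignedSamlRequestsRequired is now false on '$TrustName'."
}
else {
    Write-Host "SignedSamlRequestsRequired is already false on '$TrustName'; no change made."
}
```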