Mattermost, Inc.

ADFS Saml 2 setup Identity Provider response is not encrypted

I’m having an issue where some of the time some of my users are getting the following error:
“SAML login was unsuccessful as the Identity Provider response is not encrypted. Please contact your System Administrator”

I don’t get it every time though, and I even went back and deleted all the mattermost configurations in ADFS and set it back up again to be sure I didn’t miss something in the steps provided in the documentation. Everything looks right so far as I can tell, and some of my users never see this message. However there are a few who cannot ever login and get the message every time, and others that only get it sometimes. I can’t see any rhyme or reason as to who gets the message and who doesn’t.

I’ve been googling around and haven’t found anything related so if anyone has any idea where to start looking for more clues I’d appreciate it.

Hi @Brian,

  1. What Mattermost server version are you on?
  2. What OS and version are you on?
  3. What device are you seeing this on?
  4. Do you have access to the server logs and configuration, and can you share them?
  5. What IdP are you using?
  6. Can you list the attributes that you have on your IdP and in the Mattermost configuration?
  7. Do you know which identity provider you used to connect SAML to Mattermost?
  8. If you set it up, can you confirm all attributes, including Email Attribute and Username Attribute, are correct in both the Identity Provider configuration and in System Console > SAML, and that they match? It can also be a misspelled attribute like username is not the same as Username nor Firstname equals to FirstName.

Hi @Brian

I would be checking that in ADFS you imported the public part of the SP SAML certificate in the encryption tab.

If you are in a cluster check that all servers have the same config.json settings in SAML mainly EnableEncryptionas if users hit different servers and the value is different they will not always get the error.

Also did you run the

Set-ADFSRelyingPartyTrust -TargetName -SamlResponseSignature “MessageAndAssertion”

That command sets ADFS to require encryption from the SP and ensures it is always sent back encrypted. Don’t think it is needed for it to work but worth checking.