ADFS spring-saml No AssertionConsumerService is configured on the relying party
SAML with an ADFS IdP, runtime error: the SP's non-signed metadata was imported without problems into the ADFS IdP, but I'm facing a problem at run time.

After successful IdP authentication, on the IdP page I got a trust error like this:

```
The request specified an Assertion Consumer Service URL
'https://test.it/au/login' that is not configured on the relying party 'microsoft:identityserver:test.it'.
Assertion Consumer Service URL: https://test.it/au/login  Relying party: microsoft:identityserver:test.it
that is a prefix match of the AssertionConsumerService URL 'https://test.it/au/login' specified by the request.
This request failed.
```

My SP metadata is like this:

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="test.it"
                     entityID="test.it">
    <md:SPSSODescriptor AuthnRequestsSigned="false"
                        WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <!-- ds:KeyInfo with the SP signing certificate omitted from the post -->
        </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://test.it:443/au/login"
                                     index="0"
                                     isDefault="true"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
```

I may add: if I start the auth process from /adfs/ls/idpinitiatedsignon.htm and I choose my SP (so I excluded problems with the saml2p:AuthnRequest), I got a POST redirect to `https://test.it/au/lo gin`. I wonder how it is that my endpoint on the IdP has blank spaces in it.

I found this article that seems to explain it: http://social.technet.microsoft.com/wiki/contents/articles/4039.ad-fs-2-0-the-request-specified-an-assertion-consumer-service-url-that-is-not-configured-on-the-relying-party.aspx In short it says:

There are two options:

  1. Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest

  2. Configure the RP to send an AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.

What do you think?

If I generate metadata with entityID="https://test.it:443/au/login" instead of entityID="test.it", could that avoid this security issue?

Or should I remove the AssertionConsumerService from the SAML request (is it possible by configuration)?

Or should the IdP manager do a better configuration?

Dronski answered 20/5, 2015 at 20:22 Comment(0)
Not sure if it's the same issue you're facing, but on my end with the same error, the problem was that I hadn't added my assertion endpoint on my service provider as a SAML Assertion Consumer Endpoint in AD FS on the identity provider.

Worth a shot, anyway :) In mmc on the IdP, add the AD FS snap-in. Then find your SP config under AD FS > Relying Party Trusts. Mine is called Test SSO. Right-click it, choose Properties, then on the Endpoints tab, check that your service provider assertion endpoint URL is listed under SAML Assertion Consumer Endpoints.

My working configuration was

```
Endpoint type:        SAML Assertion Consumer
Binding:              POST
Default:              Yes
Index:                0
Trusted URL:          https://1337.local/adfs/ls
```

And Trusted URL was my assertion endpoint on the SP, i.e. where ADFS posts the SAML payload once authenticated.

Hardfeatured answered 15/9, 2015 at 13:38 Comment(0)
I had a similar problem. I followed the advice from @DanielSmedegaardBuus and found no assertion consumers. In my metadata.xml, which I imported into ADFS, the service provider URLs were http. If you try to manually add a link with http it says "only https allowed", and it seems that when it was importing the XML it just ignored those http URLs. So I had to configure my service provider to use https and then it worked.

Extrapolate answered 15/8, 2019 at 16:24 Comment(0)
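The three posts above describe one check: the AssertionConsumerServiceURL carried in the AuthnRequest must be listed, as an exact string, among the SAML Assertion Consumer Endpoints of the relying party trust, and (per the last answer) http endpoints in imported metadata are silently dropped. The question's metadata declares `Location="https://test.it:443/au/login"` while the ADFS error reports `https://test.it/au/login`, so the two differ as strings even though they name the same endpoint. The script below is an added example written for this page, not code from spring-saml, ADFS or any of the posters; the sample metadata and URLs are constructed to mirror the question. It parses SP metadata, reports whether a request URL matches a declared endpoint exactly, only after normalizing the default port, or not at all, and lists the non-https endpoints that would not survive an ADFS import.

```python
"""Compare an AuthnRequest's AssertionConsumerServiceURL with the endpoints
declared in SP metadata, using the exact-string match ADFS applies.

Added example, not from the question, spring-saml or ADFS. The metadata and
URLs below are constructed sample values."""
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"

# Constructed SP metadata shaped like the one in the question: the default
# endpoint carries an explicit :443, and a second endpoint is plain http.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="test.it">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://test.it:443/au/login" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://test.it/au/login-plain" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_locations(metadata_xml):
    """Return the Location of every AssertionConsumerService in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [acs.attrib["Location"] for acs in root.iter(ACS_TAG)]


def normalize_url(url):
    """Canonical form for URLs that are logically the same endpoint:
    lower-case scheme and host, drop an explicit default port (443/80),
    keep the path and query as given."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    default = {"https": 443, "http": 80}.get(parts.scheme.lower())
    netloc = host if parts.port in (None, default) else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def check_acs(metadata_xml, request_acs_url):
    """Classify the AuthnRequest's ACS URL against the metadata endpoints.

    'exact'     - a declared Location is byte-for-byte identical (what ADFS wants)
    'port-only' - equal only after normalizing, e.g. ':443' present vs absent,
                  the mismatch behind the error message in the question
    'missing'   - no declared endpoint refers to this URL at all
    'insecure' lists the http Locations that an ADFS import would drop."""
    locations = acs_locations(metadata_xml)
    insecure = [loc for loc in locations if urlsplit(loc).scheme.lower() != "https"]
    if request_acs_url in locations:
        status = "exact"
    elif normalize_url(request_acs_url) in {normalize_url(loc) for loc in locations}:
        status = "port-only"
    else:
        status = "missing"
    return {"status": status, "locations": locations, "insecure": insecure}


if __name__ == "__main__":
    # The URL the question's AuthnRequest actually carried, without :443.
    result = check_acs(SAMPLE_SP_METADATA, "https://test.it/au/login")
    print(result["status"])    # port-only
    print(result["insecure"])  # ['http://test.it/au/login-plain']
```

A `port-only` result means the SP and the relying party trust agree on the endpoint but not on its spelling; either regenerate the SP metadata so the Location is exactly the URL the SP puts in its AuthnRequest, or add that exact URL on the Endpoints tab of the trust. Anything listed under `insecure` will not appear as a SAML Assertion Consumer Endpoint after import and has to be served over https before ADFS accepts it.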