How to Fix Error ACS50008
Published: July 16, 2012
Updated: February 21, 2014
Applies To: Windows Azure
This topic provides information about possible causes of and solutions for the ACS50008 error. For more information about ACS error codes, see ACS Error Codes.
The ACS50008 typically appears as part of a comprehensive error message, such as the following. The message can appear in a web browser, such as in a custom web application single sign-on scenario, or in the HTTP trace, such as when using single sign-on with SharePoint.
An error occurred while processing your request. HTTP Error Code: 401 Message: ACS20001: An error occurred while processing a WS-Federation sign-in response. Inner Message: ACS50008: SAML token is invalid. Trace ID: 903f515f-3196-40c9-a334-71277700aca6 Timestamp: 2012-05-31 10:16:16Z
|The information below can help you fix an ACS50008 error. Sometimes ACS50008 errors are accompanied by another ACS error code that indicates the exact cause of the error, such as ACS50017, which indicates that the certificate is unable to chain to a trusted root.|
ACS returns ACS50008 when the SAML token that the federated STS provides to ACS does not satisfy ACS token requirements. Possible causes include the following:
The signing certificate specified in the federation metadata of the federated STS does not match the signing key of the SAML token (assertion). This typically occurs when the federation STS signing certificate is updated, but the federated metadata provided to ACS matches the previous signing certificate. To update the federation metadata in the ACS portal, click Identity providers, click a WS-Federation identity provider, and use the features in the WS-Federation metadata section to update the metadata.
The Issuer name in the SAML token does not match the EntityID in the federation metadata. The EntityID and Issuer name fields much match exactly, including any ending forward slash in a metadata URL. To correct the problem, update the STS so that it generates updated federation metadata or update the SAML token. Manually changing the federation metadata XML will not work.
The validity period in the SAML token issued by the federated STS is set to the past or the future. This can occur when the system time of the operating system on which the federated STS runs is inaccurate. To fix the problem, increase the token life time setting on the federated STS or reset the system time on the operating system and assure that it stays accurate. The Pool.ntp.org project includes a method for assuring the accuracy of the system time. For more information, see http://www.pool.ntp.org/en/use.html.