While Signing In to Laserfiche Cloud with AD FS, You Receive the Following Error Message: "Invalid SAMLp response."

May 6, 2020 | KB: 1014070
Cloud

Summary

While signing in to Laserfiche Cloud with Active Directory Federation Services (AD FS), the user is redirected to a different Laserfiche page, at the URL acs.laserfiche.com/acs/SAML2/SSO, which shows the error "Invalid SAMLp response. (6-27)." This occurred after AD FS was set up as the identity provider for Laserfiche Cloud.

Cause

Encryption was enabled on the relying party trust for Laserfiche Cloud. In a setup that uses assertion encryption, the recipient of the assertion supplies an encryption certificate and holds the matching private key, which is what allows it to decrypt the assertion. Laserfiche does not provide such a certificate for Laserfiche Cloud. If you configure a certificate of your own (for example, your signing certificate) on the trust, AD FS encrypts the assertion with it, but Laserfiche does not hold the private key for that certificate and cannot decrypt the assertion. The result is a SAMLp response that carries an EncryptedAssertion element instead of an Assertion element, which Laserfiche Cloud rejects with the error above.
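The quickest way to confirm this cause is to look at the SAMLResponse value that AD FS posts to acs.laserfiche.com/acs/SAML2/SSO (it can be copied from the browser's developer tools or a SAML tracer extension) and check which element the response carries. The following PowerShell function is an added example and is not part of the Laserfiche KB article; the sample response it decodes is constructed here to reproduce the symptom, and the issuer URL in it is a placeholder.

```powershell
# Added example (not from the Laserfiche KB): decode a base64 SAMLResponse form
# value and report whether the response carries an EncryptedAssertion element
# (the misconfiguration this article describes) or a plain Assertion element.
function Get-SamlAssertionKind {
    param([Parameter(Mandatory)][string]$SamlResponseB64)

    # The POST body carries the SAML response as base64-encoded UTF-8 XML.
    $bytes = [Convert]::FromBase64String($SamlResponseB64)
    $xml   = [xml][System.Text.Encoding]::UTF8.GetString($bytes)

    # Query with the SAML 2.0 namespaces so prefixes used by the IdP do not matter.
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    if ($xml.SelectSingleNode('/samlp:Response/saml:EncryptedAssertion', $ns)) {
        # AD FS encrypted the assertion; Laserfiche Cloud has no key to decrypt it.
        return 'EncryptedAssertion'
    }
    if ($xml.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)) {
        # Plain assertion, which is what Laserfiche Cloud expects.
        return 'Assertion'
    }
    return 'Unknown'
}

# Constructed sample, not a real capture: a minimal response containing an
# EncryptedAssertion, base64-encoded the way it appears in the POST body.
# The issuer URL is a placeholder.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2020-05-06T00:00:00Z">
  <saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>
'@
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))

# With the constructed sample this reports EncryptedAssertion; with a response
# captured after the fix below it should report Assertion.
Get-SamlAssertionKind -SamlResponseB64 $sampleB64
```

Replace $sampleB64 with the SAMLResponse value copied from the browser. If the function reports EncryptedAssertion, the relying party trust still has an encryption certificate configured.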

Resolution

  1. Go to the AD FS Management page.
  2. Click on Relying Party Trusts.
  3. Find the trust corresponding to Laserfiche Cloud (https://laserfiche.com).
  4. Click on the Encryption tab and remove the configured certificate.
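The same check and fix can be done from an elevated PowerShell session on the AD FS server instead of the AD FS Management console. This is an added example, not part of the Laserfiche KB article. It assumes the trust identifier from step 3 (https://laserfiche.com) matches the relying party trust in your farm; if your trust uses a different identifier or you prefer to locate it by display name, adjust the Get-AdfsRelyingPartyTrust and Set-AdfsRelyingPartyTrust target parameters accordingly.

```powershell
# Added example (not from the Laserfiche KB): inspect and clear the encryption
# certificate on the Laserfiche Cloud relying party trust with the ADFS module.
# Run in an elevated session on the AD FS server.
Import-Module ADFS

# Identifier taken from step 3 of the resolution; assumed to match your trust.
$trustIdentifier = 'https://laserfiche.com'

$rp = Get-AdfsRelyingPartyTrust -Identifier $trustIdentifier
if (-not $rp) {
    throw "No relying party trust found with identifier $trustIdentifier"
}

# Show the current state. An EncryptionCertificate on the trust means AD FS
# will emit EncryptedAssertion elements instead of Assertion elements.
$rp | Select-Object Name, Identifier, EncryptClaims,
    @{ Name = 'EncryptionCertificate'
       Expression = { if ($_.EncryptionCertificate) { $_.EncryptionCertificate.Subject } else { '<none>' } } }

if ($rp.EncryptionCertificate -or $rp.EncryptClaims) {
    # Equivalent of removing the certificate on the Encryption tab (step 4):
    # clear the certificate and turn off claim encryption for this trust.
    Set-AdfsRelyingPartyTrust -TargetIdentifier $trustIdentifier `
                              -EncryptionCertificate $null `
                              -EncryptClaims $false

    # Re-read the trust to confirm the change took effect.
    Get-AdfsRelyingPartyTrust -Identifier $trustIdentifier |
        Select-Object Name, EncryptClaims, EncryptionCertificate
} else {
    Write-Output 'No encryption certificate configured on this trust; nothing to change.'
}
```

After the change, sign in to Laserfiche Cloud again; the posted SAMLResponse should now contain a plain Assertion element and the "Invalid SAMLp response. (6-27)" error should no longer appear.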