I am integrating Web Help Desk with ADFS version 3 and a Web Application Proxy front end for external user authentication.
Internal users can successfully authenticate to Web help desk using the internal ADFS server.
However, when an external user attempts to authenticate an invalid SAMLRequest query string is returned by web helpdesk to the ADFS server and an error is generated because it cannot decrypt the string returned.
The Web Application Proxy (WAP) is sitting in our DMZ and is configured for authentication passthrough. When a user connects to the external FQDN they are redirected by Web Help Desk to authenticate with ADFS, the user then authenticates and is redirected back to WHD, however as soon as this happens WHD sends the user back to ADFS and an error is displayed. The SAMLRequest string is included in the URL and when I attempt to decrypt this the string is an invalid cipher text. In ADFS event logging error 364 is logged indicating the string is an invalid base-64 string.
The ADFS trust has been tested with both SHA-1 and SHA-256 encryption configured. The certificate being used by WHD, ADFS and WAP are all trusted and were created by GoDaddy.
Any ideas why internal users would be able to authenticate but external users are facing this invalid string error?