SAML authentication fails with error MSIS7075

It looks like signedsamlrequests=true is configured but you are not sending a signed SAML request to AD FS.

When you run the command below, does it return TRUE?

(Get-AdfsProperties).SignedSamlRequestsRequired

If yes, then use the command below to turn it off and test again.

Set-AdfsProperties -SignedSamlRequestsRequired $false

Ideally you should configure the RPIdentifier app to send signed requests and then configure the RP trust with details of the certificate that RPIdentifier uses to sign requests.

P.S. Your AD FS service account should not be privileged and need not be. Just a normal user account in AD will suffice. No need to be a member of any group other than domain users.

Remove the service account's membership from:

• Administrators
• Domain Admins
• Domain Controllers
• Enterprise Admins
• Group Policy Creator Owners
• Schema Admins

Your RP identifier only really needs to know about the token signing certificate used by AD FS. I am not sure what you meant by "Encryption". If the token signing cert is changed (by auto cert rollover or otherwise), you need to update the RP identifier side with details of the new token signing cert from AD FS. Similarly, if the RPIdentifier side certs change, the RP trust on AD FS must be updated.

If your app expects AD FS to send encrypted assertions, then RPIdentifier needs to supply a cert to be used for encryption. This will be configured on the RP trust at the AD FS side. Note that the cert is provided by RPIdentifier.
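An added diagnostic script for the MSIS7075 situation described in this answer (not code from the original post or from Microsoft): it reads the farm-wide and per-trust SignedSamlRequestsRequired settings, lists the request-signing and encryption certificates AD FS holds for the relying party trust, and points at the preferred fix (registering the RP's signing certificate) rather than disabling the requirement. The trust name $RpName and the certificate path .\rp-signing.cer are placeholders; the script assumes it runs on an AD FS server with the ADFS module.

```powershell
# Added example: diagnose "signed SAML request required but no RP signing cert" (MSIS7075).
# $RpName is a placeholder for the relying party trust's display name.
param(
    [Parameter(Mandatory)] [string] $RpName
)

Import-Module ADFS

$props = Get-AdfsProperties
$rp    = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }

# Farm-wide setting the answer refers to, plus the per-trust setting of the same name.
$farmRequires = [bool] $props.SignedSamlRequestsRequired
$rpRequires   = [bool] $rp.SignedSamlRequestsRequired
# Conservative view: treat signing as required if either level says so.
$requires     = $farmRequires -or $rpRequires

# Certificates AD FS uses to verify the RP's request signatures / encrypt assertions to it.
$signingCerts    = @($rp.RequestSigningCertificate | Where-Object { $_ })
$encryptionCert  = $rp.EncryptionCertificate

Write-Host "Farm  SignedSamlRequestsRequired : $farmRequires"
Write-Host "Trust SignedSamlRequestsRequired : $rpRequires"
Write-Host "Trust request-signing certs      : $($signingCerts.Count)"
foreach ($cert in $signingCerts) {
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    Write-Host ("  {0}  thumbprint={1}  expires={2:d}  {3}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $state)
}
if ($encryptionCert) {
    Write-Host ("Trust encryption cert            : {0} (expires {1:d})" -f $encryptionCert.Subject, $encryptionCert.NotAfter)
} else {
    Write-Host "Trust encryption cert            : none (assertions to this RP are not encrypted)"
}

# The MSIS7075 condition: AD FS insists on a signature it has no certificate to verify.
if ($requires -and $signingCerts.Count -eq 0) {
    Write-Warning "Signed requests are required for '$RpName' but no request-signing certificate is registered."
    Write-Warning "Preferred fix: have the RP sign its requests, then register its public cert on the trust, e.g."
    Write-Warning "  `$c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('.\rp-signing.cer')"
    Write-Warning "  Set-AdfsRelyingPartyTrust -TargetName '$RpName' -RequestSigningCertificate `$c"
}
```

Run it as .\Check-RpSigning.ps1 -RpName '<trust name>' on the AD FS server; an expired entry in the signing-cert list means the RP side rotated its certificate and the trust must be updated, as the answer notes.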