ISSUE

In a system where OWA is secured by DualShield MFA via the DualShield IIS Agent, the browser shows the error "Invalid SAML Response: Signature wrapping attack, wrong URI" after the user has been successfully verified by DualShield SSO.

CAUSE

In the DualShield Authentication Server, there is a corresponding SAML Service Provider for OWA, which is created automatically by the DualShield IIS Agent when OWA is enabled with MFA.

If both the options "Sign on SAML Assertion" and "Sign on SAML Response" are enabled on this Service Provider, you will get the error "Invalid SAML Response: Signature wrapping attack, wrong URI".

RESOLUTION

To fix this issue, disable the option "Sign on SAML Response".


Please note: If you make changes to the OWA settings in the DualShield IIS Agent, the SAML options are reset automatically. If you are running DualShield 6.5.2.0620, you MUST edit the SAML settings manually after you have made changes to the OWA settings in the DualShield IIS Agent.

This error can also happen in other IIS web applications that are enabled with DualShield MFA, such as RDWeb.
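
To confirm from a captured login which elements the server is actually signing, the base64 SAMLResponse form value can be inspected offline. The script below is an added example, not DualShield code: it assumes the HTTP-POST binding, uses a constructed sample message with made-up IDs, and only reports where signatures sit and what each Reference URI points at. It does not verify signatures or reproduce the agent's validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_report(saml_response_b64):
    """List every signed Response/Assertion in a base64 SAMLResponse form value."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    report = []
    # Inspect the Response itself and the Assertions directly beneath it.
    for elem in [root] + root.findall("saml:Assertion", NS):
        for sig in elem.findall("ds:Signature", NS):
            ref = sig.find("ds:SignedInfo/ds:Reference", NS)
            uri = ref.get("URI", "") if ref is not None else ""
            report.append({
                "signed_element": elem.tag.rsplit("}", 1)[-1],
                "id": elem.get("ID"),
                "reference_uri": uri,
                # An enveloped signature is expected to reference its parent's ID.
                "uri_matches_parent": uri == "#" + (elem.get("ID") or ""),
            })
    return report

def both_signed(report):
    """True when both the Response and an Assertion carry a signature."""
    return {"Response", "Assertion"} <= {r["signed_element"] for r in report}

def build_sample(sign_response):
    """Constructed sample message; IDs are made up, signatures hold no real values."""
    def sig(ref_id):
        return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                f'<ds:SignedInfo><ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
                '</ds:Signature>')
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">'
           + (sig("_resp1") if sign_response else "")
           + '<saml:Assertion ID="_assert1">' + sig("_assert1")
           + '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    for label, flag in (("both options enabled", True), ("assertion only", False)):
        rep = signature_report(build_sample(flag))
        print(label, "-> both signed:", both_signed(rep))
        for row in rep:
            print("  ", row)
```

If `both_signed` is true for a real capture after the fix was applied, the SAML options have probably been reset by a later change to the OWA settings in the IIS Agent.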

