I am trying to create an MVC5 Web Application configured to use the On-Premises Organizational Authenticated Option (ADFS) as described Here by Vittorio Bertocci
First, I create new MVC project. Then I change the Authentication to On-Premises. Set the On-Premises Authority to my ADFS federation metadata Endpoint. I checked to make sure the federation metadata xml could be reached and it was. I leave the App ID URI field blank accepting the default value. I ve done both, provided a value and left blank.
I then configured my relying party app manually. Setting the relying party WS-Federation Passive Protocol URL: to https://localhost:44300 which was provided by Visual studio. This value is the only value given as the trust identifier.
Lastly, I mapped 2 claim types for good measure; Display Name and User-Principal Name. All this provided by the example link.
I then runit(F5) the ADFS login pops up with a generic error. I goto the ADFS server and find the following detailed error.
Development Enviroment I have 3 servers and 1 client
- 1 Domain Controller
- 1 CA server
- 1 ADFS
- 1 windows 8 client.
I keep receiving the following error message inside from ADFS
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://localhost:44300/
Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost:44300/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Any help is appreciated.
as mentioned in Vittorio's first response, the seems that the relying party identifier sent by your application does not match what is registered in ADFS. This should not require a new vanilla ADFS setup. I suggest the following:
- Ensure that you have a Relying Party trust setup in ADFS for the application.
- Ensure that the identifier for the application matches what you have specified in your application as you see in Vittorio's blog post.
- Ensure that the return URL is set correctly on the ADFS relying party trust and matches your F5 settings for the application. You can see a screen shot in Vittorio's blog post.
Let me know if this works out for you.
--Sam
it looks like you defined your RP trust using https://localhost:44300 but in fact you are sending https://localhost:44300**/**. The trailing slash is significant for that comparison! :-) I recommend using a logical identifier per realm, or adding the trailing slash in your RP trust.
HTH
V.
来源:https://stackoverflow.com/questions/24374975/mvc5-web-app-using-adfs-on-premises-organizational-auth-and-visual-studio-2013-l