I am configuring a POC for SharePoint with authentication to third party account provider and running into several issues and following the documentation provided by microsoft at http://technet.microsoft.com/en-us/library/cc731443(v=ws.10).aspx. Most of the documentation which I have seen are for ADFS 2.0 RTW
The issue is when I am a trying to the access the SharePoint site, I get redirected to the account provider ADFS site with NTLM prompt pop up. Once when I enter my credentials I get the following error
The token request for application with URL "https://spadfsweb.spdev.com/_layouts/Authenticate.aspx?Source=/" cannot be fulfilled because the URL does not identify any known trusting application.
Here is my setup
ADFS account provider (ADFS Role and DC are in separate machines)
Windows 2008 R2
ADFS role added
Has the following parameters for the ADFS
token signing certificate "sts.adfsaccount.spaccount.com"
Federation Service URI
urn:federation:accountprovider
Federation service endpoint url
https://sts.adfsaccount.spaccount.com/adfs/ls/
Exported the token signing certificate and imported that in resource partner ADFS
ADFS Resource Partner (ADFS role and DC are in separate machines)
Windows 2008 R2
ADFS role added
Has the following parameters for the ADFS
Token signing certificate "sts.staging.spresource.com"
Federation Service URI
urn:federation:resourceprovider
Federation service endpoint url
https://sts.staging.spresource.com/adfs/ls/
Has the following trusted application which is sharepoint
https://spadfsweb.spdev.com/_trust/, I have all sort of the combination like below
https://spadfsweb.spdev.com
https://spadfsweb.spdev.com/_layouts
Exported the token signing certificate and imported that into account partner ADFS
And below is the steps how I have configured the SharePoint site
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Data\Certs\stsadfsaccount_exporttokensign.cer")
New-SPTrustedRootAuthority -Name "Account Token Signing Cert" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name "Staging Provider"-Description "User account domain from adfs to provide authenitcation" -Realm "urn:federation:resourceprovider" -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://sts.adfsaccount.spaccount.com/adfs/ls/" -IdentifierClaim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
---SharePoint has the uri of resource provider, signing certificate of the account partner and adfs url of the account partner
Please let me know if I am doing something wrong.
Thanks
Deepak
You seem to suggest you're using ADFS 1.0. And indeed, if you followed http://technet.microsoft.com/en-us/library/cc731443%28v=ws.10%29.aspx as you say, then you've configured ADFS 1.0, as opposed to the successor AD FS 2.0. In my opinion any new deployment should be using AD FS 2.0.
Your error message is described on the ADFS 1.0 troubleshooting page; quoting:
Condition: server error
Error: The token request for application with URL https://... cannot be fulfilled because the URL does not identify any known trusting application
Solution: This error is returned by the resource Federation Service when the application URL does not identify any known application. Make sure that the application has been added to the trust policy for the Federation Service. For more information about how to do this, see Complete the Add Applications Wizard.
For a claims-aware application, verify that the return URL is typed correctly in the application’s web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.
For a Windows NT token-based application, verify that the return URL is typed correctly on the ADFS Web Agent tab of IIS and that it matches the application URL in the trust policy of the Federation Service.
Also, in case you don't know already, for ADFS 1.0 Microsoft created the ADFS Diagnostic Tool; see this blog post to download. This tool might prove useful in tracking down this specific problem.
Hope this helps...
Related
We need to configure okta as IDP for azure ad applications. For example: When a user tries to access the enterprise application, they'll be challenged with a login page, which will be validated by OKTA. Post this authentication, the authorization will be handled by Azure and upon successful authorization, user will be shown a landing page of the application.
We have referred below links as reference for setup:
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
https://developer.okta.com/docs/guides/custom-url-domain/overview/
What we did so far?
Registered company "example.com" in okta. By default okta configures it as "example.okta.com"
Registered custom domain "id.example.com". Our okta instance is accessible using this domain
Created an enterprise SAML app (which also exist in Azure AD) in OKTA
Exported OKTA IDP metadata
Now, we are trying to import this IDP metadata as external identity provider in AAD. But it fails with below error, if we map example.com or id.example.com as domain name of federating idp. Because of these errors we’re unable to setup the custom domain of federated IDP(OKTA). Please assist us on the approach for the same.
Error Messages:
For domain as "id.example.com"
Failed to add a SAML/WS-Fed identity provider.This direct federation policy does not pass one or more requirements. Go to aka.ms/b2b-direct-fed to learn more.
For domain as "example.okta.com"
Failed to add a SAML/WS-Fed identity provider.This direct federation configuration is currently not supported. The authentication URL must match the domain for direct federation or be one of the allowed domains. Go to aka.ms/b2b-direct-fed to learn more.
You need to go through the Azure AD federation compatibility list to learn about how to federate an Azure AD tenant with a 3rd party IDP like Okta and others.
#Kalyan Krishna
Hi,
Thanks for the reply. We have already gone through the documentation. OKTA is listed down as one of the supported 3rd party federated IDP that Azure supports. We referenced the MS docs and tried to configure, but we observed Azure AD doesn't support external IDP(OKTA) configuration with custom domain. It throws error as mentioned in the above post. So, we tried to configure the federated domain as ".okta.com" (including other IDP metadata details). It worked then, and for authentication AZ AD is getting redirected to OKTA. SP authentication flow works fine when myapps URL is appended with tenant ID, but while testing IDP initiated SSO it fails.
IDP initiated SSO fails with OKTA as an IDP in Azure
We have configured OKTA as an IDP in Azure AD. While testing the IDP(OKTA) authentication flow, it throws error.
Configured Okta & Azure AD using below microsoft link as reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far?
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata
Configured the app SSO settings as above reference link
Imported OKTA metadata as external IDP in AzureAD
Followed below steps to test IDP Authentication Flow
Logged in with the existing user in OKTA
After successful authentication, user is redirected to dashboard page
Here, when we click on custom app chiclet, instead of getting redirected to Microsoft apps portal, it throws below error -
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
i think direct federation doesn't support idp initiated login, you need to login using tenant context.
have you seen that note in the link you pasted ?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
we have user credentials in an on-premise ADFS.we have adfs installed on a machine,how to establish trust between sharepoint online and adfs?How do we get adfs url that authenticates user credentials and generates security token?
You need to Set up a trust between AD FS and Azure AD. Run the powershell:
Connect-MsolService
Set-MsolAdfscontext -Computer <AD FS primary server>
Convert-MsolDomainToFederated –DomainName <domain>
Below article would be helpful to you:
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Setting-up-AD-FS-and-Enabling-Single-Sign-On-to/ba-p/295302
https://azure.microsoft.com/en-us/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
https://blogs.msdn.microsoft.com/sambetts/2014/09/09/setup-sharepoint-online-on-premises-single-sign-on-sso/
I am getting an error message when trying to connect to Dynamics 365 environment from my application.
Exception Message : Metadata contains a reference that cannot be resolved: 'https://adfs.domainname.com/adfs/services/trust/mex'.
What i am trying to find out is the physical appearance this url(https://adfs.domainname.com/adfs/services/trust/mex) in Azure ADFS. I am a beginner in Azure.
Does this url exists in azure or is it something like a datapoint?
The endpoint you are looking at is not an Azure endpoint. It is an ADFS endpoint and Azure uses it in scenarios, where your custom domain is federated with your on-premise ADFS server for authentication.
Let's assume you have a domain called carnival.com verified in Azure and you have users who are synchronized from your on-premise AD, user1#carnival.com, user2#carnival.com etc. Now if you federate carnival.com with your ADFS in the on-premise environment, then Azure AD will redirect the users to ADFS endpoints when authentication is required.
It looks like the information provided while configuring the ADFS is wither wrong or your ADFS is currently not reachable. Ideally when you navigate to that endpoint, it should display an XML as shown in this article.
Try checking if the authentication to Azure AD is working for the domain in question and check with your ADFS team to troubleshoot this further.
I'm working on a proof of concept for Federated Authentication.
I've created a custom STS (basically a re-write of the Windows Identity Foundation Basic STS sample) and set up relying parties to use this successfully.
The next stage of the PoC is to use Azure ACS to allow federated login with Google/LiveID/etc credentials, as well as those provided by the custom STS.
Everything works EXCEPT that I can't get Azure ACS to accept the token from the custom STS.
The errors given are:
ACS20001: An error occurred while processsing a WS-Federation sign-in response
ACS50008: SAML token is invalid
ACS50026: Principal with name 'mysts.mycorp.co.uk' is not a known principal
Now, to me, this looks like ACS is failing to decrypt the SAML token from the custom STS, but the only decryption certificate that's installed in Azure ACS is the one used to sign and encrypt the response token by the Custom STS.
What am I missing here?
The answer was, of course, staring me in the face...
ACS requires that the issuer name in the federation metadata for the STS perfectly matches that in the token...
In my app.config, I'd missed off the http:// for the issuer name - ACS was interpreting the lack of an introducer as being a certificate reference and was looking for a certificate with issuer CN=mysts.mycorp.co.uk rather than http://mysts.mycorp.co.uk