Friday, December 7, 2012

ADFS 2.0 "There was a problem accessing the site" Problem

You might face the error "There was a problem accessing the site" in a relying party application after logging in against ADFS 2.0.

The first thing to do is to check the Event Viewer on the machine where ADFS is installed. Look under "Applications and Services Logs --> AD FS --> Admin", and if you find the error below, read on:

"The Federation Service could not fulfill the token-issuance request because the relying party 'http://mysite/' is missing a WS-Federation Passive endpoint address."

Go to the ADFS management console and locate the relying party configuration. Check the Endpoints tab: as the error description said, the WS-Federation Passive endpoint is missing.

After wondering a little bit about what the reason could be, I took a look back at the error message in the event log and noticed that the relying party URL in the message uses http and not https. Now one thing I already knew is that the WS-Federation Passive profile mandates SSL because security takes place at the transport level.

So I examined the FederationMetadata.xml in my relying party and found that all URLs were using http and not https. Now frankly, why this was the case is beyond my knowledge. When setting up my dev environment I correctly set up a trusted certificate and used https in all wizards...

Anyway, fixing the FederationMetadata.xml file to use https solved the issue. Now go back to the ADFS console and update the relying party configuration. This time you will see the endpoint correctly defined.
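The metadata check described in this post, as an added example that is not from the original post: it parses a relying-party FederationMetadata.xml, lists every endpoint address that is not https, and rewrites the scheme so ADFS will import the passive endpoint. The sample metadata, the host name mysite and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespaces used in WS-Federation relying-party metadata (FederationMetadata.xml).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the endpoints use http, the condition described in the post.
# entityID is the realm identifier, not an endpoint, so the check leaves it alone.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://mysite/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:ApplicationServiceType"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://mysite/</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://mysite/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def _addresses(root):
    """Yield every wsa:Address element beneath the RoleDescriptor(s)."""
    for role in root.findall("md:RoleDescriptor", NS):
        yield from role.iter("{%s}Address" % NS["wsa"])

def find_non_https_endpoints(metadata_xml):
    """Return endpoint addresses whose scheme is not https; ADFS 2.0 will not import them."""
    root = ET.fromstring(metadata_xml)
    return [a.text.strip() for a in _addresses(root)
            if a.text and urlsplit(a.text.strip()).scheme != "https"]

def is_signed(metadata_xml):
    """True if the metadata carries an XML signature; hand-editing breaks it, so regenerate instead."""
    return ET.fromstring(metadata_xml).find("ds:Signature", NS) is not None

def rewrite_to_https(metadata_xml):
    """Return the metadata with every http endpoint address switched to https (scheme only)."""
    root = ET.fromstring(metadata_xml)
    for addr in _addresses(root):
        parts = urlsplit(addr.text.strip())
        if parts.scheme == "http":
            addr.text = urlunsplit(("https",) + tuple(parts[1:]))
    return ET.tostring(root, encoding="unicode")
```

Run find_non_https_endpoints on the real file before and after the edit; an empty result is what the ADFS console needs to show the passive endpoint.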