I am trying to create an MVC5 Web Application configured to use the On-Premises Organizational Authentication option (ADFS) as described here by Vittorio Bertocci.
First, I create a new MVC project. Then I change the Authentication to On-Premises and set the On-Premises Authority to my ADFS federation metadata endpoint. I checked to make sure the federation metadata XML could be reached, and it was. I leave the App ID URI field blank, accepting the default value. I've done both: provided a value and left it blank.
I then configured my relying party app manually, setting the relying party WS-Federation Passive Protocol URL to https://localhost:44300, which was provided by Visual Studio. This value is the only value given as the trust identifier.
Lastly, I mapped two claim types for good measure: Display Name and User-Principal Name. All this was provided by the example link.
I then run it (F5); the ADFS login pops up with a generic error. I go to the ADFS server and find the following detailed error.
Development Environment: I have 3 servers and 1 client:
- 1 Domain Controller
- 1 CA server
- 1 ADFS
- 1 Windows 8 client
I keep receiving the following error message from ADFS:
Encountered error during federation passive request.
Additional Data
Protocol Name: wsfed
Relying Party: https://localhost:44300/
Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost:44300/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Any help is appreciated.
As mentioned in Vittorio's first response, it seems that the relying party identifier sent by your application does not match what is registered in ADFS. This should not require a new vanilla ADFS setup. I suggest the following:
Let me know if this works out for you.
--Sam
It looks like you defined your RP trust using https://localhost:44300, but in fact you are sending https://localhost:44300**/**. The trailing slash is significant for that comparison! :-) I recommend using a logical identifier per realm, or adding the trailing slash in your RP trust. HTH, V.