I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc.). However, whenever I try to log in using my custom STS I always get the Error 401.
Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
Error Code ACS50008: SAML token is invalid.
I have searched through the forums, but in my case I don't get any more detail on the error and do not know how to proceed and fix this.
My STS is currently in beta and can be reached here:
If anyone has any suggestions or wants to give it a try, please contact me via email and I will open a demo login on my custom provider.
Note: the case is different from a similar question found here, since my inner exception details do not suggest any reason.
Does your STS work with any other RPs? Have you tried going directly from your STS to your app?
The particular error you are receiving isn't very helpful because it could be caused by a few things. By the sounds of it, the token received either has bad XML, isn't signed, or is missing a few key pieces. Can you run a test and show us the token as it crosses the wire using something like Fiddler?
Please use Fiddler to look into the response returned by ACS. Are you able to see any other error description besides ACS50008? Please post the response here.
If there is no additional useful information, one possible reason is that the time of the client does not match the time of ACS, namely the NotBefore below is a time in the future when viewed by ACS.
If that's the case you may try to set the lifetime from (now - a buffer time such as 5 minutes) to (now + 1 hour), for instance.
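Added example, not code from the question or from either answer: a small Python script that performs the checks the two answers above describe on a SAML 1.1 assertion of the kind a WS-Federation sign-in response carries. It checks the structural points named in the first answer (well-formed XML, a ds:Signature element, Conditions, audience) and reproduces the clock-skew failure from the second answer, then issues the token with the backdated NotBefore window suggested there. The assertion XML, the audience URL, the STS clock offsets and the zero-tolerance default for NotBefore are constructed assumptions; ACS's real skew tolerance is not stated on this page, and signature presence is checked but the signature value is not verified.

```python
"""Constructed checks for a SAML 1.1 assertion (WS-Federation wresult payload)."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 namespace URI
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML1_NS, "ds": DSIG_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def fmt_time(t):
    """ISO 8601 UTC with a Z suffix, the form SAML expects."""
    return t.astimezone(dt.timezone.utc).strftime(TIME_FMT)


def parse_time(s):
    return dt.datetime.strptime(s, TIME_FMT).replace(tzinfo=dt.timezone.utc)


def build_conditions(now, backdate=dt.timedelta(minutes=5), lifetime=dt.timedelta(hours=1)):
    """Token window as suggested in the answer above: NotBefore is backdated by a
    buffer so a verifier whose clock is behind the STS does not see a token from
    the future; NotOnOrAfter is now + lifetime."""
    return fmt_time(now - backdate), fmt_time(now + lifetime)


def sample_assertion(issue_instant, not_before, not_on_or_after, signed=True):
    """Constructed SAML 1.1 assertion skeleton (placeholder signature value)."""
    sig = (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignatureValue>c2ln</ds:SignatureValue>'
           f"</ds:Signature>") if signed else ""
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="_constructed-1" Issuer="https://sts.example.test/" IssueInstant="{fmt_time(issue_instant)}">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://acs-namespace.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="{fmt_time(issue_instant)}">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  {sig}
</saml:Assertion>"""


def check_assertion(xml_text, now, expected_audience, max_skew=dt.timedelta(0)):
    """Return a list of problems (empty means the assertion passed these checks).
    max_skew is the verifier's tolerance on NotBefore; zero is an assumption."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return [f"root element is {root.tag}, not a SAML 1.1 Assertion"]
    problems = []
    # Presence of the enveloped signature only; the signature value is not verified here.
    if root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature element: token is unsigned")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["no saml:Conditions element"]
    for attr in ("NotBefore", "NotOnOrAfter"):
        if attr not in conditions.attrib:
            problems.append(f"Conditions is missing {attr}")
    if "NotBefore" in conditions.attrib:
        not_before = parse_time(conditions.attrib["NotBefore"])
        if not_before - max_skew > now:  # the clock-skew symptom from the answer above
            problems.append(f"NotBefore is in the future by {not_before - now} (STS/verifier clock skew)")
    if "NotOnOrAfter" in conditions.attrib and now >= parse_time(conditions.attrib["NotOnOrAfter"]):
        problems.append("token has expired (now >= NotOnOrAfter)")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")
    return problems


def demo():
    """STS clock ahead of the verifier by 3 and by 10 minutes; naive NotBefore=now
    versus the 5-minute backdated window. The buffer only helps when it exceeds the skew."""
    verifier_now = dt.datetime(2012, 6, 1, 12, 0, tzinfo=dt.timezone.utc)  # constructed
    audience = "https://acs-namespace.example.test/"
    results = {}
    for label, minutes in (("skew_3min", 3), ("skew_10min", 10)):
        sts_now = verifier_now + dt.timedelta(minutes=minutes)
        naive = sample_assertion(sts_now, fmt_time(sts_now), fmt_time(sts_now + dt.timedelta(hours=1)))
        buffered = sample_assertion(sts_now, *build_conditions(sts_now))
        results[label] = {"naive": check_assertion(naive, verifier_now, audience),
                          "buffered": check_assertion(buffered, verifier_now, audience)}
    unsigned = sample_assertion(verifier_now, *build_conditions(verifier_now), signed=False)
    results["unsigned"] = check_assertion(unsigned, verifier_now, audience)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With a 3-minute skew the naive token is rejected and the backdated one passes; with a 10-minute skew the 5-minute buffer is not enough and the backdated token is still reported as being from the future, which is why fixing NTP on the STS host matters more than widening the buffer. The unsigned case is flagged separately so that a time fix does not hide a missing signature.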
It seems you got a point, so I checked all the dates and made a small time shift there just in case. Unfortunately I still get the same error as before. Maybe I am missing something here, so here is what I got this time: