Wildcard / Dynamic Realm

Question

This seems like it would be so obvious, but I can't seem to find an example.

This forum answer refers to dynamic realms and provides a good example on building the proper realm request to ACS.

http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/c5a265bd-e5f7-419e-a079-fca9a19e7ec3

However I get the following error
ACS50001: Requested relying party realm 'http://tenant.localhost.company.com/' is unknown            
   

My question is simple, how do you specify wildcard names in the ACS management portal for a realm.  I tried setting the Realm on my Reply Party to *.localhost.company.com and that did not work (see error)

---

|| Aaron Elder - Dynamics CRM MVP || http://xrm.ascentium.com/blog/crm

Answer 1

You can't do that on the ACS side. You have to explicitly set up an RP for each realm.

You may be better off having a single realm, and when ACS returns the token to the root site, you have code that figures out which tenant should receive the token.

---

Developer Security MVP | www.syfuhs.net

Answer 2

Thank you for the reply.

That is what I was afraid of.  As I have read more, this seems like a possible way to go.  

Is there a best practice here?  Is there any easy way I can pass a querystring token to the ReturnUrl?  The workflow is a user will go to orgname.company.com, I need them to sign in to app.company.com then redirect them back to orgname.company.com.

Answer 3

Hi,

Yes, ReturnUrl can be edit but Realm not, it's not safety if ACS RP can be updated during the application running.

Try to follow:

http://msdn.microsoft.com/en-us/library/windowsazure/hh180180.aspx

Hope this helps.

---

Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

Answer 4

It looks like the best way to pass this is via wctx (context), as it is the only parameter that is always passed and transparent to the various systems in the chain.