Windows Azure Platform >
ACS50008 when using a federated custom STS

Answered ACS50008 when using a federated custom STS

  • Friday, July 08, 2011 10:57 AM
     
     
    Sign In to Vote
    0

    Hi,

    I created a custom sts , the one that comes with wif then i went to windows azure portal and i created a new identity proviver using the federationmetadata.xml of the custom STS.

    When i select my custom STS as the IDP i get the following error after providing the credentials

    Message: ACS20001: An error occurred while processing a WS-Federation sign-in response.
    Inner Message: ACS50008: SAML token is invalid.
    Inner Message: ACS50008: Invalid SAML token. The issuer name is invalid.
    Trace ID: ff20853a-a286-4f3d-aa48-c8c108642de7
    Timestamp:

    2011-07-08 10:23:47Z               

    can anyone help

     

    Thanks

     

    TC

     

    TC
     

All Replies

  • Monday, July 11, 2011 3:41 AM
     
     Answered
    Sign In to Vote
    0

    Please see http://acs.codeplex.com/discussions/242143:

    1. The Entity ID in the WS-Federation metadata will be the Issuer Name in ACS. Please make sure that the IssuerName in the WIF STS token matches this entity ID.

    2. The signing certificate should be in the WS-Federation metadata under the RoleDescriptor of type="fed:SecurityTokenServiceType". Make sure that the signing certificate you are using while generating WIF token matches this.

     
  • Monday, July 11, 2011 1:25 PM
     
     
    Sign In to Vote
    0

    Hi,

    Where can i check the issuer name in ACS ? is it the display name ? or must i use the object model to do the federation ?

    The issue rname should be "htps://localhost:21443/" or PassiveSigninSTS ? . i debug the request and the issuername was PassiveSigninSTS .


     web.config

    <add key="IssuerName" value="PassiveSigninSTS">

     

    FederationMetadata.xml

    <EntityDescriptor ID="_8bc5c36b-f416-47ee-a7d2-c21b134fbd16" entityID="https://localhost:21443/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" >

     

    The certificate i m using in the one that comes with wif sdk , is there any problem with this

    TC
     
  • Tuesday, July 12, 2011 3:51 AM
     
     
    Sign In to Vote
    0
    We cannot check the issuer name in ACS. The issuer name is the entity ID. Please use "htps://localhost:21443/" to see if it works?
     
  • Monday, April 15, 2013 4:07 PM
     
     
    Sign In to Vote
    0

    Hi,

    Where can i check the issuer name in ACS ? is it the display name ? or must i use the object model to do the federation ?

    The issue rname should be "htps://localhost:21443/" or PassiveSigninSTS ? . i debug the request and the issuername was PassiveSigninSTS .


     web.config

    <add key="IssuerName" value="PassiveSigninSTS">

     

    FederationMetadata.xml

    <EntityDescriptor ID="_8bc5c36b-f416-47ee-a7d2-c21b134fbd16" entityID="https://localhost:21443/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" >

     

    The certificate i m using in the one that comes with wif sdk , is there any problem with this

    TC

    he didn't say it clearly (he said it in support-ese)

    in web.config, make the issuer field "https://localhost:21443/".

    Then the assertion's issuer matches the entityId published in its metadata.

    I sometimes wonder if the STS projects  were deliberately fouled with "educational" gotchas when interworking outside the sample - to force the student to think about the principles.