Remove & Add again the same WS-Federation IP. Error ACS60006

Question

Hi every one,

After changing my FederationMetadata in my custom STS I wanted to update the ACS Identity Provider as well as my rule group for the relying party application to pass the new claims I added (NameIdentifier, GivenName).

Because I could not get it to generate the new claims I Deleted the "Relying party application", "Rule group", and "My custom IP". When I tried to create the Identity Provider from scratch (Add WS-Federation Identity Provider) using the url I previously used and worked fine I get the following error:

An unexpected error occurred while processing your request. 

HTTP Error Code: 400

Message: ACS60006: Attempted to insert a new copy of an object that already exists in the database.

Trace ID: ee7672a3-524e-408d-945a-d3ca655b6ea6

Timestamp: 2012-03-21 15:06:48Z

Does anyone knows what is happening?! All lists are empty there shouldnt be any conflicts because I have already deleted all "Relying party applications", "Rule groups", and "custom IPs".  

Constantinos

---

Constantinos Leftheris. http://www.indice.gr

Answer 1

In reply to my question:

I removed the NameIdentity claim from my STS and the problem went away. This error is totaly misleading!!! I sould have got something like your updated FederationMetadata has a problem or something.

Anyway...

In general do not use the NameIdentifier in your own custom STS without knowing exactly what you are doing. For example I wanted to expose a unique Guid for the user but this is not its purpose as it seems. You can find out more here http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx

Regards

C.

---

Constantinos Leftheris. http://www.indice.gr

Answer 2

Hi,

Thank you for sharing your answer.

---

Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework