Automating home realm discovery failing in ADFS for SAML 2.0 RP?

    Question

  • Hi,

    We have a SAML 2.0 relying party configured as a partner to ADFS 2.0. We also have a custom/passive STS, developed using .NET Framework 3.5 / WIF SDK, added as a CP for ADFS. When we try to automate the home realm discovery page for ADFS to use the custom STS, ADFS throws the following error/exception.

    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

    The following URL is used to automate the HRD in ADFS

    https://<ADFS Host Name>/adfs/ls/?wa=wsignin1.0&wtrealm=<SAML 2.0 RP Identifier>&whr=<Custom STS-CP Identifier>

      Can you please assist?


    Friday, February 15, 2013 3:23 AM

All replies

  • Stupid question, does it work without the automated home realm discovery?

    MCPD

    Friday, February 15, 2013 9:18 AM
  • Yes, it does work without automated HRD. It's a customer-facing application; it is such a pain to ask the customer to choose the claims provider from a list to get authenticated for seamless SSO.

    Friday, February 15, 2013 2:54 PM
  • For clarification, is your RP a WS-Fed application or a SAML protocol application? If it's a SAML protocol application and configured as such, your URL shouldn't work at all, as it's trying to use the WS-Federation variables to initiate the request.

    Developer Security MVP | www.syfuhs.net

    Friday, February 15, 2013 10:08 PM
  • My RP is a SAML protocol based application. Can you help me with a URL which should invoke the custom STS for getting WIF claims via ADFS and post the SAML assertion to the RP as part of automating home realm discovery?

    Your help is highly appreciated.

    Thanks.

    Monday, February 18, 2013 3:15 PM
  • What is the ADFS URL the SP redirects you to when going to the SP-initiated URL?

    MCPD

    Tuesday, February 19, 2013 12:18 PM
  • I haven't tried the SP-initiated SSO URL. I was only trying IdP-initiated SSO from ADFS to the SAML RP.

    Tuesday, February 19, 2013 4:04 PM
  • Shouldn't you use the

    https://ADFSSERVER/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=<SAML 2.0 RP Identifier>&whr=<Custom STS-CP Identifier>

    URL instead then?


    MCPD

    Tuesday, February 19, 2013 4:19 PM
  • I have tried that URL but it still takes me to the ADFS home realm discovery page. I'm trying to automate the HRD process using a URL so that ADFS will take me to the custom STS login page for login without presenting the HRD page.

    Tuesday, February 19, 2013 8:51 PM
  • Do you use the correct claims provider issuer URI in the whr parameter? You can find the required URI in the claims provider properties in the ADFS 2 GUI.

    MCPD http://nl.linkedin.com/in/tranet

    Tuesday, February 19, 2013 9:15 PM
  • I used the claims provider identifier because my custom STS has a name as its identifier, as opposed to a URI. Would that cause any issue?

    Wednesday, February 20, 2013 3:49 PM
  • You can go to the select home realm page and use the "view source" browser option. Check the values of the home realm select dropdown menu and use the desired value in the whr parameter. Sent from my mobile

    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Wednesday, February 20, 2013 5:30 PM
  • I have used the whr parameter to call the custom STS, with the right whr value taken from the view source of the home realm page, but I am getting the following error:

    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile

    Thursday, February 21, 2013 1:56 PM
  • Robin, have you ever happened to get the automated HRD working for Custom STS->ADFS->SAML 2.0 RP?

    Thursday, February 21, 2013 1:57 PM
  • Had it working once but can't remember if it was a SAML or WS-Fed application. However, I managed to modify HomeRealmDiscovery.aspx.cs numerous times to automate this process as follows:

    //------------------------------------------------------------
    // Copyright (c) Microsoft Corporation.  All rights reserved.
    //------------------------------------------------------------
    
    using System;
    
    using Microsoft.IdentityServer.Web.Configuration;
    using Microsoft.IdentityServer.Web.UI;
    using System.Data;
    using System.Configuration;
    using System.Collections;
    using System.Web;
    
    /// <summary>
    /// This page enables home realm discovery if this STS is configured to trust multiple claims providers.
    ///
    /// If the persistIdentityProviderInformation setting is enabled and the user has previously
    /// selected a claims provider, that claims provider will be used automatically.
    /// </summary>
    public partial class HomeRealmDiscovery : Microsoft.IdentityServer.Web.UI.HomeRealmDiscoveryPage
    {
        protected void Page_Init(object sender, EventArgs e)
        {
            PassiveIdentityProvidersDropDownList.DataSource = base.ClaimsProviders;
            PassiveIdentityProvidersDropDownList.DataBind();
        }
    
        protected void Page_Load(object sender, EventArgs e)
        {
            if (scenario)//You can detect the incoming request here to decide which CP to use
            {
                SelectHomeRealm("<CP URI>"); //You can add your custom STS here
            }
            else
            {
                SelectHomeRealm(@"");//This expression means use -this- STS
            }
        }
    
        protected void PassiveSignInButton_Click(object sender, EventArgs e)
        {
            SelectHomeRealm(PassiveIdentityProvidersDropDownList.SelectedItem.Value);
        }
    }
    

    Hope this helps.

    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Thursday, February 21, 2013 2:33 PM
  • If it's a SAML 2.0 Relying Party you'll need to use RelayState to get this to work... I've posted how this works using an IP-STS, RP-STS and SAML 2.0 RP in the link below.

    http://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-relaystate-in-adfs-2-0/

    Regards,

    Mylo

    Sunday, February 24, 2013 12:42 PM
  • I solved this problem using a querystring and a cookie, after having difficulty using the whr parameter and the rollup patch that says it fixed this issue.

    The following is from my blog at http://blog.sharepointsetup.com.

    This is a simple use case. I have ADFS 2.0 configured to SAML 2.0 authenticate to Concur SSO (previous posting) and this is working fine as an IDP-initiated SSO solution, except that the business users do not want to see a home realm selection screen on ADFS before logging on to Concur.

    This could very well happen at any organization. It's a user experience issue. Now granted, once you select the realm ADFS issues a cookie with a sliding expiration that you can configure, which will allow them to avoid selecting a realm on each use, but that is not the issue I am tasked to solve.

    After much thought and a review of mostly useless information on the web, I prescribed and successfully implemented this solution. Just in case you are wondering, the Microsoft stance on this is to open the /adfs/ls path in Visual Studio as a web site and modify as needed.

    First I opened the IdpInitiatedSignOn.aspx.cs (code-behind file) and located the Page_Init function. Within the Not Empty or Null "if" statement I added a cookie injection routine as noted below and saved the page. Now to use this, all the user has to do is update the source link for the IdpInitiatedSignOn.aspx page to not only include a querystring variable called "loginToRp" but also add "HomeRealm". In my case, and to make it flexible, I said to set it to "default" so the URL looked like ...?loginToRp=concur&HomeRealm=default .

    protected void Page_Init( object sender, EventArgs e )
    {
        string rpIdentity = Context.Request.QueryString[RpIdentityQueryParameter];

        //
        // If the query string specified a certain relying party, sign in to that relying party.
        //
        if ( !String.IsNullOrEmpty( rpIdentity ) )
        {
            string decodedIdentity = Server.UrlDecode( rpIdentity );
            if ( decodedIdentity == IdpAsRpIdentifier )
            {
                decodedIdentity = String.Empty;
            }

            // Set cookie for Home Realm Discovery from the extra "HomeRealm" query string value
            string HomeRealm = Context.Request.QueryString["HomeRealm"];
            if ( !String.IsNullOrEmpty( HomeRealm ) )
            {
                Response.Cookies["CompanyADFS"]["HomeRealm"] = HomeRealm;
                Response.Cookies["CompanyADFS"].Expires = DateTime.Now.AddDays(1d);
            }

            // Sign in with the decoded identity (the original passed the raw rpIdentity, leaving decodedIdentity unused)
            SignIn( decodedIdentity, new SignOnRequestParameters() );
        }
        else
        {
            PopulateConditionalVisibilityControls();
            RelyingPartyDropDownList.DataSource = RelyingParties;
            RelyingPartyDropDownList.DataBind();

            UpdateText();
        }
    }

    This sets a cookie called CompanyADFS (obviously I used the company's real name) with a HomeRealm property set to default.
    I then opened the HomeRealmDiscovery.aspx.cs file and added a completely new Page_Load function as shown below.

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only auto-select when the IdpInitiatedSignOn page set the CompanyADFS cookie
        if (Request.Cookies["CompanyADFS"] != null)
        {
            if (Request.Cookies["CompanyADFS"]["HomeRealm"] == "default")
            {
                // Same action as the user clicking the sign-in button with the first (default) entry selected
                SelectHomeRealm( PassiveIdentityProvidersDropDownList.SelectedItem.Value );
            }
        }
    }

    This function allows the page to load normally unless there is a cookie called CompanyADFS. In the case that the cookie exists, it checks to see if it has HomeRealm set to default and, if so, executes the SelectHomeRealm function, which is the exact same thing that happens when the user clicks the button. In this case I only implemented a solution for the default home realm, which in ADFS is the company's Active Directory, but this same approach could be used to select a value by passing the URN of the provider from the drop down box value list. You can get this list by viewing the source of the page when it is executed.

    Thursday, April 11, 2013 3:22 AM
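    An added example, not code from this thread or from Microsoft's ADFS sample pages, that combines the two approaches above (the "scenario" placeholder in Robin's Page_Load and the CompanyADFS cookie): the home realm hint is taken from the cookie, or from an assumed "HomeRealm" query parameter, and SelectHomeRealm is only called with a value that is actually bound in the claims provider dropdown, so a client-supplied hint cannot redirect the user to a realm that is not configured. Cookie name, sub-key and the "default" convention follow the post above; treating "default" as the first list entry is an assumption.

    ```csharp
    using System;
    using System.Web;
    using System.Web.UI.WebControls;
    using Microsoft.IdentityServer.Web.UI;

    public partial class HomeRealmDiscovery : Microsoft.IdentityServer.Web.UI.HomeRealmDiscoveryPage
    {
        // Names follow the thread's cookie solution; the query parameter name is an assumption.
        private const string HrdCookieName = "CompanyADFS";
        private const string HrdSubKey = "HomeRealm";
        private const string HrdQueryParameter = "HomeRealm";

        protected void Page_Init(object sender, EventArgs e)
        {
            // Same binding as the stock page: the dropdown values are the configured CP identifiers.
            PassiveIdentityProvidersDropDownList.DataSource = base.ClaimsProviders;
            PassiveIdentityProvidersDropDownList.DataBind();
        }

        protected void Page_Load(object sender, EventArgs e)
        {
            if (IsPostBack) return; // the button handler deals with a user's explicit choice

            // Hint from the query string first, then from the cookie set by IdpInitiatedSignOn.aspx.cs.
            string hint = Request.QueryString[HrdQueryParameter];
            if (String.IsNullOrEmpty(hint))
            {
                HttpCookie cookie = Request.Cookies[HrdCookieName];
                if (cookie != null) hint = cookie[HrdSubKey];
            }
            if (String.IsNullOrEmpty(hint)) return; // no hint: render the normal HRD page

            string realm = ResolveRealm(hint);
            if (realm != null) SelectHomeRealm(realm);
            // An unknown hint falls through to the dropdown instead of redirecting anywhere.
        }

        // Map a client-supplied hint onto a bound dropdown value; null means "not a configured CP".
        // "default" (assumption) selects the first entry, i.e. this ADFS instance's own directory.
        private string ResolveRealm(string hint)
        {
            ListItemCollection items = PassiveIdentityProvidersDropDownList.Items;
            if (items.Count == 0) return null;
            if (String.Equals(hint, "default", StringComparison.OrdinalIgnoreCase)) return items[0].Value;
            ListItem match = items.FindByValue(hint);
            return match == null ? null : match.Value;
        }

        protected void PassiveSignInButton_Click(object sender, EventArgs e)
        {
            SelectHomeRealm(PassiveIdentityProvidersDropDownList.SelectedItem.Value);
        }
    }
    ```

    The hint values themselves are the CP identifiers visible in the page source of the HRD dropdown, as suggested earlier in the thread, so a wrong whr-style value simply leaves the user on the selection page.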
  • Hey Dude,

    great solution, but only one thing I couldn't figure out;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (scenario)//You can detect the incoming request here to decide which CP to use
        {
            SelectHomeRealm("<CP URI>"); //You can add your custom STS here
        }
        else
        {
            SelectHomeRealm(@"");//This expression means use -this- STS
        }
    }

    What is the if(scenario)?

    Thx,

    Friday, August 09, 2013 10:15 PM