ACS50008 when using a federated custom STS

    Question

  • Hi,

    I created a custom STS, the one that comes with WIF, then I went to the Windows Azure portal and created a new identity provider using the FederationMetadata.xml of the custom STS.

    When I select my custom STS as the IdP, I get the following error after providing the credentials:

    Message: ACS20001: An error occurred while processing a WS-Federation sign-in response.
    Inner Message: ACS50008: SAML token is invalid.
    Inner Message: ACS50008: Invalid SAML token. The issuer name is invalid.
    Trace ID: ff20853a-a286-4f3d-aa48-c8c108642de7
    Timestamp: 2011-07-08 10:23:47Z

    Can anyone help?

    Thanks

    TC


    TC
    Friday, July 08, 2011 10:57 AM

Answers

  • Please see http://acs.codeplex.com/discussions/242143:

    1. The Entity ID in the WS-Federation metadata will be the Issuer Name in ACS. Please make sure that the IssuerName in the WIF STS token matches this entity ID.

    2. The signing certificate should be in the WS-Federation metadata under the RoleDescriptor of type="fed:SecurityTokenServiceType". Make sure that the signing certificate you are using while generating the WIF token matches this.

    • Marked as answer by Wenchao Zeng Thursday, August 04, 2011 3:16 AM
    Monday, July 11, 2011 3:41 AM

All replies

  • Hi,

    Where can I check the issuer name in ACS? Is it the display name? Or must I use the object model to do the federation?

    Should the issuer name be "https://localhost:21443/" or PassiveSigninSTS? I debugged the request and the issuer name was PassiveSigninSTS.

    web.config

    <add key="IssuerName" value="PassiveSigninSTS" />

    FederationMetadata.xml

    <EntityDescriptor ID="_8bc5c36b-f416-47ee-a7d2-c21b134fbd16" entityID="https://localhost:21443/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

    The certificate I am using is the one that comes with the WIF SDK. Is there any problem with this?


    TC
    Monday, July 11, 2011 1:25 PM
  • We cannot check the issuer name in ACS. The issuer name is the entity ID. Please use "https://localhost:21443/" to see if it works?
    Tuesday, July 12, 2011 3:51 AM
  • He didn't say it clearly (he said it in support-ese):

    In web.config, make the issuer field "https://localhost:21443/".

    Then the assertion's issuer matches the entityID published in its metadata.

    I sometimes wonder if the STS projects were deliberately fouled with "educational" gotchas when interworking outside the sample, to force the student to think about the principles.

    Monday, April 15, 2013 4:07 PM
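The accepted answer lists two things ACS checks before it trusts a token from a custom STS (issuer name equals the metadata entityID; the token's signing certificate is one published under the SecurityTokenServiceType RoleDescriptor), and the last reply gives the concrete fix for the first one. The script below is an added example, not code from the thread, WIF or ACS: it performs both checks offline against a FederationMetadata.xml and a captured assertion, so the mismatch that produces ACS50008 shows up before the round trip through ACS. The metadata, the assertion skeletons and the "certificates" are constructed placeholders (the certificate bytes are not real X.509 data; only their SHA-1 thumbprints are compared), and the helper names are this example's own.

```python
"""Cross-check an STS's published WS-Federation metadata against the SAML
token it issues. Added example, not WIF/ACS code; all sample data is
constructed. Checks: (1) token issuer == metadata entityID, (2) the cert
in the token signature is a signing cert of the SecurityTokenServiceType
RoleDescriptor (compared by SHA-1 thumbprint of the DER bytes)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def thumbprint(b64_cert: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the 'thumbprint' form the
    Windows certificate store shows. Whitespace inside the base64 is ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def metadata_identity(metadata_xml: str) -> tuple[str, set[str]]:
    """Return (entityID, thumbprints of signing certs) from the RoleDescriptor
    of xsi:type fed:SecurityTokenServiceType. ACS takes entityID as the issuer
    name and trusts only signatures made with one of these certificates."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    thumbs: set[str] = set()
    for rd in root.findall("md:RoleDescriptor", NS):
        # xsi:type is prefixed; the prefix is arbitrary, so match on the local name
        if not rd.get(f"{{{NS['xsi']}}}type", "").endswith(":SecurityTokenServiceType"):
            continue
        for kd in rd.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":   # absent 'use' means both
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                thumbs.add(thumbprint(cert.text or ""))
    return entity_id, thumbs


def token_identity(token_xml: str) -> tuple[str, set[str]]:
    """Return (issuer, thumbprints of certs carried in ds:KeyInfo) for a SAML 1.1
    assertion (Issuer attribute, WIF's default) or SAML 2.0 (<Issuer> element)."""
    root = ET.fromstring(token_xml)
    issuer = root.get("Issuer")
    if issuer is None:
        el = root.find("saml2:Issuer", NS)
        issuer = (el.text or "").strip() if el is not None else ""
    thumbs = {thumbprint(c.text or "") for c in root.findall(".//ds:X509Certificate", NS)}
    return issuer, thumbs


def check(metadata_xml: str, token_xml: str) -> list[str]:
    """Findings that would make ACS reject the token; empty list means consistent.
    Issuer comparison is exact (scheme, host, port and trailing slash all count)."""
    entity_id, md_thumbs = metadata_identity(metadata_xml)
    issuer, tok_thumbs = token_identity(token_xml)
    findings = []
    if issuer != entity_id:
        findings.append(f"issuer mismatch: token says {issuer!r}, metadata entityID is {entity_id!r}")
    if not md_thumbs:
        findings.append("metadata publishes no signing certificate for SecurityTokenServiceType")
    elif not tok_thumbs & md_thumbs:
        findings.append(f"signing certificate mismatch: token {sorted(tok_thumbs)} not in metadata {sorted(md_thumbs)}")
    return findings


# Constructed placeholders: arbitrary bytes standing in for DER certificates.
STS_CERT_B64 = base64.b64encode(b"constructed STS signing cert, not real DER").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed unrelated cert, not real DER").decode()

# Constructed metadata in the shape WIF's FederationMetadata.xml uses.
METADATA = f"""<EntityDescriptor entityID="https://localhost:21443/"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{STS_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""


def saml11_token(issuer: str, cert_b64: str) -> str:
    """Constructed SAML 1.1 assertion skeleton with only the fields the check reads."""
    return f"""<saml:Assertion Issuer="{issuer}" MajorVersion="1" MinorVersion="1"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""


if __name__ == "__main__":
    # The thread's configuration: web.config IssuerName=PassiveSigninSTS
    for finding in check(METADATA, saml11_token("PassiveSigninSTS", STS_CERT_B64)):
        print("ACS50008 cause:", finding)
    # After the fix from the last reply: IssuerName equals the metadata entityID
    print("consistent:", check(METADATA, saml11_token("https://localhost:21443/", STS_CERT_B64)) == [])
```

Run it against the real FederationMetadata.xml and a token captured from the browser's POST to ACS (the wresult form field) to see which of the two checks fails; with the thread's IssuerName of PassiveSigninSTS only the issuer finding appears, and it disappears once the value is "https://localhost:21443/" exactly as published in the metadata.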