Adding a relying party trust doesn't create an endpoint

  • Question

  • Hi,

    I seem to be struggling to get even the simple things working so I'm hoping someone can help.

    The issue:

    When I create a relying party trust in ADFS 2.0 and point it to the metadata for my website I get a warning: "Some of the content in the federation metadata was skipped because it is not supported by ADFS 2.0"

    The only option on the dialog is to ignore the warning and proceed; however, when I review the properties of the trust it creates, it hasn't created any endpoints for me.

    With no endpoints configured the ADFS server doesn't know where to return to, so I get an error when I run my website and try to authenticate.
    If I leave the option to "Monitor relying party" turned on I'm not allowed to manually add the endpoints.

    Seeing as this is a lab environment, the SSL certificates are self-issued.
    I thought it might be certificate related so I browsed to the metadata in IE from the ADFS 2.0 server and added the certificate to the trusted root certification authorities store.
    To work around the issue, I saved the XML from IE to a file and then imported that file using the wizard.  Again, it didn't create the endpoints for me, but because it's no longer monitoring the relying party's metadata it did allow me to add an endpoint manually.

    Having manually added the endpoint everything worked as expected.
    I know that might be good enough for some people, but I'm keen to understand what's wrong with my setup that it doesn't work automatically.
    I think my issue is more likely to be Visual Studio related; it would seem like it's generating invalid metadata.

    My setup:

    1 VM running Win2K8 and ADFS 2.0
    I installed ADFS 2.0 on a fresh Win2K8 server, the installation wizard took care of installing the .Net framework and IIS for me so I'm assuming that's all okay. Plus the fact everything works if I do the extra manual steps.

    1 PC running Windows 7, IIS and VS2012.
    The website is an ASP.Net MVC 4 site, built in VS2012 configured to run on a virtual directory on IIS (not on IIS express).

    All certificates are self-signed.
    Both machines are joined to the same domain.

    If I browse to the metadata for my relying party (website) this is what I see.

    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_17f4eb68-c6ce-4b74-b7a0-77144ffbf592" entityID="http://mymachine.mydomain.com/MyWebsite3/">
      <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
        <fed:TargetScopes>
          <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>
              http://mymachine.mydomain.com/MyWebsite3/
            </wsa:Address>
          </wsa:EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
          <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>
              http://mymachine.mydomain.com/MyWebsite3/
            </wsa:Address>
          </wsa:EndpointReference>
        </fed:PassiveRequestorEndpoint>
      </RoleDescriptor>
    </EntityDescriptor>


    That metadata was presumably generated by VS2012 by the wizard that appears when you click "Identity and access..."
    The version of VS2012 is 11.0.50727.1 RTMREL which comes with IdentityAndAccessVSPackage 1.0 pre-installed.


    Big thanks to anyone who can help with this.



    CA.


    Wednesday, November 14, 2012 11:03 AM

Answers

  • ADFS hates http - change the URLs to https.

    Normally you get an error when you type in the application metadata address using http - something like "Not secure connection".

    • Proposed as answer by paullem Wednesday, November 14, 2012 10:08 PM
    • Marked as answer by Chris_Anderson Thursday, November 15, 2012 9:56 AM
    Wednesday, November 14, 2012 7:55 PM
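    The check below is an added example, not code from the thread, VS2012 or ADFS. It parses WS-Federation relying party metadata like the EntityDescriptor posted in the question (embedded here as a constructed sample) and reports the defect the answer points at: an entityID or PassiveRequestorEndpoint that is plain http, which ADFS 2.0 will not import as a usable endpoint. It also offers a rewrite to https so the corrected file can be imported through the wizard. The element paths follow the namespaces in the posted metadata; the names check_metadata and rewrite_to_https are this example's own.

```python
"""Validate WS-Federation relying party metadata before importing it into ADFS.

Added example (not from the forum thread): parses an EntityDescriptor such as
the one in the question and flags endpoints that use http instead of https.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
# Keep the familiar prefixes (and the default namespace) when re-serialising.
ET.register_namespace("", NS["md"])
ET.register_namespace("fed", NS["fed"])
ET.register_namespace("wsa", NS["wsa"])

ENDPOINT_PATH = ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address"
SCOPE_PATH = ".//fed:TargetScopes/wsa:EndpointReference/wsa:Address"

# Constructed sample: the metadata from the question, http scheme throughout.
HTTP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_17f4eb68-c6ce-4b74-b7a0-77144ffbf592"
    entityID="http://mymachine.mydomain.com/MyWebsite3/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>
          http://mymachine.mydomain.com/MyWebsite3/
        </wsa:Address>
      </wsa:EndpointReference>
    </fed:TargetScopes>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>
          http://mymachine.mydomain.com/MyWebsite3/
        </wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def _is_https(url):
    return urlparse(url).scheme.lower() == "https"


def _to_https(url):
    """Switch an http URL to https; leave anything else untouched."""
    parts = urlparse(url)
    if parts.scheme.lower() == "http":
        parts = parts._replace(scheme="https")
    return parts.geturl()


def check_metadata(xml_text):
    """Return a list of findings; an empty list means the metadata passes."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID", "")
    if not _is_https(entity_id):
        findings.append(f"entityID is not https: {entity_id}")
    endpoints = root.findall(ENDPOINT_PATH, NS)
    if not endpoints:
        findings.append("no PassiveRequestorEndpoint: ADFS has no address to return the token to")
    for addr in endpoints:
        url = (addr.text or "").strip()  # the generated file pads the URL with whitespace
        if not _is_https(url):
            findings.append(f"PassiveRequestorEndpoint is not https: {url}")
    return findings


def rewrite_to_https(xml_text):
    """Return the metadata with entityID, target scopes and endpoints switched to https."""
    root = ET.fromstring(xml_text)
    root.set("entityID", _to_https(root.get("entityID", "")))
    for addr in root.findall(SCOPE_PATH, NS) + root.findall(ENDPOINT_PATH, NS):
        addr.text = _to_https((addr.text or "").strip())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_metadata(HTTP_METADATA):
        print("FAIL:", finding)
    print(rewrite_to_https(HTTP_METADATA))
```

    Rewriting the file is only half of the fix: the site itself has to be served over https, and the realm the site sends to ADFS (wtrealm) and the audience it accepts in returned tokens must use the same https identifier that ADFS holds for the trust, otherwise ADFS cannot match the request to the relying party it knows.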

All replies

  • A million thank-yous!!!

    It seems so obvious (now) but that 1 little letter ('s') made all the difference!

    Thanks again,

    CA.

    Thursday, November 15, 2012 9:57 AM