ACS not able to read the Federation metadata Url

Question
Hi,
I am working on passive federation through ACS with my AD as the identity provider. I have my AD federation metadata URL publicly accessible through the internet. The first time I try to access it I get the warning "The site's security certificate is not trusted!", and if I click Proceed anyway I am able to view the federation metadata XML. When I try to enter this URL in the http://portal.appfabriclabs.com portal for the identity provider I get the error "Unable to download WS-Federation metadata document from the specified URL."
If anyone knows the solution for this, please reply to me.
Thanks in Advance
Friday, March 25, 2011 6:04 AM
All replies
Hi,
ACS will validate the root certificate. For instance, the "FedUtil.exe" wizard has a step that allows you to indicate whether or not to validate the root certificate. When you try to add an ADFS v2 IdP to ACS, ACS mandates that the root certificate is validated.
I'm not sure if this will work, but you could try to put your certificate in the Trusted Root Certification Authorities store.
With regards,
Patriek
www.patriekvandorp.net
If this reply is of help to you, please don't forget to mark it as an answer.
Friday, March 25, 2011 9:45 AM
Given that the browser doesn't like the certificate, it sounds like your problem is that your SSL certificate is not valid, not trusted, or not issued to the appropriate subject for the host URL. Thankfully, ACS supports uploading federation metadata via the portal which should bypass this issue. Just access the metadata in the browser, dismiss the warning, select File, Save As... (important: do not attempt to copy/paste the XML out of the browser directly as this may cause whitespace changes which will break the signature), and save as an .xml file locally. Then, in the portal page to add an ADFS provider, select "upload metadata" and browse to the file.
Let me know if this works for you.
-Oren
- Proposed as answer by Oren Melzer (Microsoft employee) Friday, March 25, 2011 5:00 PM
- Marked as answer by Mog Liang Friday, April 1, 2011 9:14 AM
Friday, March 25, 2011 5:00 PM
Hi Oren,
I've tried your solution in the past and it did allow me to add the IdP to ACS, but I couldn't authenticate against the IdP. That's why I figured that, while adding the IdP to ACS, under the hood ACS mandates that the certificate's Root CA must be validated (more or less what FedUtil.exe allows you to choose). This implies that you can't use self-signed certificates unless you add them to the Trusted Root Certification Authorities store.
With regards,
Patriek
www.patriekvandorp.net
If this reply is of help to you, please don't forget to mark it as an answer.
Friday, March 25, 2011 7:57 PM
Patriek,
There are two related issues here: 1) the SSL certificate where the federation metadata is hosted, and 2) the signing certificate(s) present in the metadata itself. For #1, standard validation is used, meaning that it must be a valid SSL cert (i.e. correct EKU and subject) and issued by a trusted root CA. For #2, ACS will allow self-signed certificates as long as they're configured in ACS. If the certificate is not self-signed, however, it must chain to a trusted root.
-Oren
- Marked as answer by Allen Chen - MSFT Wednesday, April 27, 2011 6:20 AM
Monday, March 28, 2011 6:27 PM
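Oren's second point (issue #2: the signing certificates inside the metadata, self-signed ones being acceptable only when configured in ACS, CA-issued ones having to chain to a trusted root) can be checked offline before uploading a saved metadata file. The script below is an added example, not code from the thread or from ACS: it parses WS-Federation/SAML metadata for signing certificates and classifies each by the usual issuer-equals-subject test. The metadata document, the entityID and the certificate bytes are constructed samples (structure-only stand-ins, not real certificates), and a minimal DER walker is used so that no third-party X.509 library is assumed.

```python
import base64
import xml.etree.ElementTree as ET

def _tlv(data, pos=0):  # one DER TLV header -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length (real certs use it; the sample does not)
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, pos, pos + length

def is_self_signed(der):  # issuer Name == subject Name, byte-for-byte
    _, pos, _ = _tlv(der)                     # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, end = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE { [0] version?, ... }
    fields = []
    while pos < end:                          # collect (tag, value_start, value_end) per field
        tag, vs, pos = _tlv(der, pos)
        fields.append((tag, vs, pos))
    if fields[0][0] == 0xA0:                  # drop the optional EXPLICIT version
        fields = fields[1:]
    (_, i0, i1), (_, s0, s1) = fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject
    return der[i0:i1] == der[s0:s1]

def signing_cert_report(metadata_xml):  # what ACS requires of each signing cert in the metadata
    ds, md = "{http://www.w3.org/2000/09/xmldsig#}", "{urn:oasis:names:tc:SAML:2.0:metadata}"
    report = []
    for kd in ET.fromstring(metadata_xml).iter(md + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' is usable for signing
            continue
        for cert in kd.iter(ds + "X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))  # whitespace around base64 is harmless
            report.append("self-signed: configure it in ACS" if is_self_signed(der)
                          else "CA-issued: must chain to a trusted root")
    return report

# --- constructed sample data below: structure-only stand-ins for real X.509 certificates ---
def _enc(tag, content):  # minimal DER encoder for the sample (short-form length only)
    return bytes([tag, len(content)]) + content
def _name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue { id-at-commonName, PrintableString }
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, cn.encode()))))
def sample_cert(issuer_cn, subject_cn):  # empty signatureAlgorithm, validity, SPKI and signature
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"") +
           _name(issuer_cn) + _enc(0x30, b"") + _name(subject_cn) + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

CONSTRUCTED_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.test/adfs/services/trust">
 <RoleDescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 %s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><KeyDescriptor use="signing">
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </KeyDescriptor></RoleDescriptor></EntityDescriptor>""" % (
    base64.b64encode(sample_cert("ADFS Signing", "ADFS Signing")).decode(),     # self-signed
    base64.b64encode(sample_cert("Corp Issuing CA", "ADFS Signing")).decode())  # CA-issued
```

Run `signing_cert_report` over a metadata file saved as Oren describes (File, Save As...) to see which of the two rules applies to each signing certificate before adding the provider.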