I am trying to set up a sample: a web application that uses Active Directory log-on through Thinktecture IdentityServer 2.0.
Both Active Directory and Thinktecture IdentityServer are set up on the same machine.
I configured Thinktecture IdentityServer to use Active Directory Federation Services as the identity provider, and Thinktecture IdentityServer becomes a relying party trust.
When I request a log-on action from the web application, there are two errors which are logged on ADFS:
Because I don't have 10 reputation, I will mask the address "https://x.x.x.x/idsrv/" as idsrvAddress.
First: Event ID: 184
A token request was received for a relying party identified by the key 'idsrvAddress', but the request could not be fulfilled because the key does not identify any known relying party trust. Key: idsrvAddress
This request failed.
User Action If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.
Second: Event ID: 364
Encountered error during federation passive request.
Additional Data
Exception details: Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'idsrvAddress' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
Please help me with what I should do!
The question is old, but nobody answered, so I decided to share a hint. Microsoft.IdentityServer.Web.InvalidScopeException appeared in my case too, and the solution is to double-check ADFS for proper case (upper/lower) when specifying the Relying Party Identifier. This apparently is a bug in ADFS 3.0, which I am working with.
The above helped me to get rid of the error. You may, of course, face a different issue. :-)
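
One way to run the case check described in the answer, as an added example that is not part of the original posts: it compares the realm reported as "Key" in event 184 against configured relying party identifiers and reports whether they differ only by letter case or a trailing slash. The function name `Compare-RpIdentifier` and the `example.test` URLs are hypothetical, constructed values; `Get-AdfsRelyingPartyTrust` is the AD FS PowerShell cmdlet that lists the real identifiers.

```powershell
# Added example: classify how a requested realm (the "Key" in event 184)
# relates to each identifier configured on the AD FS relying party trusts.
function Compare-RpIdentifier {
    param(
        [Parameter(Mandatory)] [string]   $Requested,
        [Parameter(Mandatory)] [string[]] $Configured
    )
    foreach ($id in $Configured) {
        $result = if ($id -ceq $Requested) {
            'ExactMatch'                 # identical, including letter case
        } elseif ($id -ieq $Requested) {
            'CaseMismatch'               # same text, different upper/lower case
        } elseif ($id.TrimEnd('/') -ieq $Requested.TrimEnd('/')) {
            'TrailingSlashMismatch'      # differs by a trailing "/" (case ignored)
        } elseif ($Requested.StartsWith($id, [System.StringComparison]::Ordinal)) {
            'PrefixMatch'                # configured value is a case-exact prefix,
                                         # as the event 184 user action describes
        } else {
            'NoMatch'
        }
        [pscustomobject]@{
            Configured = $id
            Requested  = $Requested
            Result     = $result
        }
    }
}

# Constructed sample values (not taken from the question).
$requested  = 'https://sts.example.test/idsrv/'
$configured = @(
    'https://sts.example.test/IdSrv/',   # -> CaseMismatch
    'https://sts.example.test/idsrv',    # -> TrailingSlashMismatch
    'https://app.example.test/'          # -> NoMatch
)

Compare-RpIdentifier -Requested $requested -Configured $configured |
    Format-Table -AutoSize

# On the AD FS server, use the configured identifiers instead of the sample:
#   $configured = (Get-AdfsRelyingPartyTrust).Identifier
```

Any row reported as `CaseMismatch` or `TrailingSlashMismatch` points at an identifier to correct, either in the relying party trust or in the realm the application sends.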