带有ADFS服务器的Azure ACS

Question

We have a scenario where we have a single application that will be accessed from our organization and also accessed from a outside organization. We will be hosting this web application in azure. I am using MVC 5 with the Owin WSFederation Middleware. I can connect to my Local ADFS Server and it works as expected.

           app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = "https://localhost:44321/",
                MetadataAddress = "https://sso2.xxxxx.com/FederationMetadata/2007-06/FederationMetadata.xml"
            });

When I use ACS as the Main STS and set up our ADFS server as an IDP, it routes to the correct ADFS login page, but once I authenticate I get this error

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509RawDataKeyIdentifierClause(RawData = MIIC4DCCAc...'. Ensure that the SecurityTokenResolver is populated with the required key.

           app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = "https://localhost:44321/",
                MetadataAddress = "https://xxxxxxxx.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"
            });

I feel like this is an issue because the Federated metadata contains the key for the signature and since the owin middleware only has the metadata from the ACS the signer can't be determined.

Thoughts?

Answer 1

Is the realm configured in ACS?

If I was implementing this, then i would probably use ADFS instead of ACS for my Home Realm Discovery because ACS is on it's way out.

I would configure Azure as an additional Claims provider in ADFS and only have my application using ADFS.

You also get a little more control around what the HRD pages look like.