
Error getting security token from adfs server

To authenticate against ADFS and examine the claims, I wish to get a security token from the ADFS server. However, the example code that I am working with always generates an error when requesting the token. The example code is as follows:

    // Fields assumed to exist elsewhere in the class (not shown in the original snippet):
    //   adfsEndpoint - WS-Trust 1.3 username endpoint, e.g. "https://<adfs-host>/adfs/services/trust/13/usernamemixed"
    //   realm        - the relying party identifier; must match a relying party trust configured in ADFS
    //   username / password - the credentials presented to ADFS
    private static SecurityToken RequestSamlToken()
    {
        // WS-Trust 1.3 over TLS, with the user name/password carried inside the message.
        var factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(adfsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        // Ask ADFS to issue a bearer token scoped to the relying party named in AppliesTo.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(realm)
        };

        return factory.CreateChannel().Issue(rst);
    }

I am getting the following error:

An unhandled exception of type 'System.ServiceModel.FaultException' occurred in System.ServiceModel.dll Additional information: ID3082: The request scope is not valid or is unsupported .

Is there any configuration missing in the ADFS server that disallows serving tokens? Another snippet of code that uses IdP-initiated logon works to generate the SAML token. The ADFS properties are as follows:

AcceptableIdentifiers                      : {}
AddProxyAuthorizationRules                 : exists([Type ==
                                             "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value
                                             == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type =
                                             "http://schemas.microsoft.com/authorization/claims/permit", Value =
                                             "true");
                                                         c:[Type ==
                                             "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
                                             Issuer =~ "^AD AUTHORITY$" ]
                                                                    => issue(store="_ProxyCredentialStore",types=("http
                                             ://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrust
                                             ManagerSid({0})", param=c.Value );
                                                         c:[Type ==
                                             "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid",
                                             Issuer =~ "^SELF AUTHORITY$" ]
                                                                    => issue(store="_ProxyCredentialStore",types=("http
                                             ://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrust
                                             Provisioned({0})", param=c.Value );
ArtifactDbConnection                       : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial
                                             Catalog=AdfsArtifactStore;Integrated Security=True
AuthenticationContextOrder                 : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password,
                                             urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,
                                             urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,
                                             urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
AutoCertificateRollover                    : True
CertificateCriticalThreshold               : 2
CertificateDuration                        : 365
CertificateGenerationThreshold             : 20
CertificatePromotionThreshold              : 5
CertificateRolloverInterval                : 720
CertificateSharingContainer                : CN=6b987b00-35ce-44d9-97c8-561b6f1ac3dd,CN=ADFS,CN=Microsoft,CN=Program
                                             Data,DC=sciemetricdev,DC=com
CertificateThresholdMultiplier             : 1440
ClientCertRevocationCheck                  : None
ContactPerson                              :
DisplayName                                : ADFS
IntranetUseLocalClaimsProvider             : False
ExtendedProtectionTokenCheck               : Allow
FederationPassiveAddress                   : /adfs/ls/
HostName                                   : *************.com
HttpPort                                   : 80
HttpsPort                                  : 443
TlsClientPort                              : 49443
Identifier                                 : http://*******.com/adfs/services/trust
InstalledLanguage                          : en-US
LogLevel                                   : {Errors, Information, Verbose, Warnings}
MonitoringInterval                         : 1440
NetTcpPort                                 : 1501
NtlmOnlySupportedClientAtProxy             : False
OrganizationInfo                           :
PreventTokenReplays                        : False
ProxyTrustTokenLifetime                    : 21600
ReplayCacheExpirationInterval              : 60
SignedSamlRequestsRequired                 : False
SamlMessageDeliveryWindow                  : 5
SignSamlAuthnRequests                      : False
SsoLifetime                                : 480
PersistentSsoLifetimeMins                  : 10080
KmsiLifetimeMins                           : 1440
PersistentSsoEnabled                       : True
PersistentSsoCutoffTime                    : 1/1/0001 12:00:00 AM
KmsiEnabled                                : False
LoopDetectionEnabled                       : True
LoopDetectionTimeIntervalInSeconds         : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes           : 60
SendClientRequestIdAsQueryStringParameter  : False
WIASupportedUserAgents                     : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
ExtranetLockoutThreshold                   : 2147483647
ExtranetLockoutEnabled                     : False
ExtranetObservationWindow                  : 00:30:00

It looks like you did not create a Relying Party in your ADFS for the URL that you pass in the rst.AppliesTo property (the realm variable in your code).

Tokens that you receive from the ADFS are not universal, they are only good for accessing the specific server that you pass in that property of the request. Even for the same user identity, if you need to access another server, you'd need to get another token from the ADFS.

Also, you will not be able to examine the claims in the application that requested the token. You need to pass the token to the server and have the server show you the claims.

Here's a sample of such a server app: http://blogs.technet.com/b/tangent_thoughts/archive/2015/02/20/install-and-configure-a-simple-net-4-5-sample-federated-application-samapp.aspx
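As an added example (not part of the answer above or the questioner's project), this is the ADFS-side fix the answer describes, written with the ADFS PowerShell module: create a relying party trust whose identifier is exactly the realm the client puts in AppliesTo, scope the issued claims to what the application needs, and confirm that the WS-Trust 1.3 username endpoint the client binding targets is enabled. The realm value and the trust name are placeholders.

```powershell
# Added example, not from the original question or answer.
# Run on the ADFS server with the ADFS PowerShell module (Windows Server 2012 R2 or later).
# $realm must be byte-for-byte the URI the client puts in RequestSecurityToken.AppliesTo.
$realm = "https://app.example.com/"   # placeholder: the application's realm / identifier

# Issuance transform rules: issue only the claims the application actually needs.
# Here the user's UPN is looked up in Active Directory.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: permit all authenticated users.
# In production, restrict this to the AD group that should reach the application.
$authzRules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Per the answer, ID3082 means no relying party trust matched AppliesTo; this creates that trust.
Add-AdfsRelyingPartyTrust -Name "Sample App (placeholder)" `
    -Identifier $realm `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the trust resolves for the exact realm string the client will send.
Get-AdfsRelyingPartyTrust -Identifier $realm | Select-Object Name, Identifier, Enabled

# The client's UserNameWSTrustBinding with TransportWithMessageCredential and WS-Trust 1.3
# corresponds to the usernamemixed endpoint; make sure it is enabled on this server.
$ep = Get-AdfsEndpoint -AddressPath "/adfs/services/trust/13/usernamemixed"
if (-not $ep.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/usernamemixed"
    Restart-Service adfssrv   # endpoint changes take effect after the ADFS service restarts
}
```

After this, the client code from the question should receive a bearer token scoped to $realm; a token for any other relying party still requires a separate request, as the answer notes.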
