We've done SAML-based SP-initiated SSO with a number of customers, and it's all been ok (eventually).

We've got a customer now who's using ADFS. We can get IdP-initiated to work fine, but with SP-initiated they get an error:

Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust '[BASE-URI]' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

I'm not at all familiar with ADFS. Googling said we need a relying trust URL, so I found an example online and after some C&P, here's mine: trust.xml. The ADFS config was updated with the URL for this file.

This doesn't seem to make any difference, which makes me think one of the following:

  1. The ADFS configuration isn't right
  2. The trust.xml file isn't right, so ADFS isn't getting what it needs
  3. Something else that I'm not even aware of

Any pointers / suggestions would be gratefully received.

  • Not sure what's causing this, but the section on [ADFS issues](https://github.com/jdennis/mod_auth_mellon/blob/adfs-doc/doc/user_guide/mellon_user_guide.adoc#microsoft-adfs-issues) in the draft mod_auth_mellon user guide lists a few common problems, with links to more information. – Andrew Schulman Feb 28 '18 at 14:36
  • Are you able to access the ADFS server? If so, can you check how the relying party was setup there? You can run `Get-ADFSRelyingPartyTrust` and share the output in this question. – Chun Liu Feb 28 '18 at 15:40
  • Have you compared your setup with what's in the ADFS metadata? – rbrayb Feb 28 '18 at 18:58
  • Thanks for the Get-ADFSRelyingPartyTrust suggestion. The guy on the other side tweaked the ADFS config, but still we're getting IdP-initiated working, but SP-initiated not. The customer has given up for the moment, since we had another option. – Elbin Mar 02 '18 at 13:16
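MSIS7007 on an SP-initiated flow means ADFS could not map the request to a relying party trust; the first thing to compare is the `<saml:Issuer>` the SP sends in its AuthnRequest against the identifiers on the trust (the `Identifier` property that `Get-ADFSRelyingPartyTrust` prints). Below is an added Python example, not code from the question or from ADFS, that decodes an HTTP-Redirect `SAMLRequest` and does that comparison; the hostnames and the sample request are constructed, and exact string matching is a simplification of ADFS's own logic.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_redirect_request(samlrequest_param: str) -> str:
    """HTTP-Redirect binding carries the XML as raw DEFLATE, then base64."""
    raw = base64.b64decode(samlrequest_param)
    return zlib.decompress(raw, -15).decode("utf-8")  # -15 = raw deflate, no header

def encode_redirect_request(xml: str) -> str:
    """Inverse of decode_redirect_request; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def issuer_of(authn_request_xml: str) -> str:
    """Return the <saml:Issuer> of an AuthnRequest, or raise if it is missing."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer; ADFS cannot select a trust")
    return issuer.text.strip()

def check_trust(redirect_url: str, trust_identifiers) -> dict:
    """Compare the request Issuer with the trust identifiers by exact string match.

    Exact comparison is a simplification of what ADFS does, but a trailing
    slash or scheme difference is a common reason for MSIS7007."""
    params = parse_qs(urlsplit(redirect_url).query)
    issuer = issuer_of(decode_redirect_request(params["SAMLRequest"][0]))
    return {"issuer": issuer, "matches": issuer in set(trust_identifiers)}

# Constructed sample (hypothetical hostnames): the SP sends an Issuer with a
# trailing slash, while the trust in ADFS was registered without one.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2018-02-28T14:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    "<saml:Issuer>https://sp.example.com/saml/</saml:Issuer>"
    "</samlp:AuthnRequest>"
)
SAMPLE_URL = "https://adfs.example.com/adfs/ls/?" + urlencode(
    {"SAMLRequest": encode_redirect_request(SAMPLE_XML)})
CONFIGURED_IDENTIFIERS = ["https://sp.example.com/saml"]
```

Run `check_trust(SAMPLE_URL, CONFIGURED_IDENTIFIERS)` against a captured redirect URL and the identifiers reported by `Get-ADFSRelyingPartyTrust`; a `matches: False` result with a near-identical issuer is the mismatch to fix on one side or the other.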
