Wednesday, April 18, 2012

ADFS : Problems with SAML and domains


Busy testing a 3rd party SAML provider and getting it to integrate with ADFS.

First tried it on my dev. PC using https://mypc/3rdparty.

All well and good – tick that one off – but then I needed to test it from outside of the dev. domain i.e.

Firstly, got the error:

“MSIS3020: The relying party trust with identifier 'https://xxx/sp' could not be located.”

OK, so off to the RP properties config. in ADFS.

Click on the “Identifiers” tab.

Click on the existing RP identifier and then click “Remove”. This puts the URL in the “Add” box where you can add the “” piece and then click “Add”

So now you have two identifiers; one without the domain and one with.

Ok – lets try that again.

Get the error:

“The request specified an Assertion Consumer Service URL 'https://xxx/sp…' that is not  configured on the relying party 'https://xxx/sp'.

User Action
Use the AD FS 2.0 Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.”

Mr Google leads to this: AD FS 2.0: "The request specified an Assertion Consumer Service URL that is not configured on the relying party"

and states:

“There are two options:
1. Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest
2. Configure the RP to send a AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.”

Hmmm – 1 is not an option because it’s a 3rd party product.

Went with 2.

In the RP properties config. in ADFS.

Click on the “Endpoints” tab.

Under “SAML Assertion Consumer Endpoints”:

In my case there were two with bindings for POST and Artifact.

Click on “Edit”, copy the URL, then click on “Add”. Fix the domain, select the binding and an index number that’s not used.

When I finished I had four entries, two POSTS bindings and Artifact bindings.

And then, verily, it all just worked.



Anonymous said...

hi there. i am getting this same error. what url did you copy to create the new endpoint, and also was it for POST only or all of the options?

nzpcmad said...

As the article says, "Click on “Edit”, copy the URL, then click on “Add”." So I just used the existing configured URL. If I recall correctly, I did it for both Post and Artifact.

Anonymous said...

Thanks for your article, worked for me!