Comments (17)
The browser should redirect from the IdP back to the fed gateway - and then back to the RP. Are you sure all return URLs are configured correctly?
from identityserver2.
Here are my current settings. Hopefully I give you all the relevant ones. (fyi these instances are all running on my local machine along with my client app which is at http://localhost:7728/):
IdP - Relying Party settings:
- Enabled: true
- Display Name: MVC test app
- Realm/Scope Name: http://localhost:7728/
- Redirect URL: http://localhost:7728/
Fed Gateway - Relying Party Settings:
- Enabled: true
- Display Name: MVC test app
- Realm/Scope Name: http://localhost:7728/
- Redirect URL: http://localhost:7728/
Fed Gateway - Identity Provider settings:
- Identifier: IdSrv_IP1
- Display Name: IdSrv_IP1
- Enabled: true
- Include in Home Realm Discovery: true
- Type: WSStar
- WS-Federation Endpoint: https://localhost/IdSrv_IP1/issue/wsfed
Currently my Fed Gateway's Site ID under the General Configuration is set to http://www.google.com which I did just for grins while trying to figure out the correct settings. And after I submit my username and password to the IdP it eventually tries to redirect to google.com
Not sure if it is useful but the url in the browser on the IdP before I submit my username and password is as follows:
https://localhost/IdSrv_IP1/account/signin?ReturnUrl=%2fIdSrv_IP1%2fissue%2fwsfed%3fwa%3dwsignin1.0%26wtrealm%3dhttp%253a%252f%252fwww.google.com%252f&wa=wsignin1.0&wtrealm=http%3a%2f%2fwww.google.com%2f
from identityserver2.
The IdP RP return URL must point the WS-Fed endpoint of the Fed Gateway.
The Fed Gateway IdP WS-Fed endpoint must point to the ws-fed endpoint of your IdP
from identityserver2.
Ok I've changed my IdP RP return url to point to the WS-Fed endpoint of the Fed Gateway. Now its settings look like the following:
IdP - Relying Party settings:
Enabled: true
Display Name: Fed Gateway
Realm/Scope Name: http://localhost:7728/
Redirect URL: https://localhost/WebSite/issue/wsfed
Looks like my Fed Gateway settings already matched what you stated.
It still seems to redirect to the value stored in the Site ID setting under the General Configuration of the Fed Gateway. Should there ever be a reason the General Config Site ID setting is used to redirect?
Could this be related to how I set my clients reference to the Fed Gateway? I did that by using the Identity and Access wizard in VS 2012 and initially setting the Path to the STS metadata doc setting to the Fed Gateways metadata doc (which in my case was https://localhost/website/FederationMetadata/2007-06/FederationMetadata.xml). Then I tweaked the clients web.config settings to point to https://localhost/WebSite/issue/hrd, the Home Realm Discovery Endpoint instead of https://localhost/WebSite/issue/wsfed which was the generated value for the wsfed endpoint.
from identityserver2.
There should be no case where the Issuer URI is used for a redirect - make sure you have configured return URLs everwhere... and maybe start using proper realm/app names - it would be less confusing...
from identityserver2.
Hello,
I have exactly the same problem. I'm wondering if all this isn't happening because of the following method :
private ActionResult RedirectToIdentityProvider(IdentityProvider identityProvider, SignInRequestMessage request)
{
var message = new SignInRequestMessage(new Uri(identityProvider.WSFederationEndpoint), ConfigurationRepository.Global.IssuerUri);
SetContextCookie(request.Context, request.Realm, identityProvider.WSFederationEndpoint);
return new RedirectResult(message.WriteQueryString());
}
By commenting out the first line and putting this line instead everything works for me .
var message = new SignInRequestMessage(new Uri(identityProvider.WSFederationEndpoint), request.Realm);
Note : I changed the RP Redirect URL back to the the same value as the realm (not the WS-Fed endpoint), I received an exception because of this after changing the code.
Please advise if these changes are OK and no other functionality is affected.
from identityserver2.
but request.Realm is the realm of the RP - when going to an upstream IdP - the realm must be the issuer URI for the fed-gateway.
So i still think you have somehow messed up the return URLs somewhere in the chain.
from identityserver2.
So what I think is going is this:
When the Fed-Gateway redirects to the IdP it sends its issuer URI as the realm - which is btw totally correct.
On the IdP you don't have a return URL for this realm configured - so IdSrv will use the realm URI to redirect - which would explain why you see a redirect to the issuer URI.
Use the /issue/hrd endpoint as the return URL on the IdPs. If this is still not solving the issue, I need to repro.
correct?
from identityserver2.
Thank you for the quick answer, I will come back with a response in a few days, I have also some other issues which I need to figure out. I still have to document myself to understand the whole process.
from identityserver2.
I too really appreciate your quick responses.
At this point I now have my redirect url on the IdP's Relying Party setting set to the /issue/hrd endpoint. This is the return URL you are talking about, correct?
My other settings are the same as I stated before.
With these settings in place, my browser still gets redirected to the Site ID (IssuerUri) of the gateway after I submit my credentials. Not sure if it should affect anything but I am doing this all locally. So my client, Fed Gateway and IdPs are all local.
Thanks again for your help and patience.
from identityserver2.
OK - I must repro that exact scenario myself. I am pretty sure it works since I have a similar scenario with ADFS here.
Maybe it's a same machine issue..
This will take some days, I am pretty busy right now.
from identityserver2.
I'll try and get this up on a server or two in the meantime and see if that resolves it. Thanks.
from identityserver2.
I am still seeing this issue when I moved the Fed Gateway and IdP to a seperate server. I have redirect url's set on relying party setting. I'll have to continue to do more research.
from identityserver2.
Hello, after understanding the process I have managed to set up federation between two identity servers on localhost.
Here are the right configurations :
-
First IdS (Federated Gateway) - https://localhost/FirstIdentityServer/
-> General Configuration
Site ID : https://localhost/FirstIdentityServer/
-> Identity ProviderIdentifier : SecondIdentityServer
Enabled : true
Include in Home Realm Discovery : true
Type : WSStar
WS-Federation Endpoint : https://localhost/SecondIdentityServer/issue/wsfed/
Issuer Thumbprint : Thumbrint for Certificate used by Second IdS
-> Relying Party
Enabled : true
DisplayName : First Relying Party
Realm/Scope Name : http://localhost:port/FirstRP/
Redirect URL : http://localhost:port/FirstRP/
- Second IdS - https://localhost/SecondIdentityServer
-> Relying Party
Enabled : true
DisplayName : First IdS (Federated Gateway)
Realm/Scope Name : https://localhost/FirstIdentityServer/
Redirect URL : https://localhost/FirstIdentityServer/issue/hrd
- Web Config - http://localhost:port/FirstRP/
The clue was to understand the path of the token : Web App -> First Ids (Fed Gateway) -> Second Ids -> First IdS (Fed Gateway) -> Web App.
Now I have to do claims transformations when the token is passed back from Second IdS -> First IdS (Fed Gateway), Dominick can you please provide a hint where would be the best place to do this? In you first demo "Video: Federation and Home Realm Discovery" you mention about a next demo where you demonstrate this,have you managed to create this demo?
Thank you for considering my request.
from identityserver2.
Great!
Have a look at IClaimsTransformationRulesRepository. There is a default implementation called PassThruTransformationRuleRepository.
You can provide your own implementation and register it in repositories.config.
from identityserver2.
Thanks for posting your configurations @gistvan. Looks like my issue was my IdPs Relying Party Realm/scope name value. I originally had it set to the client apps realm and after looking at what you had, I realized it needed to be set to the Fed Gateway's value. It appears to work after doing that. Thanks for your help guys.
from identityserver2.
Great! I will close this issue.
from identityserver2.
Related Issues (20)
- How to redirect to a custom page on WS Federation signout in MVC app
- ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key
- Link and GitHub Pages broken
- Federation with External Identity Providers HOT 1
- Disable SSL and Mixed Mode Security
- User Roles in a Azure AD SSO Scenario
- Missing "Role" as a claim in SharePoint server
- Pass whr to Identity Provider HOT 2
- Win10 AAD sign in - unsupported GET for WS-Trust MEX
- Redirects to /account/signin HOT 1
- Could not find a base address that matches scheme http for the endpoint with binding CertificateWSTrustBinding
- IdentityServer v2 HOT 1
- Thinktecture.IdentityModel.45 is not in git
- login loop
- 'ClaimsIdentity.BootstrapContext' could not be mapped
- WIF10201: No valid key mapping found for securityToken
- "Authorization for token issuance failed because the user is anonymous" when calling service from console client.
- IdentityServer2 integration with PingFederate using WS-Federation protocol HOT 1
- Clustering IdentityServer v2 for high availability
- Disappearing Client Secret HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from identityserver2.