Configuration for IdSrv Identity Provider with IdSrv as Federated Gateway about identityserver2 HOT 17 CLOSED

The browser should redirect from the IdP back to the fed gateway - and then back to the RP. Are you sure all return URLs are configured correctly?

from identityserver2.

Here are my current settings. Hopefully I give you all the relevant ones. (fyi these instances are all running on my local machine along with my client app which is at http://localhost:7728/):

IdP - Relying Party settings:

• Enabled: true
• Display Name: MVC test app
• Realm/Scope Name: http://localhost:7728/
• Redirect URL: http://localhost:7728/

Fed Gateway - Relying Party Settings:

• Enabled: true
• Display Name: MVC test app
• Realm/Scope Name: http://localhost:7728/
• Redirect URL: http://localhost:7728/

Fed Gateway - Identity Provider settings:

• Identifier: IdSrv_IP1
• Display Name: IdSrv_IP1
• Enabled: true
• Include in Home Realm Discovery: true
• Type: WSStar
• WS-Federation Endpoint: https://localhost/IdSrv_IP1/issue/wsfed

Currently my Fed Gateway's Site ID under the General Configuration is set to http://www.google.com which I did just for grins while trying to figure out the correct settings. And after I submit my username and password to the IdP it eventually tries to redirect to google.com

Not sure if it is useful but the url in the browser on the IdP before I submit my username and password is as follows:
https://localhost/IdSrv_IP1/account/signin?ReturnUrl=%2fIdSrv_IP1%2fissue%2fwsfed%3fwa%3dwsignin1.0%26wtrealm%3dhttp%253a%252f%252fwww.google.com%252f&wa=wsignin1.0&wtrealm=http%3a%2f%2fwww.google.com%2f

from identityserver2.

The IdP RP return URL must point the WS-Fed endpoint of the Fed Gateway.

The Fed Gateway IdP WS-Fed endpoint must point to the ws-fed endpoint of your IdP

from identityserver2.

Ok I've changed my IdP RP return url to point to the WS-Fed endpoint of the Fed Gateway. Now its settings look like the following:

IdP - Relying Party settings:

Enabled: true
Display Name: Fed Gateway
Realm/Scope Name: http://localhost:7728/
Redirect URL: https://localhost/WebSite/issue/wsfed

Looks like my Fed Gateway settings already matched what you stated.

It still seems to redirect to the value stored in the Site ID setting under the General Configuration of the Fed Gateway. Should there ever be a reason the General Config Site ID setting is used to redirect?

Could this be related to how I set my clients reference to the Fed Gateway? I did that by using the Identity and Access wizard in VS 2012 and initially setting the Path to the STS metadata doc setting to the Fed Gateways metadata doc (which in my case was https://localhost/website/FederationMetadata/2007-06/FederationMetadata.xml). Then I tweaked the clients web.config settings to point to https://localhost/WebSite/issue/hrd, the Home Realm Discovery Endpoint instead of https://localhost/WebSite/issue/wsfed which was the generated value for the wsfed endpoint.

from identityserver2.

There should be no case where the Issuer URI is used for a redirect - make sure you have configured return URLs everwhere... and maybe start using proper realm/app names - it would be less confusing...

from identityserver2.

Hello,

I have exactly the same problem. I'm wondering if all this isn't happening because of the following method :

private ActionResult RedirectToIdentityProvider(IdentityProvider identityProvider, SignInRequestMessage request)
{
var message = new SignInRequestMessage(new Uri(identityProvider.WSFederationEndpoint), ConfigurationRepository.Global.IssuerUri);
SetContextCookie(request.Context, request.Realm, identityProvider.WSFederationEndpoint);

        return new RedirectResult(message.WriteQueryString());
    }

By commenting out the first line and putting this line instead everything works for me .

var message = new SignInRequestMessage(new Uri(identityProvider.WSFederationEndpoint), request.Realm);

Note : I changed the RP Redirect URL back to the the same value as the realm (not the WS-Fed endpoint), I received an exception because of this after changing the code.

Please advise if these changes are OK and no other functionality is affected.

from identityserver2.

but request.Realm is the realm of the RP - when going to an upstream IdP - the realm must be the issuer URI for the fed-gateway.

So i still think you have somehow messed up the return URLs somewhere in the chain.

from identityserver2.

So what I think is going is this:

When the Fed-Gateway redirects to the IdP it sends its issuer URI as the realm - which is btw totally correct.

On the IdP you don't have a return URL for this realm configured - so IdSrv will use the realm URI to redirect - which would explain why you see a redirect to the issuer URI.

Use the /issue/hrd endpoint as the return URL on the IdPs. If this is still not solving the issue, I need to repro.

correct?

from identityserver2.

Thank you for the quick answer, I will come back with a response in a few days, I have also some other issues which I need to figure out. I still have to document myself to understand the whole process.

from identityserver2.

I too really appreciate your quick responses.

At this point I now have my redirect url on the IdP's Relying Party setting set to the /issue/hrd endpoint. This is the return URL you are talking about, correct?

My other settings are the same as I stated before.

With these settings in place, my browser still gets redirected to the Site ID (IssuerUri) of the gateway after I submit my credentials. Not sure if it should affect anything but I am doing this all locally. So my client, Fed Gateway and IdPs are all local.

Thanks again for your help and patience.

from identityserver2.

OK - I must repro that exact scenario myself. I am pretty sure it works since I have a similar scenario with ADFS here.

Maybe it's a same machine issue..

This will take some days, I am pretty busy right now.

from identityserver2.

I'll try and get this up on a server or two in the meantime and see if that resolves it. Thanks.

from identityserver2.

I am still seeing this issue when I moved the Fed Gateway and IdP to a seperate server. I have redirect url's set on relying party setting. I'll have to continue to do more research.

from identityserver2.

Hello, after understanding the process I have managed to set up federation between two identity servers on localhost.

Here are the right configurations :

1. First IdS (Federated Gateway) - https://localhost/FirstIdentityServer/
   -> General Configuration
   Site ID : https://localhost/FirstIdentityServer/
   -> Identity Provider

   Identifier : SecondIdentityServer
   Enabled : true
   Include in Home Realm Discovery : true
   Type : WSStar
   WS-Federation Endpoint : https://localhost/SecondIdentityServer/issue/wsfed/
   Issuer Thumbprint : Thumbrint for Certificate used by Second IdS

-> Relying Party
Enabled : true
DisplayName : First Relying Party
Realm/Scope Name : http://localhost:port/FirstRP/
Redirect URL : http://localhost:port/FirstRP/

1. Second IdS - https://localhost/SecondIdentityServer

-> Relying Party
Enabled : true
DisplayName : First IdS (Federated Gateway)
Realm/Scope Name : https://localhost/FirstIdentityServer/
Redirect URL : https://localhost/FirstIdentityServer/issue/hrd

1. Web Config - http://localhost:port/FirstRP/

The clue was to understand the path of the token : Web App -> First Ids (Fed Gateway) -> Second Ids -> First IdS (Fed Gateway) -> Web App.

Now I have to do claims transformations when the token is passed back from Second IdS -> First IdS (Fed Gateway), Dominick can you please provide a hint where would be the best place to do this? In you first demo "Video: Federation and Home Realm Discovery" you mention about a next demo where you demonstrate this,have you managed to create this demo?

Thank you for considering my request.

from identityserver2.

Great!

Have a look at IClaimsTransformationRulesRepository. There is a default implementation called PassThruTransformationRuleRepository.

You can provide your own implementation and register it in repositories.config.

from identityserver2.

Thanks for posting your configurations @gistvan. Looks like my issue was my IdPs Relying Party Realm/scope name value. I originally had it set to the client apps realm and after looking at what you had, I realized it needed to be set to the Fed Gateway's value. It appears to work after doing that. Thanks for your help guys.

from identityserver2.

Great! I will close this issue.

from identityserver2.