c# - Sometimes ADFS exception: ID1032 "At least one 'audienceUri' must be specified..."


I have a project that uses ADFS authentication in some cases. The configuration is read from a database, and the URLs differ from customer to customer, so there are many configuration options that I can't hard-code in web.config.

The problem is the following error:

ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'

But it doesn't always happen, and I can't reproduce it. This is pretty annoying, since I can't debug it as long as I can't reproduce it. Also, I'm not sure whether I did everything correctly. Maybe an ADFS expert can have a look at it.

(Trusts between the relying parties and the corresponding ADFS servers have been established, of course.)

Here is the code (only the interesting parts of it); please ask if anything is missing or unclear.

Some snippets from web.config:

    <system.webServer>
      <modules>
        <add name="WSFederationAuthenticationModule"
             type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             preCondition="managedHandler" />
        <add name="SessionAuthenticationModule"
             type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             preCondition="managedHandler" />
        <add name="ClaimsPrincipalHttpModule"
             type="Microsoft.IdentityModel.Web.ClaimsPrincipalHttpModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             preCondition="managedHandler" />
        <!-- ... -->
      </modules>
      <!-- ... -->
    </system.webServer>

    <microsoft.identityModel>
      <service>
        <securityTokenHandlers>
          <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler" />
          <add type="MyProject.MachineKeySessionSecurityTokenHandler" />
        </securityTokenHandlers>
        <federatedAuthentication>
          <wsFederation passiveRedirectEnabled="false"
                        issuer="https://fail/issuerendpoint"
                        realm="https://fail/federationresult"
                        homeRealm="https://fail"
                        requireHttps="true" />
        </federatedAuthentication>
      </service>
    </microsoft.identityModel>

Those "fail" values are overridden per request (see the Login() method below), but I have to specify them in web.config, so I chose to at least specify a valid URI. The default SessionSecurityTokenHandler had to be replaced because the service runs on multiple machines behind DNS round-robin (sharing the same machine key).

Then I have a class called AdfsTrustFilter that implements IAuthorizationFilter. I know it's a bit of overhead, but due to the project structure, the filter is used as a global filter on every request (with the lowest order value in the whole project). In the OnAuthorization method, the complete configuration is as follows:

    using System;
    using System.IdentityModel.Selectors;          // AudienceUriMode
    using System.ServiceModel.Security;            // X509CertificateValidationMode
    using System.Web.Mvc;
    using Microsoft.IdentityModel.Configuration;   // ServiceConfiguration
    using Microsoft.IdentityModel.Tokens;          // AudienceRestriction
    using Microsoft.IdentityModel.Web;             // FederatedAuthentication

    public sealed class AdfsTrustFilter : IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            // ...

            var fam = FederatedAuthentication.WSFederationAuthenticationModule;

            fam.ServiceConfiguration = new ServiceConfiguration
            {
                AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always),
                CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
                // MyIssuerNameRegistry checks whether the certificate fingerprint is known, among other things
                IssuerNameRegistry = new MyIssuerNameRegistry()
            };

            // Config.OwnPath contains "https://my.app.com/approot/"
            fam.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Config.OwnPath));
        }
    }

This code starts the authentication:

    public ActionResult Login()
    {
        // ...

        // again "https://my.app.com/approot/"
        string baseUrl = Config.OwnPath.TrimEnd('/') + "/";

        // ADFS endpoint of the customer, i.e. "https://identity.provider.net/adfs/ls/"
        string endpoint = Config.AdfsConfig.IdentityProvider.Endpoint;

        // the code behind FederationResult is shown below
        var signIn = new SignInRequestMessage(new Uri(endpoint), baseUrl + "/adfs/federationresult")
                     {
                         Context = baseUrl
                     };

        var url = signIn.WriteQueryString();

        return Redirect(url);
    }

And the FederationResult callback:

    public ActionResult FederationResult()
    {
        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
        HttpRequest request = System.Web.HttpContext.Current.Request;

        if (fam.CanReadSignInResponse(request, true))
        {
            var id = (IClaimsIdentity) User.Identity;

            //
        }

        // ...
    }

P.S.: The ADFS server was upgraded from 2008 R2 to 2012, which didn't change anything. The ADFS version is 2.0.

Since the exception says you need an audienceUri, start by adding one under

    <microsoft.identityModel>
      <service>
        <audienceUris>
          <add value="https://yourdomain/theaudienceuri" />
        </audienceUris>
      </service>
    </microsoft.identityModel>

The audienceUri is the URI that ADFS returns to the application. You can override the engine to accept arbitrary return results, but that doesn't change the fact that you indeed need at least one URI in the config.
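One thing the question's filter does that fits the "sometimes" symptom: it assigns a brand-new ServiceConfiguration (with AudienceUriMode.Always and an empty list) to the module first and adds the allowed audience only afterwards, so any request whose token is being validated in that window sees zero audience URIs, which is exactly ID1032; that is an inference from the code shown, not something the post confirms. The following is an added example, not code from the question or the answer, of building the complete configuration once through WIF's FederatedAuthentication.ServiceConfigurationCreated event instead of per request; it assumes the WIF 3.5 namespaces listed in the usings, a Global.asax code-behind, and the Config.OwnPath value and MyIssuerNameRegistry class from the question.

```csharp
using System;
using System.IdentityModel.Selectors;          // AudienceUriMode
using System.ServiceModel.Security;            // X509CertificateValidationMode
using System.Web;
using Microsoft.IdentityModel.Configuration;   // ServiceConfiguration
using Microsoft.IdentityModel.Tokens;          // AudienceRestriction (WIF 3.5 namespace, assumed)
using Microsoft.IdentityModel.Web;             // FederatedAuthentication

// Global.asax code-behind (assumed; the question does not show one).
public class Global : HttpApplication
{
    protected void Application_Start()
    {
        // WIF raises this event once, when it builds its configuration from
        // <microsoft.identityModel>, before any token is validated. Configuring here
        // instead of in a per-request filter means no request can observe a
        // configuration whose audience list has not been filled yet.
        FederatedAuthentication.ServiceConfigurationCreated += (sender, e) =>
        {
            ServiceConfiguration cfg = e.ServiceConfiguration;

            // Build the restriction completely before attaching it to the configuration.
            var restriction = new AudienceRestriction(AudienceUriMode.Always);

            // Config.OwnPath is "https://my.app.com/approot/" in the question. The list
            // must contain the value ADFS writes into the token's Audience element (the
            // relying-party identifier); if ADFS uses the realm that Login() sends as
            // wtrealm for that, list that realm here as well.
            restriction.AllowedAudienceUris.Add(new Uri(Config.OwnPath));

            cfg.AudienceRestriction = restriction;   // published only once it is complete
            cfg.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
            cfg.IssuerNameRegistry = new MyIssuerNameRegistry();   // from the question
        };
    }
}
```

With the configuration built once at startup, the per-request filter no longer needs to touch fam.ServiceConfiguration at all.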

