IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

ADFS configuration problem #1136

Closed totpero closed 9 years ago

totpero commented 9 years ago

hi guys,

I followed this tutorial: http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/ and when I use the On-Premises Organizational Authentication as in this tutorial, the MVC application works fine, but when I try to use the same ADFS metadata URL like this:

var adfs = new WsFederationAuthenticationOptions
{
    AuthenticationType = "adfs",
    Caption = "Active Directory",
    SignInAsAuthenticationType = signInAsType,

    MetadataAddress = "https://adfsserver/federationmetadata/2007-06/federationmetadata.xml",
    Wtrealm = "https://identityserver:6165/",
};
app.UseWsFederationAuthentication(adfs);

then I don't know where the problem is. The ADFS login page appears, I log in successfully, but the user in my application is still null.

This is in the log after login: [Thinktecture.IdentityServer.Core.Endpoints.ClientPermissionsController]: 3/30/2015 5:51:00 PM +00:00 -- User not authenticated, redirecting to login

brockallen commented 9 years ago

Sorry -- not enough info here to debug/diagnose. You'll have to do some HTTP tracing on your own to debug this.

brockallen commented 9 years ago

And as an idea to help simplify -- try to make a stand-alone client app to ADFS and get that working. Then try to get that to work in IdSvr.

totpero commented 9 years ago

Can it be a claims problem?

totpero commented 9 years ago

The log, before login:

[Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 3/31/2015 7:26:16 AM +00:00 -- Login page requested

[Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 3/31/2015 7:26:16 AM +00:00 -- rendering login page

Debug: [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 3/31/2015 7:26:16 AM +00:00 -- signin message passed to login: {
  "ReturnUrl": "https://localserver...:6165/identity/permissions",
  "ClientId": null,
  "IdP": null,
  "Tenant": null,
  "LoginHint": null,
  "DisplayMode": null,
  "UiLocales": null,
  "AcrValues": [],
  "Created": 635633835530001695
}

Debug: [Thinktecture.IdentityServer.Core.Configuration.Hosting.MessageCookie`1]: 3/31/2015 7:27:48 AM +00:00 -- Protecting message: {"ReturnUrl":"https://localserver...:6165/identity/permissions","AcrValues":[],"Created":635633836682511147}

Debug: [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 3/31/2015 7:27:48 AM +00:00 -- signin message passed to login: {
  "ReturnUrl": "https://localserver:6165/identity/permissions",
  "ClientId": null,
  "IdP": null,
  "Tenant": null,
  "LoginHint": null,
  "DisplayMode": null,
  "UiLocales": null,
  "AcrValues": [],
  "Created": 635633836682511147
}

[Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 3/31/2015 7:26:18 AM +00:00 -- External login requested for provider: adfs

[Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 3/31/2015 7:26:18 AM +00:00 -- Triggering challenge for external identity provider

After login I try to access a page with the [Authorize] attribute (the application permissions page):

[Thinktecture.IdentityServer.Core.Endpoints.WelcomeController]: 3/31/2015 7:27:38 AM +00:00 -- Welcome page requested

[Thinktecture.IdentityServer.Core.Endpoints.WelcomeController]: 3/31/2015 7:27:38 AM +00:00 -- Rendering welcome page

[Thinktecture.IdentityServer.Core.Endpoints.ClientPermissionsController]: 3/31/2015 7:27:48 AM +00:00 -- Permissions page requested

[Thinktecture.IdentityServer.Core.Endpoints.ClientPermissionsController]: 3/31/2015 7:27:48 AM +00:00 -- User not authenticated, redirecting to login

[Thinktecture.IdentityServer.Core.Results.LoginResult]: 3/31/2015 7:27:48 AM +00:00 -- Redirecting to login page

totpero commented 9 years ago

I have created a stand-alone client app to ADFS and it works, but what do I take from this app's web.config file to configure IdSvr? Are MetadataAddress and Wtrealm not enough?

totpero commented 9 years ago

This is the stand-alone client web.config:

<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=301880
  -->
<configuration>
  <configSections>
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Data Source=(LocalDb)\v11.0;AttachDbFilename=|DataDirectory|\aspnet-WebApplication3-20150326110459.mdf;Initial Catalog=aspnet-WebApplication3-20150326110459;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:FederationMetadataLocation" value="https://sb-srv-v-001.myserver.ro//FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:Realm" value="https://erp-w04-w7-ia.myserver.ro:44330" />
    <add key="ida:AudienceUri" value="https://erp-w04-w7-ia.myserver.ro:44330" />
  </appSettings>
  <location path="Account">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="None" />
    <authorization>
      <deny users="?" />
    </authorization>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
  </system.web>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.OAuth" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.Cookies" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-5.2.2.0" newVersion="5.2.2.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Optimization" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="mssqllocaldb" />
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
    </providers>
  </entityFramework>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://erp-w04-w7-ia.myserver.ro:44330/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://SB-SRV-V-001.myserver.ro/adfs/services/trust">
          <keys>
            <add thumbprint="2DCA43346F12F9BAD5A2310C2C0A8E6398CBDE64" />
          </keys>
          <validIssuers>
            <add name="http://SB-SRV-V-001.myserver.ro/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://sb-srv-v-001.myserver.ro/adfs/ls/" realm="https://erp-w04-w7-ia.myserver.ro:44330/" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>

This works. Do I have to take some configuration from here and paste it into IdSrv besides MetadataAddress and Wtrealm?

var adfs = new WsFederationAuthenticationOptions
{
    AuthenticationType = "adfs",
    Caption = "Active Directory",
    SignInAsAuthenticationType = signInAsType,

    MetadataAddress = "https:/.....",
    Wtrealm = "https://....",
};
app.UseWsFederationAuthentication(adfs);

brockallen commented 9 years ago

Those all look ok -- check the IdentityServer logs to see what's happening.

totpero commented 9 years ago

Above in this question is all the log from IdSrv.

brockallen commented 9 years ago

I don't see any logs for when the user returns from the external IdP.

totpero commented 9 years ago

Only this I have in the log after login.

totpero commented 9 years ago

This is my server config:

// Using directives the posted class needs (IdentityServer3 v1.x namespaces).
// The Thinktecture.IdentityManager namespace for IdentityManagerServiceFactory and
// IdentityManagerOptions, and the app's own Constante, Certificate, Users, Clients
// and Scopes types, are not shown in the issue.
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Thinktecture.IdentityServer.Core.Configuration;
using Thinktecture.IdentityServer.Core.Logging;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Route IdentityServer's internal logging to System.Diagnostics tracing.
        LogProvider.SetCurrentLogProvider(new DiagnosticsTraceLogProvider());

        // IdentityManager admin UI, mounted at the path held in Constante.CaleAdmin.
        app.Map(Constante.CaleAdmin, adminApp =>
        {
            var factory = new IdentityManagerServiceFactory();
            factory.ConfigureSimpleIdentityManagerService("MyIdentityServer");

            adminApp.UseIdentityManager(new IdentityManagerOptions
            {
                Factory = factory
            });
        });

        var options = new IdentityServerOptions
        {
            SiteName = "Autentificare",
            RequireSsl = true,
            SigningCertificate = Certificate.Load(),
            CorsPolicy = CorsPolicy.AllowAll,

            // In-memory users, clients and scopes supplied by the app's own classes.
            Factory = InMemoryFactory.Create(
                users: Users.Get(),
                clients: Clients.Get(),
                scopes: Scopes.Get()
            ),

            AuthenticationOptions = new AuthenticationOptions
            {
                //EnableLocalLogin = false,
                IdentityProviders = ConfigureAdditionalIdentityProviders,
                EnablePostSignOutAutoRedirect = true,
                EnableSignOutPrompt = false,
            },
        };

        // IdentityServer is mounted under /identity, so its discovery document
        // is served at <host>/identity/.well-known/openid-configuration.
        app.Map("/identity", idsrvApp => idsrvApp.UseIdentityServer(options));
    }

    // Registers ADFS as an external WS-Federation identity provider.
    public static void ConfigureAdditionalIdentityProviders(IAppBuilder app, string signInAsType)
    {
        var adfs = new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs",
            Caption = "Active Directory",
            SignInAsAuthenticationType = signInAsType,

            // The original post had a single slash after "https:"; corrected to "https://".
            MetadataAddress = "https://adfsrv.com/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "https://localsrv:6165/",
        };
        app.UseWsFederationAuthentication(adfs);
    }
}

totpero commented 9 years ago

I solved my problem. This problem came from Wtrealm. The Wtrealm URI needs to be the same as the issuer URI, which can be found here: https://identityserver:6165/identity/.well-known/openid-configuration. And, very important, in the ADFS configuration the URI under Relying Party Trusts->Endpoints and Relying Party Trusts->Identifiers needs to be the same URI as the Wtrealm. Tx
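
The three-way match described in the comment above (Wtrealm, the issuer in IdentityServer's discovery document, and the ADFS relying-party trust), as an added consistency check that is not part of the issue or of IdentityServer3. The discovery document and the relying-party values are constructed; in the first post the realm pointed at the site root while IdentityServer was mapped at /identity, which is exactly the mismatch the check reports.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, shaped like the one IdentityServer3 serves at
# <base>/identity/.well-known/openid-configuration when mapped at "/identity".
DISCOVERY_JSON = json.dumps({
    "issuer": "https://identityserver:6165/identity",
    "authorization_endpoint": "https://identityserver:6165/identity/connect/authorize",
})


def normalize(uri):
    """Lower-case scheme and host only. The path and any trailing slash are kept,
    because a realm is matched as an identifier string, not as a resolved URL."""
    parts = urlsplit(uri.strip())
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def check_realm_consistency(discovery_json, wtrealm, rp_identifiers, rp_wsfed_endpoint):
    """Return the list of mismatches between the Wtrealm handed to
    WsFederationAuthenticationOptions, the issuer IdentityServer publishes, and
    the ADFS relying-party trust (its identifiers and WS-Federation endpoint).
    An empty list means all three places agree, which is what the fix required."""
    issuer = json.loads(discovery_json)["issuer"]
    realm = normalize(wtrealm)
    findings = []
    if realm != normalize(issuer):
        findings.append("Wtrealm %r differs from discovery issuer %r" % (wtrealm, issuer))
    if realm not in {normalize(i) for i in rp_identifiers}:
        findings.append("no ADFS relying-party identifier equals Wtrealm %r" % wtrealm)
    if normalize(rp_wsfed_endpoint) != realm:
        findings.append("ADFS WS-Federation endpoint %r differs from Wtrealm %r"
                        % (rp_wsfed_endpoint, wtrealm))
    return findings


if __name__ == "__main__":
    # The configuration from the first post: realm at the site root, but
    # IdentityServer is mapped at /identity, so its issuer is one level deeper.
    root = "https://identityserver:6165/"
    for finding in check_realm_consistency(DISCOVERY_JSON, root, [root], root):
        print("MISMATCH:", finding)
```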

brockallen commented 9 years ago

Glad you got it sorted.