I got a question in a remark on ADFS 2.0 and ASP.NET and wanted to do a post about it instead of trying to fit in code inside a remark too.
Sometimes you might see the above error. And I can understand why it can be frustrating at times, so ill try and clarify what it means.
You create a sign message and redirect the user to the ADFS/STS. The user logs in successfully and gets send back with a token, and now WIF on the webserver say’s “go away, you are trying to login with a token issued for another domain/application than me.
The key here is your return URL. When you add a Relying Party on your ADFS server, you specify a WS-Federation Passive Endpoint. Your return URL need to be within same scope as your WS-Federation Endpoint URI.
I have added the code I’m using now, and added a few comments. Should clear things up a bit.
- ' basicly this tell adfs, to redirect the user onward to some other STS. For most people this should not be specified.
- Dim HomeRealm As String = "urn:admin.wingu.dk"
- 'What Identity did we specify in the "Relying Party Trusts" on the ADFS server
- 'This has to also be listed in web.config under <microsoft.identityModel><service><audienceUris>
- ' or you will get ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.
- ' This will most often be an URI, like https://admin.wingu.dk/SSI2 , but could also be an URN, like "urn:admin.website.ssi2"
- Dim Realm As String = ("https://admin.wingu.dk" & Request.ApplicationPath & "/").ToLower
- ' Lets inspect and modify the Return URL
- ' If this falls out of scope from what you specefied under WS-Federation Passive Endpoint, when adding you
- ' Relying Party on the ADFS server, you will get
- ' ID3206: A SignInResponse message may only redirect within the current web application:
- ' Basicly, if you want several endpoints for you website. Like www.1.com and www.2.com or
- ' www.1.com/app1 and www.1.com/app1, add more Relying Party's, one for each.
- ' There is another way, maybe ill do a blog about that someday
- Dim ReturnURI As New UriBuilder(ReturnUrl.ToLower)
- ' We need to use HTTPS, no matter what, so
- ReturnURI.Scheme = "https"
- ReturnURI.Port = 443
- 'I dont want to redirect back to my self. This can be ok in some sceenarios
- If ReturnURI.Path.Contains("login.aspx") Then ReturnURI.Path = Request.ApplicationPath & "/"
- ' change localhost / computernamer or what ever, to the fqdn used on the ADFS to redirect back to
- ReturnURI.Host = "admin.wingu.dk"
- ReturnUrl = ReturnURI.ToString
- Dim authModule As WSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule
- authModule.PassiveRedirectEnabled = True
- Dim mess As WSFederation.SignInRequestMessage = authModule.CreateSignInRequest("passive", ReturnUrl, False)
- mess.HomeRealm = HomeRealm
- mess.Realm = Realm
- Dim redirURL As String = mess.WriteQueryString()