onsdag den 21. december 2011

ID3206: A SignInResponse message may only redirect within the current web application:

I got a question in a remark on ADFS 2.0 and ASP.NET and wanted to do a post about it instead of trying to fit in code inside a remark too.

Sometimes you might see the above error. And I can understand why it can be frustrating at times, so ill try and clarify what it means.

You create a sign message and redirect the user to the ADFS/STS. The user logs in successfully and gets send back with a token, and now WIF on the webserver say’s “go away, you are trying to login with a token issued for another domain/application than me.

The key here is your return URL. When you add a Relying Party on your ADFS server, you specify a WS-Federation Passive Endpoint. Your return URL need to be within same scope as your WS-Federation Endpoint URI.

image
I have added the code I’m using now, and added a few comments. Should clear things up a bit.

Code Snippet
  1. ' basicly this tell adfs, to redirect the user onward to some other STS. For most people this should not be specified.
  2. Dim HomeRealm As String = "urn:admin.wingu.dk"
  3.  
  4. 'What Identity did we specify in the "Relying Party Trusts" on the ADFS server
  5. 'This has to also be listed in web.config under <microsoft.identityModel><service><audienceUris>
  6. ' or you will get ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.
  7. ' This will most often be an URI, like https://admin.wingu.dk/SSI2 , but could also be an URN, like "urn:admin.website.ssi2"
  8. Dim Realm As String = ("https://admin.wingu.dk" & Request.ApplicationPath & "/").ToLower
  9.  
  10. ' Lets inspect and modify the Return URL
  11. ' If this falls out of scope from what you specefied under WS-Federation Passive Endpoint, when adding you
  12. ' Relying Party on the ADFS server, you will get
  13. ' ID3206: A SignInResponse message may only redirect within the current web application:
  14. '
  15. ' Basicly, if you want several endpoints for you website. Like www.1.com and www.2.com or
  16. ' www.1.com/app1 and www.1.com/app1, add more Relying Party's, one for each.
  17. ' There is another way, maybe ill do a blog about that someday
  18.  
  19. Dim ReturnURI As New UriBuilder(ReturnUrl.ToLower)
  20. ' We need to use HTTPS, no matter what, so
  21. ReturnURI.Scheme = "https"
  22. ReturnURI.Port = 443
  23. 'I dont want to redirect back to my self. This can be ok in some sceenarios
  24. If ReturnURI.Path.Contains("login.aspx") Then ReturnURI.Path = Request.ApplicationPath & "/"
  25. ' change localhost / computernamer or what ever, to the fqdn used on the ADFS to redirect back to
  26. ReturnURI.Host = "admin.wingu.dk"
  27. ReturnUrl = ReturnURI.ToString
  28.  
  29. Dim authModule As WSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule
  30. authModule.PassiveRedirectEnabled = True
  31. Dim mess As WSFederation.SignInRequestMessage = authModule.CreateSignInRequest("passive", ReturnUrl, False)
  32.  
  33. mess.HomeRealm = HomeRealm
  34. mess.Realm = Realm
  35. Dim redirURL As String = mess.WriteQueryString()
  36. Response.Redirect(redirURL)

Ingen kommentarer:

Tilføj en kommentar