Wednesday, 21 December 2011

ID3206: A SignInResponse message may only redirect within the current web application:

I got a question in a comment on my ADFS 2.0 and ASP.NET post and wanted to answer it here instead of trying to fit code into a comment.

Sometimes you might see the above error, and I can understand why it can be frustrating at times, so I'll try to clarify what it means.

You create a sign-in message and redirect the user to the ADFS/STS. The user logs in successfully and is sent back with a token, and now WIF on the web server says "go away, you are trying to log in with a token issued for another domain/application than me".

The key here is your return URL. When you add a Relying Party on your ADFS server, you specify a WS-Federation Passive Endpoint. Your return URL needs to be within the same scope as that WS-Federation Endpoint URI.

I have added the code I'm using now, with a few comments. That should clear things up a bit.

Code Snippet

```vbnet
Imports Microsoft.IdentityModel.Web
Imports Microsoft.IdentityModel.Protocols.WSFederation

' Assumed here: ReturnUrl holds the absolute URL the user asked for, as handed to the login page.
' If nothing was passed, fall back to the page the user is on.
Dim ReturnUrl As String = If(Request.QueryString("ReturnUrl"), Request.Url.AbsoluteUri)

' Basically this tells ADFS to redirect the user onward to some other STS. For most people this should not be specified.
Dim HomeRealm As String = "urn:admin.wingu.dk"

' What Identity did we specify in the "Relying Party Trusts" on the ADFS server?
' This also has to be listed in web.config under <microsoft.identityModel><service><audienceUris>,
' or you will get ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.
' This will most often be a URI, like https://admin.wingu.dk/SSI2 , but could also be a URN, like "urn:admin.website.ssi2"
Dim Realm As String = ("https://admin.wingu.dk" & Request.ApplicationPath & "/").ToLower

' Let's inspect and modify the Return URL.
' If this falls out of scope from what you specified under WS-Federation Passive Endpoint when adding your
' Relying Party on the ADFS server, you will get
' ID3206: A SignInResponse message may only redirect within the current web application:
'
' Basically, if you want several endpoints for your website, like www.1.com and www.2.com or
' www.1.com/app1 and www.1.com/app2, add more Relying Parties, one for each.
' There is another way, maybe I'll do a blog post about that someday.

Dim ReturnURI As New UriBuilder(ReturnUrl.ToLower)
' We need to use HTTPS, no matter what, so
ReturnURI.Scheme = "https"
ReturnURI.Port = 443
' I don't want to redirect back to myself. This can be OK in some scenarios.
If ReturnURI.Path.Contains("login.aspx") Then ReturnURI.Path = Request.ApplicationPath & "/"
' Change localhost / computer name or whatever to the FQDN used on the ADFS to redirect back to
ReturnURI.Host = "admin.wingu.dk"
ReturnUrl = ReturnURI.ToString

Dim authModule As WSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule
authModule.PassiveRedirectEnabled = True
' CreateSignInRequest(uniqueId, returnUrl, rememberMeSet): the (now normalized) ReturnUrl is what the user comes back to
Dim mess As SignInRequestMessage = authModule.CreateSignInRequest("passive", ReturnUrl, False)

mess.HomeRealm = HomeRealm
mess.Realm = Realm
Dim redirURL As String = mess.WriteQueryString()
Response.Redirect(redirURL)
```
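As an added example (not the post's own code), here is the scope rule the post describes for ID3206, together with the same return-URL fix-ups the VB snippet applies, written in Python so it can be run without an ADFS instance. The endpoint, host and login page names are constructed for illustration and mirror the values in the snippet.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example: the WS-Federation Passive Endpoint registered for the
# Relying Party on ADFS, the public FQDN the application is reached on, and the login page name.
PASSIVE_ENDPOINT = "https://admin.wingu.dk/SSI2/"
PUBLIC_HOST = "admin.wingu.dk"
LOGIN_PAGE = "login.aspx"


def effective_port(parts):
    """Explicit port, or the scheme default, so https://host and https://host:443 compare equal."""
    return parts.port or {"https": 443, "http": 80}.get(parts.scheme)


def within_scope(return_url, endpoint=PASSIVE_ENDPOINT):
    """The scope rule behind ID3206 as the post describes it: the return URL must share
    scheme, host and port with the registered passive endpoint and live under its path."""
    r, e = urlsplit(return_url.lower()), urlsplit(endpoint.lower())
    prefix = e.path if e.path.endswith("/") else e.path + "/"
    same_origin = (r.scheme == e.scheme and r.hostname == e.hostname
                   and effective_port(r) == effective_port(e))
    # "/ssi2" and "/ssi2/..." are inside the application; "/ssi2evil/..." is not.
    under_path = r.path == prefix.rstrip("/") or r.path.startswith(prefix)
    return same_origin and under_path


def normalize_return_url(return_url):
    """The fix-ups the VB snippet applies before building the sign-in request: force https,
    swap localhost / machine name for the public FQDN, and never bounce back to the login page."""
    parts = urlsplit(return_url.lower())
    app_path = urlsplit(PASSIVE_ENDPOINT.lower()).path          # e.g. "/ssi2/"
    path = app_path if LOGIN_PAGE in parts.path else (parts.path or app_path)
    # The port is left implicit: https already means 443, so no explicit ":443" ends up in the URL.
    return urlunsplit(("https", PUBLIC_HOST, path, parts.query, parts.fragment))
```

Running a raw return URL through `normalize_return_url` and then `within_scope` shows which of the typical mistakes (http, localhost, a wrong application path) the fix-ups cure and which still need a separate Relying Party.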
