MSIS7001: The passive protocol context was not found or not valid - adfs2.0

I am trying to federate one ADFS server with another ADFS server so that the Identity can be provided with the second ADFS instance. So Relying Party Application --> RP ADFS 1 --> ID ADFS
1.I have the RP Application set up with a relying party trust in RP ADFS
2.I have the ID ADFS set up with a Claims Provider trust in the RP ADFS
3.I have the RP ADFS set up with a Relying Party Trust in the ID ADFS
When attempt to go to my relying part I am bounced to the ID ADFS logon page and I can Logon and it is bounced back to the RP ADFS where I receive the error.
MSIS7001: The passive protocol context was not found or not valid.
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
at Microsoft.IdentityServer.Web.EncodedContext..ctor(String encodedValue, Boolean samlEnabled, Boolean wsFederationEnabled)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.ParseRelyingPartyInfoFromWCtx(String wctx, Boolean deleteCookie, String& contextId)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetOriginalRequest(FederationPassiveContext federationPassiveContext, Boolean deleteCookie, String& requestId)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetOriginalRequest(Boolean deleteCookie, String& requestId)
I have seen the Question, and I have ensured that the answer has been followed.
I have also seen thisquestion and it's not clear what solution this one proposes.

Related

How to recognise formerly SP initiated authentication on subsequent IdP redirects to SP

When using SAML2 to perform a Service Provider (SP) initiated authentication, a secret ID is generated by the SP and the added to the the Authentication Request. The Identity Provider (IdP) responds to this AuthnRequest and echoes the secret ID of the SP ("in response to") to ensure coherence of the Authentication Request/Response. The authentication at the SP can then proceed (after verifying a whole lot of other things).
What happens when the current authentication session at the IdP is still valid and the "IdP Portal" is equipped with the ability to redirect to the SP by some sort of bookmark/link such as application icons in Office356. Is there any provisioning in the SAML2 standard to continue the formerly initiated session at the Service Provider (a IdP session id of some sort)? It would be odd if a re-authentication would be necessary in this case because the current session is still active (I wouldn't think this falls into the category of IdP initiated authentication).
The IdP hits the ACS endpoint when this app icon is clicked, but I'm not sure where to look in the Authentication Response (according to SAML2 spec and more specifically in an Azure AD IdP response). Any help would be appreciated.
When "federating" identities, the session handling is entirely up to the individual systems. There is no real mechanism within the protocol to tie those separate sessions together. The Identity Provider (IdP) can inform the Service Provider (SP) of the length of time that the SP can consider the identity assertion "valid", but that's about it. Typically, if the identity being authenticated has a session at the IdP, then the IdP will just issue the assertion. When the user is redirected back to the SP, if they had a session there, then it's up to the SP if they allow that session to continue.
In order to tell the two types of assertion apart, the following guideline can be used.
For IdP-initiated, the RelayState attribute will generally have a URL of where the User wishes to be sent at the SP, after the SP consumes and accepts the assertion from the IdP.
For SP-initiated, when the SP starts the authentication process, it will insert an opaque ID in the RelayState attribute of the AuthnRequest. The IdP must use that same ID in the Assertion's RelayState field (and the same ID usually ends up in the InResponseTo field as well).
So, that's a whole lot of words to say "The handling at either end, IdP or SP, is determined solely by that end (though maybe there's some conversation about how the ends handle them)."

Abstracting OpenID Connect Idp behind a Windows Identity Foundation STS

Premise:
I have an infrastructure where we have a custom RP-STS implemented with Windows Identity Foundation, providing SSO for a few websites. This STS communicates with the sites via WSFederation. This custom STS is about to be deprecated because the organization is adding an Open ID Connect Idp into the infrastructure.
The websites themselves (Episerver) contain all the custom made authorization logic already based on the claims the STS provides, and if we were to simply toss the STS we'd have to replace all of this logic.
Question:
What is the browser redirect flow to integrate our RP-STS to the openId connect provider in such a way that the end user browser gets a session for both our RP STS and the Open Id Connect IdP?
Personal thinking on how it might be doable (based on massive assumptions on how openid connect works), skip this if you know how to answer:
Website sends HTTP post to RP-STS containing username/password
RP STS responds to browser with redirect to OpenId Connect Idp (Redirect contains username / password, and a replyto address is set to the RP STS)
OpenId Connect Idp creates a local session (???) and responds with a redirect to RP STS, redirect contains auth_token. (I'm unsure of the parts that go into an openid connect login flow)
RP STS receives user token and gets / asks for user data, builds claims and builds local session
RP STS sends claims in SAML token via WSFed to RP site
Am I even close?
Further clarification:
I do not want to remove the existing STS, but abstract the new infrastructure change behind it so that from the end-user-sites perspective, identity objects and authorization logic will remain unchanged.
I need help specifically in seeing if the login/logout flow is doable between the STS and the Open ID Connect IDP
WIF and OpenID Connect are completely different protocols e.g. WIF is mainly browser based in the passive profile. The token types are different - SAML and JWT etc.
The way to do this is via OWIN (Katana is the Microsoft implementation). There are NuGet packages for both WS-Fed and OpenID Connect.
There are samples available for Azure AD - refer Microsoft Azure Active Directory Samples and Documentation that you could use as a guide.
OWIN would allow you to use both protocols.
In fact, have a look at IdentityServer3.
This is an open source STS implementation of both.

Request ADFS security token from the backend of single sign-on enabled ASP.NET website

I have a single sign-on enabled ASP.NET web site which uses ADFS for authentication. On logon users are redirected to the ADFS sign-in page, then my application gets FedAuth cookies back and doesn't store any user passwords.
What I need to do is to contact a third-party service (namely, SharePoint), which is configured to use the same ADFS server for authentication, from the web site backend. I've learned that I should be able to do so by getting another security token using some WIF (WCF in fact) calls described for example here http://blogs.technet.com/b/speschka/archive/2010/06/04/using-the-client-object-model-with-a-claims-based-auth-site-in-sharepoint-2010.aspx.
My problem is I don't know how to provide authentication for such calls using the information implicitly available in single sign-on cookies. I do not have explicit credentials nor Windows authentication.
The code I'm trying to use follows:
WSTrust13ContractClient trustClient = new WSTrust13ContractClient(binding, address);
trustClient.ClientCredentials.Windows.AllowNtlm = true;
trustClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
trustClient.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
System.ServiceModel.Channels.Message response =
trustClient.EndIssue(trustClient.BeginIssue(
System.ServiceModel.Channels.Message.CreateMessage(
MessageVersion.Default, WSTrust13Constants.Actions.Issue,
new RequestBodyWriter(trustSerializer, rst)), null, null));
It fails with "The HTTP request was forbidden with client authentication scheme 'Negotiate'" message.

SAML 2.0 security token

I have a web application which uses an identity provider for authentication in accordance with SAML 2.0 protocol.
Does this web application (service provider) have to validate a security token (provided by IdP when an user log in the web application) for each web server request.
In my opinion, there is no need to validate security token for each server request. The SAML protocol requires token validation only in necessary cases (authentication, authorization).
Am I right or od I have to implement token validation for each web server request?
No, the service provider does not need to validate the SAML assertion for every request.
SAML assertion contains information about the user, such as who the username is, how the user is authenticated by identity provider, and so on. Once the service provider obtains this SAML assertion from identity provider, it verifies the SAML assertion, and log-ins the user to the service provider. Once the user is logged-in, the user only needs to use the same authenticated session to access protected resource at the service provider. The user does not have to send SAML assertion.

Integration Sharepoint 2010, ADFS 2.0 and ThinkTecture IdentityServer

I have the following scenario:
Sharepoint 2010 with Claims based authentication web application.
ADFS 2.0 which has configured Claims provider trust to the ThinkTecture IdentityServer.
ThinkTecture IdentityServer which has configured ADFS 2.0 as a relying party.
Sharepoint 2010 has SPTrustedIdentityTokenIssuer configured pointing to ADFS 2.0.
Now when I'm loging to the Sharepoint, I'm redirected to the ADFS 2.0 Home Realm page, when I choose Identity Provider. Then I'm redirected to the ThinkTecture IdentityServer. Then I'm logged with my credentials from IdentityServer and I'm redirected back to the ADFS and then to the Sharepoint. The problem is, that sharepoint show error message. I'am adding log records from sharepoint:
Authenticated with login provider. Validating request security token.
Trusted login provider 'SAML2 Provider' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest()
Access Denied: Authentication is required.
I was find out, that the token returned from Identity Server to ADFS contains emailaddress claim, but the token returned from ADFS to SP does not. It is a strange, because I have ADFS configured to support emailaddress to pass through for all claims
(in Claims provider trust for identity server). Do I need to setup adfs somewhere else? I am newbie in adfs.
What I want to achieve is to forward my request through the ADFS to the IdentityProvider (in this case ThinkTecture IdentityServer) and to get back the token from IdentityProvider. ThinkTecture IdentityServer is only in my test environment in the real environment it will replaced by Oracle Identity Federation.
The target problem is to integrate Sharepoint 2010 with the Oracle Identity Federation. But the problem is, that the Sharepoint doesn't support SAML 2 protocol which OIF will provides as exclusive endpoint binding. So I'm trying to hack it with the ADFS (as a somethinkg like proxy) which will communicate with Sharepoint based on the SAML 1.1 on one side and with the OIF based on the SAML 2 on other side.
This is the following extract from IdP metadata:
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">...
So I have no option to use WS-Federation.
I will appreciate advise if this is a good way how to achieve the required behaviour.
thanks
So your path is SP -> ADFS -> IdentityServer?
The problem is that the email address is not being passed through. So you have to set up IdentityServer to generate the email address claim and you have to setup ADFS to pass through all claims. Then configure SP to accept email address as a claim (using the SP Powershell commands).
Add: You need to create pass through claim rules for the email claim in ADFS - both for the claims provider trust and the relying party trust.
OIF supports WS-Federation - refer ORACLE IDENTITY FEDERATION 11g R2 - so no problem to federate OIF with SP.