2014-02-07 27 views
0

I want to chain two ADFS instances together. We have an application protected by one ADFS, and the users in another AD also use ADFS to protect their applications. Now I am trying to let the users from the other ADFS access the application protected by the first ADFS. How do I make one ADFS trust the other ADFS?

In the ADFS whose AD holds the users, I created a new Relying Party, which is the other ADFS instance.

In the ADFS that protects the application, I set up a Claims Provider Trust; I did this by pointing it at the metadata of the ADFS instance that has the users in Active Directory. This seems to work.

Now, when I try to access the protected application, I get certificate errors for the SSO certificates; I click through them, and it bounces me back to the RP ADFS and shows a page that lets me choose between authenticating with AD or with my ID ADFS instance. I choose the ID ADFS I just set up, click continue, and it bounces me to the login page. After I log in, it bounces me back to the RP ADFS server, and then an error appears with a reference number. When I look up the reference number in the event log, I see 2 or 3 errors.

The first is about the revocation list:

An error occurred while trying to build the certificate chain for the claims provider trust 'http://dev-sso.xxxxxxx.com/adfs/services/trust' certificate identified by thumbprint '54xxxxxxxxxxxxxxxxxxxxxxE28C9A57481'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings, or the certificate is not within its validity period.

The second is:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
    at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
    at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
    at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
    at System.Xml.XmlReader.ReadEndElement()
    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
    at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)

Answer

0

I decided to disable the revocation list check. I think the problem is some kind of proxy or firewall; in production we will have real certificates, so I don't think this will be an issue.
So not really an answer, but enough to move on.
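As an added example, not part of the question or the answer above: a PowerShell script run on the RP ADFS server that checks the two conditions behind the logged errors (the signing certificate's chain and revocation status behind the first event, and whether the thumbprint from the event is actually registered on the Claims Provider Trust, which is what ID4037 complains about) and then shows the metadata refresh next to the revocation setting the answer changed. It assumes the ADFS cmdlets are loaded (the Microsoft.Adfs.PowerShell snap-in on ADFS 2.0, the ADFS module on later versions), a trust display name of 'Users ADFS' and a thumbprint copied from the event; both values are placeholders.

```powershell
# Added example (not from the question or the answer). Run on the RP ADFS server.
# ADFS 2.0:           Add-PSSnapin Microsoft.Adfs.PowerShell
# ADFS 2012 R2 / 2016: Import-Module ADFS
# Cmdlet names are case-insensitive, so the calls below work on both.

$trustName           = 'Users ADFS'                                 # placeholder: Claims Provider Trust display name
$thumbprintFromEvent = '54XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'  # placeholder: thumbprint quoted in the revocation event

$trust = Get-AdfsClaimsProviderTrust -Name $trustName
"Identifier:       $($trust.Identifier)"
"Metadata URL:     $($trust.MetadataUrl)"
"Revocation check: $($trust.SigningCertificateRevocationCheck)"

# 1. ID4037: the token signature could not be matched to any signing certificate
#    ADFS has on file for this trust. Compare what is registered with what the
#    event reports (typical cause: the ID ADFS rolled its token-signing cert).
$known = @($trust.TokenSigningCertificates | ForEach-Object { $_.Thumbprint })
"Registered token-signing thumbprints: $($known -join ', ')"
if ($known -notcontains $thumbprintFromEvent) {
    "Thumbprint from the event is not registered on '$trustName': refresh the trust from metadata (step 3a)."
}

# 2. Reproduce the chain build behind the first event, with online revocation
#    checking, so a CRL/OCSP endpoint blocked by a proxy or firewall shows up
#    as RevocationStatusUnknown / OfflineRevocation rather than as a guess.
foreach ($cert in $trust.TokenSigningCertificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($cert)
    "$($cert.Thumbprint) (NotAfter $($cert.NotAfter)) chain built: $built"
    foreach ($s in $chain.ChainStatus) {
        "  $($s.Status): $($s.StatusInformation.Trim())"
    }
}

# 3a. Preferred fix: re-read the ID ADFS's federation metadata so the trust
#     carries the certificate that is actually signing tokens now.
if ($trust.MetadataUrl) {
    # Update-AdfsClaimsProviderTrust -TargetName $trustName -MetadataUrl $trust.MetadataUrl
}

# 3b. What the answer did: stop checking revocation for this trust's signing
#     certificate. A revoked signing key would then still be accepted, so keep
#     this to the test trust and restore a chain check (e.g. CheckChainExcludeRoot)
#     once the CRL endpoint is reachable from the ADFS servers.
# Set-AdfsClaimsProviderTrust -TargetName $trustName -SigningCertificateRevocationCheck None
```

Step 2 is the useful diagnostic: if the chain builds with `RevocationMode = 'Online'` only once the CRL distribution point is reachable, the problem is network egress from the ADFS server, and the setting in 3b masks it rather than fixes it. Step 1 separates that from the ID4037 error, which persists regardless of revocation settings until the trust holds the current signing certificate.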