Azure - running an app in Azure using ADFS returns the following error: Exception message: ID4014: A SecurityTokenHandler is not

StackOverflow https://stackoverflow.com/questions/17597181

I have my app built and deployed in Azure, utilizing ADFS for authentication. When I access my app, it redirects me to the ADFS log-in page. I log in, and then it redirects me back to my app, where I encounter the following exception:

Exception information:
Exception type: SecurityTokenException
Exception message: ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd').
   at System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration)
   at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

This is my first time dealing with ADFS and Azure - a few questions:

  1. What part of my code would I need to modify to accommodate the Security Token requirement (assuming I need to)? For example, when the user logs in through ADFS, and ADFS redirects the user back to my app, should my app "just work" at that point, and the Login link at the top of the page change to Logout? I'm using MVC4.
  2. My company's ADFS server has its own log-in page. Does this mean I can do away with the log-in functionality that comes out of the box with my Azure MVC app?

EDIT Here's the FederationMetadata.xml file with all sensitive data removed: http://mikemarks.net/FederationMetadata.xml

EDIT Here's my system.identityModel and system.identityModel.service section of my web.config:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://conocopocazuremike.cloudapp.net/" />
    </audienceUris>
    <!--Commented by Identity and Access VS Package-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="http://blah/adfs/services/trust"><keys><add thumbprint="blah" /></keys><validIssuers><add name="http://blah/adfs/services/trust" /></validIssuers></authority></issuerNameRegistry>-->
    <!--certificationValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
    <certificateValidation certificateValidationMode="None" />
    <!--Commented by Identity and Access VS Package-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="http://blah/adfs/services/trust"><keys><add thumbprint="blah" /></keys><validIssuers><add name="http://blah/adfs/services/trust" /></validIssuers></authority></issuerNameRegistry>-->
    <!--Commented by Identity and Access VS Package-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><trustedIssuers><add thumbprint="blah" name="http://blah/adfs/services/trust" /></trustedIssuers></issuerNameRegistry>-->
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://blah/adfs/services/trust">
        <keys>
          <add thumbprint="blah" />
        </keys>
        <validIssuers>
          <add name="http://blah/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://blah/adfs/ls/" realm="https://blah.cloudapp.net/" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Solution

This error

ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd')

usually pops up when your application receives a JWT token but is only configured to read SAML or SWT tokens. Another reason might be that a SAML token has been encrypted or binary-encoded before being sent back to the relying party.

The first thing to check is whether both ends (ADFS and the Relying Party application) are configured for the same token type and that the RP (Relying Party) can read the configured token (SAML/SWT/JWT).

In order to fully understand the configuration at the Relying Party end, we need to know the following sections of the web.config file: system.identityModel, system.identityModel.services, system.webServer. Along with that we also need the ADFS configuration: how the relying party is configured at the ADFS end, what endpoints are configured and which are used. The best tool to investigate is Fiddler.

And to rule out Azure as the issue, please verify that your application works correctly in an on-premises environment.

Other tips

Please ensure that at both ends (ADFS & WIF) the same token type is used.

Use a SAML token for out-of-the-box support from ASP.NET.

Can you post your federationMetadata.xml with certificate keys removed?
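Added diagnostic example (not from either answer above, and not code from the asker's project): both answers say to check, with Fiddler, which token type ADFS actually returns and to confirm the relying party has a handler registered for it. The Python script below does that classification on the captured sign-in POST: it pulls the wresult field, finds the RequestedSecurityToken inside the RequestSecurityTokenResponse, and reports the token element in the same ('LocalName', 'namespace') form the ID4014 message uses, together with the WIF SecurityTokenHandler class that reads that kind of token. The sample responses and the token bytes are constructed; the handler class names are the standard System.IdentityModel ones (the JWT handler ships in the System.IdentityModel.Tokens.Jwt NuGet package), and the assumption that ADFS marks a JWT with ValueType urn:ietf:params:oauth:token-type:jwt is noted in the code.

```python
"""Classify the token ADFS sent in a WS-Federation sign-in response.

Added diagnostic (not from the StackOverflow post). Feed it the body of the
POST that ADFS sends back to the relying party (captured with Fiddler) and it
reports which token element sits inside RequestedSecurityToken, so you can
compare that against the securityTokenHandlers the RP has registered.
"""
from urllib.parse import parse_qs, quote
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# WS-Trust namespaces ADFS uses for the passive RSTR (Feb 2005 and WS-Trust 1.3).
TRUST_NS = ("http://schemas.xmlsoap.org/ws/2005/02/trust",
            "http://docs.oasis-open.org/ws-sx/ws-trust/200512")
# Assumption: ADFS tags a JWT wrapped in a BinarySecurityToken with this ValueType.
JWT_VALUE_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# WIF handler class that reads each token kind (System.IdentityModel 4.x; the
# JWT handler comes from the System.IdentityModel.Tokens.Jwt NuGet package).
HANDLER_FOR = {
    "saml11": "System.IdentityModel.Tokens.SamlSecurityTokenHandler",
    "saml2": "System.IdentityModel.Tokens.Saml2SecurityTokenHandler",
    "encrypted": "System.IdentityModel.Tokens.EncryptedSecurityTokenHandler",
    "jwt": "System.IdentityModel.Tokens.JwtSecurityTokenHandler",
}


def _split(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify_wresult(wresult_xml):
    """Return (kind, element_description) for the token inside an RSTR.

    kind is one of 'saml11', 'saml2', 'encrypted', 'jwt' or 'unknown';
    element_description mirrors the ('LocalName', 'namespace') pair in ID4014.
    """
    root = ET.fromstring(wresult_xml)
    requested = None
    for el in root.iter():
        ns, local = _split(el.tag)
        if local == "RequestedSecurityToken" and ns in TRUST_NS:
            requested = el
            break
    if requested is None or len(requested) == 0:
        raise ValueError("no RequestedSecurityToken element in wresult")
    token = requested[0]
    ns, local = _split(token.tag)
    desc = f"('{local}', '{ns}')"
    if (ns, local) == (SAML11, "Assertion"):
        return "saml11", desc
    if (ns, local) == (SAML2, "Assertion"):
        return "saml2", desc
    if (ns, local) == (XENC, "EncryptedData"):
        return "encrypted", desc
    if (ns, local) == (WSSE, "BinarySecurityToken") and token.get("ValueType") == JWT_VALUE_TYPE:
        return "jwt", desc
    return "unknown", desc


def classify_form_body(post_body):
    """Same, but starting from the raw application/x-www-form-urlencoded POST body."""
    fields = parse_qs(post_body)
    if "wresult" not in fields:
        raise ValueError("POST body carries no wresult field")
    return classify_wresult(fields["wresult"][0])


def required_handler(kind):
    """Name the WIF SecurityTokenHandler the RP must register for this token kind."""
    return HANDLER_FOR.get(kind)


# Constructed samples: the shape of an ADFS RSTR carrying a JWT (token bytes are
# base64 of the string FAKE-TOKEN) and one carrying an empty SAML 1.1 assertion.
SAMPLE_JWT_RSTR = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" ValueType="{JWT_VALUE_TYPE}" '
    'EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">'
    'RkFLRS1UT0tFTg=='
    '</wsse:BinarySecurityToken>'
    '</t:RequestedSecurityToken>'
    '<t:TokenType>urn:ietf:params:oauth:token-type:jwt</t:TokenType>'
    '</t:RequestSecurityTokenResponse>'
)
SAMPLE_SAML11_RSTR = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    f'<saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1" MinorVersion="1" AssertionID="_constructed">'
    '</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'
)
SAMPLE_FORM_BODY = "wa=wsignin1.0&wresult=" + quote(SAMPLE_JWT_RSTR)

if __name__ == "__main__":
    for body in (SAMPLE_JWT_RSTR, SAMPLE_SAML11_RSTR):
        kind, desc = classify_wresult(body)
        print(f"token element {desc} -> {kind}; handler needed: {required_handler(kind)}")
```

Run against a real capture, paste the POST body into classify_form_body; if it reports jwt while the RP's web.config registers only the SAML handlers (the default for a WIF 4.5 application), the token type is the mismatch to fix, either by switching the relying party trust in ADFS to issue SAML or by registering the JWT handler on the RP.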

Licensed under: CC-BY-SA with attribution