How to fix “not a known principal” error with Windows Azure Access Control Service (ACS) and custom STS

StackOverflow https://stackoverflow.com/questions/7637679

Question

I'm working on a proof of concept for Federated Authentication.

I've created a custom STS (basically a re-write of the Windows Identity Foundation Basic STS sample) and set up relying parties to use this successfully.

The next stage of the PoC is to use Azure ACS to allow federated login with Google/LiveID/etc credentials, as well as those provided by the custom STS.

Everything works EXCEPT that I can't get Azure ACS to accept the token from the custom STS.

The errors given are:

ACS20001: An error occurred while processsing a WS-Federation sign-in response
ACS50008: SAML token is invalid
ACS50026: Principal with name 'mysts.mycorp.co.uk' is not a known principal

Now, to me, this looks like ACS is failing to decrypt the SAML token from the custom STS, but the only decryption certificate that's installed in Azure ACS is the one used to sign and encrypt the response token by the Custom STS.

What am I missing here?


Solution

The answer was, of course, staring me in the face...

ACS requires that the issuer name in the federation metadata for the STS perfectly matches that in the token...

In my app.config, I'd missed off the http:// for the issuer name - ACS was interpreting the lack of an introducer as being a certificate reference and was looking for a certificate with issuer CN=mysts.mycorp.co.uk rather than http://mysts.mycorp.co.uk.
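To make the failure mode in the accepted answer concrete, here is an added example (not code from the original post or from ACS) that pulls the issuer name out of a SAML 1.1 or 2.0 assertion and checks it against a set of registered identity-provider issuer names with the same exact string match the answer describes. The assertions, the host name and the registered-principal set are constructed for the example; signatures and conditions are omitted because they play no part in the issuer comparison.

```python
"""Issuer-name check for SAML assertions, mirroring the "not a known principal"
diagnosis in the answer above. Added example, not the original post's code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: issuer names of identity providers registered with the
# federation service (hypothetical value built from the question's host name).
KNOWN_PRINCIPALS = {"http://mysts.mycorp.co.uk"}

# Constructed SAML 1.1 assertion of the shape a WIF STS emits: the issuer is an
# attribute on <Assertion>. This one reproduces the bug (no http:// scheme).
ASSERTION_MISSING_SCHEME = (
    f'<saml:Assertion xmlns:saml="{SAML11_NS}" MajorVersion="1" MinorVersion="1" '
    'AssertionID="_a1b2c3" Issuer="mysts.mycorp.co.uk" '
    'IssueInstant="2011-10-03T10:00:00Z"/>'
)
# Same assertion with the corrected issuer name.
ASSERTION_OK = ASSERTION_MISSING_SCHEME.replace(
    'Issuer="mysts.mycorp.co.uk"', 'Issuer="http://mysts.mycorp.co.uk"')

# Constructed SAML 2.0 assertion: here the issuer is a child element instead.
ASSERTION_SAML2 = (
    f'<saml:Assertion xmlns:saml="{SAML2_NS}" Version="2.0" ID="_d4e5f6" '
    'IssueInstant="2011-10-03T10:00:00Z">'
    '<saml:Issuer>http://mysts.mycorp.co.uk</saml:Issuer></saml:Assertion>'
)


def extract_issuer(assertion_xml: str) -> str:
    """Return the issuer name carried by a SAML 1.1 or SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag == f"{{{SAML11_NS}}}Assertion":
        return root.get("Issuer", "")
    if root.tag == f"{{{SAML2_NS}}}Assertion":
        issuer = root.find(f"{{{SAML2_NS}}}Issuer")
        return (issuer.text or "").strip() if issuer is not None else ""
    raise ValueError(f"not a SAML assertion: {root.tag}")


def check_issuer(issuer: str, known: set) -> tuple:
    """Exact-match the issuer against the registered principals (no
    normalisation, as the answer reports ACS behaves). On a miss, report
    whether a missing URI scheme is the only difference from a known entry."""
    if issuer in known:
        return True, f"issuer '{issuer}' is a known principal"
    reason = f"issuer '{issuer}' is not a known principal"
    if not urlparse(issuer).scheme:
        # A bare host name has no scheme; if a registered principal is that same
        # host with a scheme, the STS issuer-name configuration is the culprit.
        for candidate in known:
            if urlparse(candidate).netloc == issuer:
                reason += (f"; it lacks a URI scheme and differs from registered "
                           f"'{candidate}' only by that, so check the STS issuer "
                           "name configuration")
                break
    return False, reason


def diagnose(assertion_xml: str, known: set = KNOWN_PRINCIPALS) -> tuple:
    """Parse the assertion and run the issuer check; returns (accepted, reason)."""
    return check_issuer(extract_issuer(assertion_xml), known)


if __name__ == "__main__":
    for label, xml in [("missing scheme", ASSERTION_MISSING_SCHEME),
                       ("corrected", ASSERTION_OK),
                       ("saml2", ASSERTION_SAML2)]:
        accepted, message = diagnose(xml)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} - {message}")
```

The check deliberately does no case-folding or scheme-guessing: the point of the answer is that the federation service treats the issuer name as an opaque identifier that must match the registered one byte for byte, so a diagnostic that silently normalised "mysts.mycorp.co.uk" to "http://mysts.mycorp.co.uk" would hide exactly the misconfiguration being hunted.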

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow