Question

RDevelopment on Mon, 04 Mar 2013 16:24:08


Hi! I'm using ACS with Windows Live and ADFS as identity providers. I got it working with one organization, having in web.config:

realm="https://orgA.myDomain.com"
<audienceUris>
        <add value="https://orgA.myDomain.com" />
</audienceUris>

My problem comes when I try to add another RP application, such as "https://orgB.myDomain.com", that will use just ADFS and point to the same cloud service. So I guess at this point I must have a different realm URL.

I tried it first using the ACS Management Portal, which seemed the most logical, having different relying party applications with different providers managed from that portal, but after trying and searching for information about it, I saw that I should write some code to add each relying party application, as explained here.

At this point I'm getting the "ACS60006: Attempted to insert a new copy of an object that already exists in the database" error.

So my question is, is that the correct way to achieve what I want?





Replies

Oren Melzer on Tue, 05 Mar 2013 00:02:03


You need to ensure that the realm and reply addresses of your second relying party are different from the first. You may be able to look at the UI (or just do this in the UI) to get a hint about what's going wrong.

RDevelopment on Tue, 05 Mar 2013 09:29:21


Yes, they are different. One realm is ..orgA and the other ..orgB. I even updated one realm now to something like https://orgA.myDomain.com/About and nothing changed.

When I go to https://orgB.myDomain.com, I'm redirected to ACS but it is using the realm that I specified in the web.config, something like:

https://name.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2forgA.myDomain.com%2....

but if I manually change it to:

https://name.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2forgB.myDomain.com%2

it works like it should.

RDevelopment on Tue, 05 Mar 2013 10:40:07


I got this working thanks to a blog entry by Sandrino (Thanks!): http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service, see the "Updating your realm" section. In case the blog becomes inaccessible I copy the code here; it has to be inside this method:

using System.Text;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax.cs: WIF raises this event just before redirecting the browser to ACS,
// so the realm can be set per request instead of taken from the static web.config value.
private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    // Get the request URL.
    var request = HttpContext.Current.Request;
    var requestUrl = request.Url;

    // Build the realm URL from the host the browser asked for
    // (the Host header, falling back to the request authority).
    var realmUrl = new StringBuilder();
    realmUrl.Append(requestUrl.Scheme);
    realmUrl.Append("://");
    realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
    realmUrl.Append(request.ApplicationPath);
    if (!request.ApplicationPath.EndsWith("/"))
        realmUrl.Append("/");

    // Override the web.config realm for this sign-in request only.
    e.SignInRequestMessage.Realm = realmUrl.ToString();
}

Oren Melzer on Tue, 05 Mar 2013 19:13:39


Jorge, that code shouldn't be necessary unless both of your RPs are running the same code as a multi-tenant service. If that is the case, that approach is correct. If not, take a look at the following section in your web.config file. In particular, the realm value in <federatedAuthentication> should be orgB for RP B.

  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="realm" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://yournamespace.accesscontrol.windows.net/v2/wsfederation" realm="realm" requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>
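The handler posted above derives the realm from the Host header, which is chosen by the client, and Oren's reply confirms that per-request realms are the right approach only for a multi-tenant deployment. The following is an added example (not code from this thread, from the linked blog post, or from Microsoft) of the same idea with two checks a practitioner would want: the realm is only built from an allow-list of tenant hosts, so an unexpected Host value cannot steer the sign-in to an arbitrary wtrealm, and every tenant realm is registered as an accepted audience, since ACS issues the token for the realm it was asked for and WIF's audience check would otherwise only accept the single <audienceUris> entry in web.config. The tenant host names, the class name TenantRealm and the helper names are assumptions for illustration; the WIF 3.5 (Microsoft.IdentityModel) types are the ones the thread's web.config uses.

```csharp
// Added example, not from the thread. Hardened multi-tenant realm derivation for
// a WIF 3.5 / ACS relying party. Tenant host names below are assumed.
using System;
using System.Text;
using System.Web;
using Microsoft.IdentityModel.Web;

public static class TenantRealm
{
    // Assumed allow-list: one entry per relying party registered in ACS.
    public static readonly string[] TenantHosts =
    {
        "orgA.myDomain.com",
        "orgB.myDomain.com",
    };

    // Returns the canonical tenant host for the request, or null when the
    // request's Host is not a registered tenant.
    public static string ResolveTenantHost(string hostHeader, Uri requestUrl)
    {
        var authority = string.IsNullOrEmpty(hostHeader) ? requestUrl.Authority : hostHeader;
        var hostName = authority.Split(':')[0].Trim();   // drop any port
        foreach (var tenant in TenantHosts)
        {
            if (string.Equals(tenant, hostName, StringComparison.OrdinalIgnoreCase))
                return tenant;   // use the spelling registered in ACS, not the client's
        }
        return null;
    }

    // Builds "https://<tenant host><applicationPath>/" for a known tenant and
    // refuses to produce a realm for anything else.
    public static string BuildRealm(string hostHeader, Uri requestUrl, string applicationPath)
    {
        var tenant = ResolveTenantHost(hostHeader, requestUrl);
        if (tenant == null)
            throw new InvalidOperationException("Host is not a registered tenant; refusing to redirect to ACS.");

        var realm = new StringBuilder("https://");   // RPs are registered in ACS as https
        realm.Append(tenant);
        realm.Append(string.IsNullOrEmpty(applicationPath) ? "/" : applicationPath);
        if (realm[realm.Length - 1] != '/')
            realm.Append('/');
        return realm.ToString();
    }

    // The same value, encoded for the realm= parameter of a custom login page script.
    public static string BuildRealmParameter(string hostHeader, Uri requestUrl, string applicationPath)
    {
        return HttpUtility.UrlEncode(BuildRealm(hostHeader, requestUrl, applicationPath));
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Register every tenant realm as an accepted audience. The realm for each
        // tenant is built exactly as BuildRealm does for a live request, using the
        // application's virtual path, so the audience matches what ACS issues.
        FederatedAuthentication.ServiceConfigurationCreated += (s, args) =>
        {
            foreach (var tenant in TenantRealm.TenantHosts)
            {
                var audience = TenantRealm.BuildRealm(tenant, null, HttpRuntime.AppDomainAppVirtualPath);
                args.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
            }
        };
    }

    protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        var request = HttpContext.Current.Request;
        // Throws for an unknown host, so the browser is never sent to ACS with a
        // realm that no relying party was registered for.
        e.SignInRequestMessage.Realm = TenantRealm.BuildRealm(
            request.Headers["Host"], request.Url, request.ApplicationPath);
    }
}
```

Keeping the allow-list as the single source for both the realm and the audience list means that adding a tenant is one edit here plus the matching relying party in ACS; a host that is missing from the list fails closed at the redirect rather than producing a token the application would then reject at audience validation.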

RDevelopment on Wed, 06 Mar 2013 12:23:29


Hi Oren! yes, both RPs are running the same code, that's why I was having problems with the redirect to the realm in the web.config.

But now the problem comes when I try to use a custom login page. I have added an .aspx page and copied the content of the .html that I downloaded from the ACS Portal. This works for the default RP with Windows Live and ADFS.

But to make it work with the second RP using the same login page, I'm following these steps, which throw a redirect error.

In the Page_Load, I'm trying to set up the realm like this, just for testing purposes:

returnRealm = Server.UrlEncode("https://orgB.mydomain.com/");

Having in the <script src= ...

...protocol=wsfederation&amp;realm=<%=returnRealm%>&amp;reply_to=&amp;context=

Is that a correct way to handle this?

Thanks!


Oren Melzer on Wed, 06 Mar 2013 21:44:09


Looks about right. Just ensure that everything is URL encoded correctly. Do you receive an error when you try this? If so, what is the error?

RDevelopment on Thu, 07 Mar 2013 12:50:10


Yes, that code was right. I was getting "returnRealm is not declared. It may be inaccessible due to its protection level". So the problem there was that when I copied the .html content to the .aspx, I didn't include the CodeBehind tag.

Now everything seems to work as I would like; I'm working on modifying the custom login page. Thanks for your help, I appreciate it!