ACS cannot read Identity Provider Federation Data

Category: azure security

Question

sharpster1 on Sun, 19 Jan 2014 21:03:17


I'm setting up a lab where I have two Domain Controllers with AD FS installed.  I want to federate these Identity Providers with Azure ACS.  Because it is a lab I'm using self-signed certs for the AD FS services on port 443.

I can successfully navigate to /FederationMetadata/2007-06/FederationMetadata.xml from a browser, but when I try to use that address in the Identity Provider page of my ACS it says

Unable to download a WS-Federation metadata document from the specified URL

I'm wondering if ACS is tripping over the self-signed cert.  Can ACS use Identity Providers hosted on an SSL port with a self-signed cert?

Replies

Oliverfan on Mon, 20 Jan 2014 09:07:27


Hi,

>>Unable to download a WS-Federation metadata document from the specified URL

About this issue, I suggest you have a look at the following thread.

http://social.msdn.microsoft.com/Forums/windowsazure/en-US/fae7b786-9ed2-4010-a929-6ba9b838e199/acs-not-able-to-read-the-federation-metadata-url?forum=windowsazuresecurity

Hope this helps

MingXu-MSFT on Mon, 20 Jan 2014 14:59:42


Hi,

May I know whether you can access the AD FS from the internet? If not, then ACS is unable to access it either. As a workaround, you may want to upload the metadata file directly inside the portal,

or save it on an internet web site (such as a Windows Azure web site). Based on my understanding, the metadata needs to be hosted on the internet, as ACS needs to read its content. The actual federation does not involve ACS requesting anything from your STS, so even if it's not accessible from the internet, it could work fine.

Best Regards,

Ming Xu

sharpster1 on Tue, 21 Jan 2014 23:14:18


I can confirm that self-signed certificates for the AD FS service certificate do not work. Once I installed a CA-created certificate it worked with no problem.
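The two things this thread turns on are whether ACS can reach the metadata URL at all (Ming Xu's reply) and whether the TLS certificate it finds there chains to a trusted CA (sharpster1's conclusion). The script below is an added example for this page, not code from the original posts or from Microsoft: it fetches the metadata with a default, verifying TLS context, so a self-signed AD FS service certificate fails in the same way it fails in the ACS portal, and it parses the WS-Federation metadata (entityID, signing-certificate thumbprint, passive endpoint) so you can sanity-check the file before uploading it via the portal workaround. The hostname adfs1.lab.example, the sample metadata document and the placeholder certificate bytes are constructed for illustration.

```python
"""Pre-flight check for a WS-Federation metadata URL before pointing ACS at it.

Added example for this thread; hostnames, the sample metadata and the
placeholder certificate bytes below are constructed, not captured from AD FS.
"""
import base64
import hashlib
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# Not a real certificate; only used to show how the thumbprint is derived.
SAMPLE_CERT_DER = bytes(range(0x30, 0x70))

# Constructed sample of the document AD FS serves at
# /FederationMetadata/2007-06/FederationMetadata.xml, trimmed to the parts
# ACS reads: entityID, the token-signing certificate and the passive endpoint.
FEDERATION_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:xsi="{NS['xsi']}"
                  xmlns:fed="{NS['fed']}"
                  entityID="http://adfs1.lab.example/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="{NS['fed']}">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="{NS['wsa']}">
        <Address>https://adfs1.lab.example/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the Thumbprint value shown
    in the Windows certificate MMC, so it can be compared by eye."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text: str) -> dict:
    """Extract the fields ACS needs from a WS-Federation metadata document."""
    root = ET.fromstring(xml_text)  # stdlib ElementTree does not resolve external entities
    result = {"entity_id": root.get("entityID"),
              "signing_thumbprints": [], "passive_endpoints": []}
    for role in root.findall("md:RoleDescriptor", NS):
        # AD FS marks its STS role as fed:SecurityTokenServiceType; match on the
        # local name so a different prefix in the document still works.
        if not role.get(f"{{{NS['xsi']}}}type", "").endswith(":SecurityTokenServiceType"):
            continue
        for kd in role.findall("md:KeyDescriptor[@use='signing']", NS):
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                der = base64.b64decode(cert.text.strip())
                result["signing_thumbprints"].append(sha1_thumbprint(der))
        for addr in role.findall(
                "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS):
            result["passive_endpoints"].append(addr.text.strip())
    return result


def probe_metadata_url(url: str, timeout: float = 10) -> tuple:
    """Fetch the URL with Python's default, verifying TLS context.

    A self-signed service certificate (or one whose subject does not match the
    hostname) fails here just as it fails in the ACS portal. Returns
    (status, detail) with status in: ok, untrusted-cert, http-error, unreachable.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:          # reachable, but not 2xx
        return "http-error", f"{exc.code} {exc.reason}"
    except urllib.error.URLError as exc:           # DNS, connect or TLS failure
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "untrusted-cert", str(exc.reason)
        return "unreachable", str(exc.reason)
    except OSError as exc:                         # bare socket timeout and similar
        return "unreachable", str(exc)


def check(url: str) -> tuple:
    """Probe the URL; on success return the parsed metadata instead of raw XML."""
    status, detail = probe_metadata_url(url)
    return (status, parse_federation_metadata(detail)) if status == "ok" else (status, detail)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else \
        "https://adfs1.lab.example/FederationMetadata/2007-06/FederationMetadata.xml"
    print(check(target))
    print("offline sample:", parse_federation_metadata(FEDERATION_METADATA))
```

Run it from a machine outside the lab with the metadata URL as the argument. A result of `unreachable` is the case Ming Xu describes (ACS cannot fetch what it cannot reach; upload the file or host it on a public web site instead), `untrusted-cert` is the case sharpster1 hit with the self-signed certificate, and `ok` prints the entityID and signing thumbprint you should see reflected in the ACS Identity Provider page after import.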