sharpster1 on Sun, 19 Jan 2014 21:03:17
I'm setting up a lab where I have two Domain Controllers with AD FS installed. I want to federate these Identity Providers with Azure ACS. Because it is a lab I'm using self-signed certs for the AD FS services on port 443.
I can successfully navigate to the /FederationMetadata/2007-06/FederationMetadata.xml from a browser, but when I try to use that address in the Identity Provider page of my ACS it says
Unable to download a WS-Federation metadata document from the specified URL
I'm wondering if ACS is tripping over the self-signed cert. Can ACS use Identity Providers hosted on an SSL port with a self-signed cert?
Oliverfan on Mon, 20 Jan 2014 09:07:27
>>Unable to download a WS-Federation metadata document from the specified URL
About this issue, I suggest you have a look at the following thread.
Hope this helps
MingXu-MSFT on Mon, 20 Jan 2014 14:59:42
May I know whether you can access the ADFS from the internet? If not, then ACS is unable to access it as well. As a workaround, you may want to upload the metadata file directly inside the portal.
Or save it on an internet website (such as a Windows Azure web site). Based on my understanding, the metadata needs to be hosted on the internet, as ACS needs to read its content. The actual federation does not involve ACS requesting anything from your STS, so even if it's not accessible from the internet, it could work fine.
sharpster1 on Tue, 21 Jan 2014 23:14:18
I can confirm that self-signed certificates for the AD FS service certificate do not work. Once I installed a CA created certificate it worked with no problem.
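The thread ends with two distinct failure causes: the metadata host not being reachable from the internet (MingXu-MSFT's point) and the AD FS service certificate being self-signed so a consumer that trusts only public CAs rejects the TLS handshake (sharpster1's finding). The script below is an added diagnostic example, not code from the thread or from Microsoft; it fetches the metadata URL with the standard CA trust store, classifies the outcome as `untrusted-cert`, `unreachable`, `not-metadata` or `ok`, and can save a good copy for the manual-upload workaround. The hostname `adfs.lab.example` and the embedded metadata document are constructed for the demonstration; the only assumption about the real endpoint is that it serves SAML 2.0 `EntityDescriptor` metadata with a `ds:X509Certificate` signing key, which is what AD FS publishes at that path.

```python
"""Diagnose why a consumer such as ACS might reject a WS-Federation metadata URL.

Checks, in order: can the URL be fetched with the default (public CA) trust
store, and does the body look like federation metadata with a signing key.
Added example for the thread above; not the original poster's or Microsoft's code.
"""
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def default_fetch(url, timeout=10):
    """Fetch with Python's default CA bundle. A self-signed AD FS certificate
    fails here for the same reason it fails for a cloud consumer: nothing in the
    public trust store vouches for it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def inspect_metadata(body):
    """Return ('ok', detail) if body is SAML 2.0 metadata carrying at least one
    X509Certificate, otherwise ('not-metadata', reason)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ("not-metadata", f"XML parse error: {exc}")
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        return ("not-metadata", f"unexpected root element {root.tag}")
    certs = root.findall(f".//{{{XMLDSIG_NS}}}X509Certificate")
    if not certs:
        return ("not-metadata", "no X509Certificate (signing key) found")
    return ("ok", f"entityID={root.get('entityID', '')}, certificates={len(certs)}")


def classify_metadata_url(url, fetch=default_fetch):
    """Map the fetch outcome to the two failure causes discussed in the thread
    plus a content sanity check. `fetch` is injectable so the logic can be
    exercised offline."""
    try:
        body = fetch(url)
    except urllib.error.URLError as exc:
        # urlopen wraps TLS verification failures in URLError; look at the cause.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return ("untrusted-cert", str(exc.reason))
        return ("unreachable", str(exc.reason))
    except ssl.SSLError as exc:
        return ("untrusted-cert", str(exc))
    return inspect_metadata(body)


def save_for_manual_upload(body, path):
    """Keep a local copy of the metadata to upload in the portal instead of
    having the consumer fetch it (the workaround suggested in the thread)."""
    with open(path, "wb") as fh:
        fh.write(body)
    return path


# Constructed minimal AD FS-style metadata document (placeholder certificate value).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.lab.example/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    # Offline demonstration against the constructed document; swap in the real
    # URL (and drop the fetch override) to test a lab AD FS instance.
    url = "https://adfs.lab.example/FederationMetadata/2007-06/FederationMetadata.xml"
    print(classify_metadata_url(url, fetch=lambda _u: SAMPLE_METADATA))
```

Reading the result: `untrusted-cert` is the self-signed case and the fix is a CA-issued service certificate, as sharpster1 confirmed; `unreachable` means the consumer cannot reach the host at all, so either publish the endpoint or use `save_for_manual_upload` and upload the file in the portal; `ok` but still rejected by ACS points to a problem on the consumer side rather than the AD FS side.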