
I am trying to chain two ADFS instances together. We have an application protected by one ADFS and users that are in another AD that also uses ADFS to protect applications. Now I am trying to give access to an application protected by one ADFS to the users in the other ADFS.

In the ADFS that has the users in AD, I have set up a new Relying Party that is the other ADFS instance.

In the ADFS that protects the application I have set up a Claims Provider trust; I did this by pointing at the metadata of the ADFS instance that has the users in Active Directory. This seems to be working.

Now when I try to access my protected application, I get certificate errors for the SSO certs. I click through those, then it bounces me to the RP ADFS and a page displays giving me the choice of authentication, either AD or my ID ADFS instance. I choose the ID ADFS that I have just set up, click continue and it bounces me to the login page. After logging in it bounces me back to the RP ADFS server and then I get an error, with a reference number. When I look up the reference number in the event log I see either 2 or 3 errors.

The first is about a revocation list:

An error occurred during an attempt to build the certificate chain for the claims provider trust 'http://dev-sso.xxxxxxx.com/adfs/services/trust' certificate identified by thumbprint '54xxxxxxxxxxxxxxxxxxxxxxE28C9A57481'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period.

The second is:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)


1 Answer


I decided to disable the revocation list check. I think the issue is a proxy or firewall that sits in the way; in production we will have real certificates, so I think this will be less of a problem.
So not really the answer, but enough to move on.
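The following PowerShell is an added diagnostic for the two events quoted in the question; it is not the poster's code or anything from the answer. Run on the RP-side AD FS server, it reproduces the chain build that the first event reports as failing (with online CRL/OCSP lookups, so a blocked proxy or firewall shows up as a revocation-status error rather than an untrusted-root error), and then checks whether the thumbprint from the event is among the signing certificates the claims provider trust actually holds, which is what ID4037 in the second event is complaining about. The trust display name 'Dev SSO' and the thumbprint value are placeholders standing in for the redacted values on the page.

```powershell
# Added diagnostic for the two AD FS events above (not the poster's code).
# Run in an elevated PowerShell session on the RP-side AD FS server.
# Assumed values: trust display name and event thumbprint are placeholders.
Import-Module ADFS

$TrustName  = 'Dev SSO'                                  # assumed display name of the claims provider trust
$EventThumb = '54XXXXXXXXXXXXXXXXXXXXXXXXE28C9A57481'     # placeholder for the thumbprint quoted in the event

$trust = Get-AdfsClaimsProviderTrust -Name $TrustName
"Identifier:            $($trust.Identifier)"
"Metadata URL:          $($trust.MetadataUrl)"
"Revocation check mode: $($trust.SigningCertificateRevocationCheck)"

# Event 1 (chain build failure): build the chain for each configured token-signing
# certificate with online revocation checking and print why it fails.
foreach ($cert in $trust.TokenSigningCertificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $ok = $chain.Build($cert)
    "Signing cert $($cert.Thumbprint) ($($cert.Subject)) chain ok: $ok"
    if (-not $ok) {
        # RevocationStatusUnknown / OfflineRevocation: the CRL or OCSP endpoint could not
        # be reached (the proxy/firewall case the answer suspects).
        # UntrustedRoot: the issuing CA of the dev certificate is not trusted on this server.
        $chain.ChainStatus | ForEach-Object { "   $($_.Status): $($_.StatusInformation.Trim())" }
    }
}

# Event 2 (ID4037): the token was signed with a key this trust cannot resolve.
# Compare the thumbprint from the event with the trust's configured signing certificates.
if ($trust.TokenSigningCertificates.Thumbprint -contains $EventThumb) {
    "Trust already holds $EventThumb; ID4037 follows from the chain failure above."
} else {
    "Trust does not hold $EventThumb; the identity-side AD FS signs with a certificate this trust has not imported."
    "Refresh the trust from its federation metadata: Update-AdfsClaimsProviderTrust -TargetName '$TrustName'"
}

# What the answer did: switch revocation checking off for this one trust.
# AD FS will then accept tokens signed with this certificate even after its CA revokes it,
# so keep the change scoped to the trust and the environment where the CRL is unreachable.
# Set-AdfsClaimsProviderTrust -TargetName $TrustName -SigningCertificateRevocationCheck None
```

The `-SigningCertificateRevocationCheck` parameter also accepts `CheckEndCert`, `CheckChainExcludeRoot` and the `...CacheOnly` variants; `CheckChainExcludeRoot` or a cache-only mode keeps revocation checking for the leaf and intermediates when only the root CA's CRL is the unreachable one, which is a narrower relaxation than `None`. Whatever mode is chosen, the audit trail for the change is the same event log the reference number pointed the poster at, so re-running the chain build after the change confirms that the trust now validates for the intended reason.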