I have a custom STS (CSTS) running perfectly fine. Now we want to integrate with customers' ADFS and Azure ADs, identified based on the user's email.
As a first test setup, I have set up my local instance of CSTS (localhost based) to redirect to a test Azure AD. This test Azure AD has been set up with admin/test accounts and two applications: showclaims and my localhost-based CSTS.
When a user tries to log in, I redirect using WS-Federation to Azure AD to get the user authenticated. The idea is to get the token back into my CSTS, create the user within my system if it does not exist (auto-provisioning), generate claims, merge claims, and send the token to the relying party the user is coming from, with my CSTS acting as an R-STS.
However, I am hitting a roadblock somewhere in the Azure AD configuration, I believe. When I try to sign in with the admin account to my CSTS or the test app, which redirects to the test Azure AD, I get the error below:
User does not have access to the application.
ACS50001: ACS50001: Relying party with identifier https://localhost/myCSTS/ was not found
I read somewhere that an admin/user needs to give consent to give access to an application. However, I am unable to find such a configuration anywhere in the user or application configuration pages in Azure AD.
So my questions are:
1. Why is it saying the relying party was not found, and why does it seem that the error is an ACS error?
2. Do I have to configure ACS to use this test AD? In this case, my ID provider will be ACS's internal STS (or another configured ID provider) rather than Azure AD.
3. Where do I give consent for access to applications?
4. Do I have to enable multifactor authentication for this to work?
5. Can we use localhost-based applications for testing in Azure AD? It does not give an error, but I have not seen samples using localhost either. (I cannot really use a registered-domain-based CSTS/test application for my testing.)
Any answers would be appreciated!
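The WS-Federation redirect described in the post, as an added example (not the poster's code): it builds the wsignin1.0 request to the tenant's /wsfed endpoint and then compares the wtrealm the IdP receives against the App ID URIs registered for the application, byte for byte, which is the check that a "relying party with identifier ... was not found" response implies has failed. The tenant name, realms and the assumption that the identifier is matched verbatim (trailing slash, case and scheme all significant) are mine, not from the post.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Azure AD WS-Federation passive endpoint; the tenant is filled in per call.
AAD_WSFED_ENDPOINT = "https://login.microsoftonline.com/{tenant}/wsfed"


def build_signin_url(tenant: str, wtrealm: str, wreply: str, wctx: str) -> str:
    """Build the WS-Federation wsignin1.0 redirect a CSTS would send the browser to."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wreply": wreply, "wctx": wctx}
    return AAD_WSFED_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def realm_from_url(url: str) -> str:
    """Extract wtrealm from a sign-in URL, decoded exactly as the IdP will read it."""
    return parse_qs(urlsplit(url).query)["wtrealm"][0]


def diagnose_realm(wtrealm: str, registered: list[str]) -> str:
    """Compare the requested realm to the registered App ID URIs with an exact
    string match (assumed to be the IdP's rule) and name the likely cause of a miss."""
    if wtrealm in registered:
        return "ok"
    for r in registered:
        if r.rstrip("/") == wtrealm.rstrip("/"):
            return "trailing-slash mismatch"
        if r.lower() == wtrealm.lower():
            return "case mismatch"
        # Strip the scheme and compare the rest (host and path).
        if r.split("://", 1)[-1] == wtrealm.split("://", 1)[-1]:
            return "scheme mismatch"
    return "not registered"


if __name__ == "__main__":
    # Constructed sample: a localhost realm, as in the post, against a placeholder tenant.
    registered_app_id_uris = ["https://localhost/myCSTS/"]
    url = build_signin_url("contoso.onmicrosoft.com", "https://localhost/myCSTS",
                           "https://localhost/myCSTS/", "session-state-token")
    print(url)
    print(diagnose_realm(realm_from_url(url), registered_app_id_uris))
```

Run it with the realm your CSTS actually sends and the App ID URI shown in the portal; anything other than "ok" points at the identifier rather than at consent or MFA settings.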