0

I have the following scenario:

  • Sharepoint 2010 with Claims based authentication web application.
  • ADFS 2.0 which has configured Claims provider trust to the ThinkTecture IdentityServer.
  • ThinkTecture IdentityServer which has configured ADFS 2.0 as a relying party.
  • Sharepoint 2010 has SPTrustedIdentityTokenIssuer configured pointing to ADFS 2.0.

Now when I'm loging to the Sharepoint, I'm redirected to the ADFS 2.0 Home Realm page, when I choose Identity Provider. Then I'm redirected to the ThinkTecture IdentityServer. Then I'm logged with my credentials from IdentityServer and I'm redirected back to the ADFS and then to the Sharepoint. The problem is, that sharepoint show error message. I'am adding log records from sharepoint:

Authenticated with login provider. Validating request security token.

Trusted login provider 'SAML2 Provider' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest()

Access Denied: Authentication is required.

I was find out, that the token returned from Identity Server to ADFS contains emailaddress claim, but the token returned from ADFS to SP does not. It is a strange, because I have ADFS configured to support emailaddress to pass through for all claims (in Claims provider trust for identity server). Do I need to setup adfs somewhere else? I am newbie in adfs.

What I want to achieve is to forward my request through the ADFS to the IdentityProvider (in this case ThinkTecture IdentityServer) and to get back the token from IdentityProvider. ThinkTecture IdentityServer is only in my test environment in the real environment it will replaced by Oracle Identity Federation.

The target problem is to integrate Sharepoint 2010 with the Oracle Identity Federation. But the problem is, that the Sharepoint doesn't support SAML 2 protocol which OIF will provides as exclusive endpoint binding. So I'm trying to hack it with the ADFS (as a somethinkg like proxy) which will communicate with Sharepoint based on the SAML 1.1 on one side and with the OIF based on the SAML 2 on other side.

This is the following extract from IdP metadata: 

<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">...

So I have no option to use WS-Federation.

I will appreciate advise if this is a good way how to achieve the required behaviour.

thanks

zosim
  • 2,959
  • 6
  • 31
  • 34

1 Answers1

0

So your path is SP -> ADFS -> IdentityServer?

The problem is that the email address is not being passed through. So you have to set up IdentityServer to generate the email address claim and you have to setup ADFS to pass through all claims. Then configure SP to accept email address as a claim (using the SP Powershell commands).

Add: You need to create pass through claim rules for the email claim in ADFS - both for the claims provider trust and the relying party trust.

OIF supports WS-Federation - refer ORACLE IDENTITY FEDERATION 11g R2 - so no problem to federate OIF with SP.

leastprivilege
  • 18,196
  • 1
  • 34
  • 50
rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • Yes, the path is right SP->ADFS->IdentityServer. The problem with OIF is that in the client configuration it only supports SAML2 protocol. I have updated my question based on your answer (because it was too long for a comment). I'm still solving issue with the emailaddress claim is not going through from ADFS to SP. SP is configured to accept emailaddress as a claim. – zosim Jan 20 '13 at 00:52
  • thanks guys, now it is working fine. I had a mistake in my adfs configuration. In my previous tests I configured adfs to use Send LDAP atribute template(with emailaddress claim) in my Relying party. After changing it to Pass through it works fine. – zosim Jan 20 '13 at 19:06