
I have followed this article, Using IdSrv2 as IP-STS with membership store, and it works fine on my first client app with return URL abc.com/a.aspx in one of the Relying Parties & Resources.

For my scenario I just want to use one Identity Provider that I created. This is because I don't want to show all of the identity providers that I created on the HRD page; I just want to show my IdP and the other identity services from social networks (Facebook, Google+, etc.).

But it always returns to abc.com/a.aspx when I log in to my second client app. Is there any solution to my problem?

Aggis Wu

1 Answer


I have created the setup that I believe you are trying to achieve. So I have Portal1 and Portal2. Both portals are set to authenticate users against idsrv2 (Thinktecture IdentityServer) and are set to use HRD. Idsrv2 is set to delegate authentication of users through HRD to idsrv (Thinktecture IdentityServer).

The configuration of Portal1 web.config (only the important part) is

<system.identityModel>
  <identityConfiguration>
    <!-- Must equal the realm this RP sends as wtrealm: the STS puts that realm into the token's audience. -->
    <audienceUris>
      <add value="https://localhost/Portal1/" />
    </audienceUris>
    <!-- Pins the STS signing certificate by thumbprint, and the issuer name it is allowed to use. -->
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://idsrv2">
        <keys>
          <add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
        </keys>
        <validIssuers>
          <add name="http://idsrv2" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes only. -->
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <!-- requireSsl="false" / requireHttps="false" are likewise development-only settings. -->
    <cookieHandler requireSsl="false" />
    <!-- issuer: the STS HRD endpoint the browser is redirected to; realm: the wtrealm the STS uses to look this RP up and pick its redirect URL. -->
    <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal1/" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

And configuration of Portal2 (also important parts only) is:

<!-- Same trust settings as Portal1; only the audience URI and the realm differ, and both are Portal2's own. -->
<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="https://localhost/Portal2/" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://idsrv2">
                <keys>
                    <add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
                </keys>
                <validIssuers>
                    <add name="http://idsrv2" />
                </validIssuers>
            </authority>
        </issuerNameRegistry>
        <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes only. -->
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal2/" requireHttps="false" />
    </federationConfiguration>
</system.identityModel.services>

Now, configuration of idsrv (the parts I believe are important):

(Screenshots, not included in this extraction: General configuration; Key configuration; WS-Federation protocol configuration; Identity providers; Relying parties)

And finally the configuration of idsrv2:

(Screenshots, not included in this extraction: General configuration; Key configuration; WS-Federation protocol configuration; Identity providers; Relying parties; RP for Portal1 configuration; RP for Portal2 configuration)

And last, the network flow when authenticating on Portal1 (screenshot, not included in this extraction).

pepo
  • I would like to show the HRD page for user login, but now I have two client applications, A (abc.cloudapp.net/oauthclient2/) and B (XYZ.cloudapp.net/oauthclient3/). A and B will provide the same WS-Fed identity provider (IdP) named "TMIDP" as a login button on the HRD page that I created, but in the "Relying Parties & Resources" settings I also created an RP named "TMIDP". For the RP "TMRP" I have to set the "A" URL as the Redirect URL. I would like to make IdP "TMIDP" serve another client application B and redirect to B, but it always redirects to A. How can I make TMIDP redirect to both A and B? – Aggis Wu Apr 03 '14 at 13:46
  • Set application B as a Relying Party the same way as you set application A as a relying party. Choose a different realm for application B and set the redirect URL to application B. Now users accessing either application A or B will have to authenticate. If you want to accept a token issued to application A in application B, then set both realms in the audience URIs of both applications. – pepo Apr 03 '14 at 18:49
  • I keep the settings as in [HRD](https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/651). Then I followed what you mentioned to create an RP for application B and set a different realm for this B RP, but I am confused about how to configure the web.config in A and B. When I log in to B, B is still redirected to A. – Aggis Wu Apr 04 '14 at 00:01
  • Did you set the redirect URL in RP_B to application B? You mentioned that you set only a different realm. – pepo Apr 04 '14 at 07:18
  • Yes, I did. I set the redirect URL to application B, but I am still redirected to application A when I log in to B. – Aggis Wu Apr 04 '14 at 07:32
  • And what realm did you specify in application B's config file? It should be the new realm (the one you set for RP_B). – pepo Apr 04 '14 at 07:34
  • Yes, I specified the new realm that I set for RP_B in application B. I think the SiteID in the identity server's general configuration is related to the Realm/Scope Name of RP_A that I set for application A, because if I change the RP_A Realm to another one, applications A and B will not be redirected and show the "Invalid realm" message on the error page. – Aggis Wu Apr 04 '14 at 08:55
  • Hi pepo, you gave me a key hint. In my scenario, I just need one identity server, so I tried to revise your example to fit my use case. I wrote a wiki page to explain how I set up HRD in my scenario: [Thinktecture Identity Server V2 using HRD](https://github.com/boosterwu/Thinktecture-Building/wiki/Thinktecture-Identity-Server-V2-using-HRD) – Aggis Wu Apr 06 '14 at 16:21
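The following is an added example, not code from the answer, the comments or Thinktecture IdentityServer. It models the WS-Federation passive sign-in flow the thread is about: the RP redirects to the STS with its realm in wtrealm, the STS looks the relying party up by that realm and sends the token to the redirect URL registered for it, and the RP then applies the checks that the <issuerNameRegistry>, <validIssuers> and <audienceUris> settings above express. It reproduces the three behaviours in the thread: an application that sends Portal1's realm is sent back to Portal1's registered redirect URL whichever application it really is, an unregistered realm produces "Invalid realm", and a token issued for Portal1's realm is rejected by Portal2 unless Portal2 also lists Portal1's realm as an audience (pepo's last suggestion). The function names, the HMAC signature standing in for the X.509 signature, the SHA-1-of-key "thumbprint", and the assumption that the STS always uses the registered redirect URL are all modelling choices made here, not IdentityServer v2 behaviour verified from its source.

```python
# Added example, not from the post or from Thinktecture IdentityServer:
# a model of the WS-Federation passive sign-in flow discussed above.
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key standing in for the STS signing certificate. WIF pins
# the X.509 thumbprint; here the "thumbprint" is simply SHA-1 of the key bytes.
STS_SIGNING_KEY = b"idsrv2-signing-key-demo"
STS_THUMBPRINT = hashlib.sha1(STS_SIGNING_KEY).hexdigest().upper()
STS_ISSUER = "http://idsrv2"
STS_HRD_URL = "https://localhost/idsrv2/issue/hrd"

# The STS's relying-party registry, keyed by realm as on the "Relying Parties &
# Resources" screen: one realm, one registered reply (redirect) URL.
RELYING_PARTIES = {
    "https://localhost/Portal1/": {"reply_url": "https://localhost/Portal1/"},
    "https://localhost/Portal2/": {"reply_url": "https://localhost/Portal2/"},
}


class InvalidRealm(Exception):
    """Raised when wtrealm names no registered relying party."""


def rp_signin_redirect(realm):
    """RP side: what <wsFederation passiveRedirectEnabled="true" realm=.../> does
    on an unauthenticated request: send the browser to the STS with wa=wsignin1.0
    and the RP's realm in wtrealm."""
    return STS_HRD_URL + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": realm})


def sts_issue(signin_url, subject):
    """STS side: look the RP up by wtrealm. The token carries that realm as its
    audience and goes to the *registered* reply URL of that realm, so whichever
    application sent the realm, the browser lands on the URL registered for it."""
    realm = parse_qs(urlparse(signin_url).query)["wtrealm"][0]
    rp = RELYING_PARTIES.get(realm)
    if rp is None:
        raise InvalidRealm(realm)
    payload = {"iss": STS_ISSUER, "aud": realm, "sub": subject}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return rp["reply_url"], {"payload": payload, "sig": sig, "kid": STS_THUMBPRINT}


def rp_validate(token, audience_uris, trusted_thumbprints, valid_issuers, keys):
    """RP side: the checks <issuerNameRegistry>/<keys>, <validIssuers> and
    <audienceUris> express, in the order that matters: the signature is verified
    before any claim in the payload is trusted."""
    key = keys.get(token["kid"])
    if token["kid"] not in trusted_thumbprints or key is None:
        raise ValueError("untrusted signing key")
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature")
    if token["payload"]["iss"] not in valid_issuers:
        raise ValueError("untrusted issuer")
    if token["payload"]["aud"] not in audience_uris:
        raise ValueError("audience mismatch")
    return token["payload"]["sub"]


# Portal2's trust settings, mirroring its web.config in the answer.
PORTAL2_TRUST = dict(trusted_thumbprints={STS_THUMBPRINT}, valid_issuers={STS_ISSUER},
                     keys={STS_THUMBPRINT: STS_SIGNING_KEY})


def where_does_the_browser_land(realm_sent_by_app):
    """The symptom in the question: an app that sends Portal1's realm is sent
    back to Portal1's registered redirect URL, whatever app it really was."""
    try:
        reply_url, _ = sts_issue(rp_signin_redirect(realm_sent_by_app), "alice")
        return reply_url
    except InvalidRealm as e:
        return "Invalid realm: " + str(e)


def portal2_accepts_portal1_token(accept_both_realms):
    """pepo's last comment: a token issued for Portal1's realm is rejected by
    Portal2 unless Portal2's audienceUris also lists Portal1's realm."""
    _, token = sts_issue(rp_signin_redirect("https://localhost/Portal1/"), "alice")
    audiences = {"https://localhost/Portal2/"}
    if accept_both_realms:
        audiences.add("https://localhost/Portal1/")
    try:
        return rp_validate(token, audiences, **PORTAL2_TRUST)
    except ValueError as e:
        return "rejected: " + str(e)


def portal2_accepts_relabelled_token():
    """Re-labelling a Portal1 token for Portal2 without the STS key fails the
    signature check before the audience check is ever reached."""
    _, token = sts_issue(rp_signin_redirect("https://localhost/Portal1/"), "alice")
    token["payload"]["aud"] = "https://localhost/Portal2/"
    try:
        return rp_validate(token, {"https://localhost/Portal2/"}, **PORTAL2_TRUST)
    except ValueError as e:
        return "rejected: " + str(e)
```

Calling where_does_the_browser_land with Portal1's realm returns Portal1's URL, with Portal2's realm Portal2's URL, and with an unregistered realm the "Invalid realm" message; portal2_accepts_portal1_token(False) reports an audience mismatch while portal2_accepts_portal1_token(True) returns the subject; portal2_accepts_relabelled_token is refused for a bad signature. The practical reading for the question: each application must send its own registered realm, and the realm, the RP's redirect URL and the application's audience URI have to agree for the right application to receive, and accept, the token.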