0

I am getting a strange error in the ADFS 2.0 event log, as follows:


"The Federation Service could not fulfill the token-issuance request because the relying party 'https://my-relying-party' is missing a WS-Federation Passive endpoint address.

Relying party: https://my-relying-party

This request failed.

User Action

Use the AD FS 2.0 Management snap-in to configure a WS-Federation Passive endpoint on this relying party."


This happens after the SAML response is verified successfully by ADFS 2.0, but it apparently fails to issue a token for the relying party application.

I configured both the IDP and the SP in ADFS 2.0 as SAML 2.0, so I don't understand why a WS-Federation endpoint is expected.

Any help will be appreciated.

Joshua

4 Answers

3

Is your web application talking the WS-Federation protocol or the SAML protocol (SAML-P)? If your web application is based on WIF, then you are using WS-Federation. Note that both protocols use SAML tokens.

If your application talks the WS-Federation protocol, then in your AD FS Relying Party Trust you need to set the WS-Federation endpoint(s). If it talks the SAML protocol, you need to set the SAML protocol endpoint(s).

Based on your error message, your application probably talks WS-Federation, therefore you need to set the WS-Federation endpoint.

  • My IDP talks SAML 2.0. ADFSv2 is configured with SAML endpoints for both the Relying Party Trust and the Claims Provider Trust (each contains a single SAML endpoint). Sorry, I am not sure what my web application talks. I created a new ASP.NET project using VS 2010 and copied web.config from the following URL: http://alt.pluralsight.com/wiki/default.aspx/Keith/SettingUpADFSSampleApp.html I couldn't find any template in VS 2010 for a SAML consumer web application, so I am playing around to find the correct solution. Thanks for your help! – Joshua Feb 16 '11 at 15:42
2

You need to add the web application URL to the endpoints in the properties of your relying party.


flayn
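The first answer and flayn's answer both come down to the same fix: give the relying party trust a WS-Federation passive endpoint. The following is an added example (not code from the original thread, and not from any of the answerers) showing how to do that with the AD FS 2.0 PowerShell snap-in instead of the management snap-in, and how to check afterwards which endpoints the trust actually carries. The relying party identifier `https://my-relying-party` is taken from the event-log text in the question; the endpoint URL `https://my-relying-party/` and the idea that the application is a WIF app are assumptions for the example.

```powershell
# Added example, not from the original thread. Requires the AD FS 2.0 PowerShell
# snap-in on the federation server (Microsoft.Adfs.PowerShell).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Identifier from the event log in the question. WIF sends this as wtrealm, and
# AD FS matches it against the relying party trust identifier.
$rpIdentifier  = 'https://my-relying-party'

# Assumed: the URL at which the WIF application receives the WS-Fed response
# (the wresult POST). It must match the application's own wreply / realm settings
# in web.config, otherwise the token is rejected or sent to the wrong place.
$wsFedEndpoint = 'https://my-relying-party/'

$rp = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) {
    throw "No relying party trust found with identifier $rpIdentifier"
}

# Reproduces the condition behind the event-log error: SAML endpoints present,
# WS-Fed endpoint empty.
"WS-Fed endpoint before: '$($rp.WSFedEndpoint)'"
"SAML endpoints before:  $($rp.SamlEndpoints.Count)"

# The actual fix: set the WS-Federation passive endpoint on the trust.
Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier -WSFedEndpoint $wsFedEndpoint

# Re-read the trust and show both protocol endpoints so the mismatch
# (SAML configured, WS-Fed expected) is visible in one place.
$rp = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
"WS-Fed endpoint after:  '$($rp.WSFedEndpoint)'"
if ($rp.SamlEndpoints) {
    "SAML endpoints after:"
    $rp.SamlEndpoints | Format-Table Protocol, Binding, Location -AutoSize
}
```

Two checks are worth making once this is in place: the endpoint should be HTTPS (AD FS 2.0 posts the signed token to it, and a plain HTTP reply URL exposes the token in transit), and the identifier in the trust must be byte-for-byte what the application sends as wtrealm, including any trailing slash, or AD FS will not find the trust at all.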
2

The integration between your SAML 2.0 SP (ADFSv2) and your RP application is done via the WS-Federation Passive Requester Profile. So you'll need to set up your application to receive the WS-Fed response and parse it appropriately. You'll also have to configure ADFSv2 to generate this message as well (per the error message you received).

Hope this helps - Ian

Ian
  • That explains the error message.. Thanks a lot! I'll try adding a WS-Fed endpoint to the relying party in ADFSv2 and see how it goes. – Joshua Feb 15 '11 at 15:52
1

Adding the WS-Federation passive reference, either manually or in the federation file, will solve the problem.

Please let me know if you need detail guidance.

kunjee