
We are trying to add AD FS as a SAML identity provider using custom policies in Azure Active Directory B2C. We have configured the AD FS server using a federation server proxy. We have followed the following links for the setup:

https://learn.microsoft.com/en-us/office365/troubleshoot/active-directory/set-up-adfs-for-single-sign-on
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/design/when-to-create-a-federation-server-proxy

We have added the AD FS server as a SAML identity provider in AD B2C using the following link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-adfs?pivots=b2c-custom-policy

Now when we click on the SAML identity provider we get the following error: Unable to resolve the IP address for the metadata endpoint 'My-Domain-Name/FederationMetadata/2007-06/FederationMetadata.xml'

Does anyone have any idea/suggestion to resolve this issue? We have followed all the steps in the reference but are still not able to get past this issue.

  • Where have you hosted FederationMetadata.xml? Make sure it is accessible from the Azure network. For a slightly different use case I had simply uploaded the FS metadata.xml to blob storage and used its URL – Sadiq Khoja Jan 22 '21 at 15:47
  • Hello Sadiq, thanks for the response. Azure is interacting directly with the ADFS server using the relying party trust. I have followed the following link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-adfs?pivots=b2c-custom-policy. Will it be helpful to host it somewhere, e.g. a Storage Account? – Mohit Aggarwal Jan 22 '21 at 15:54
  • I would do a simple test: from any Azure-hosted VM, try to access the FS metadata file. I think Azure is unable to resolve your DNS – Sadiq Khoja Jan 22 '21 at 16:01
  • Thanks Sadiq. That would be really helpful. Please let me know your observations. – Mohit Aggarwal Jan 22 '21 at 16:17
  • You have to do that test, I don't have access to your FS and your Azure resources :) – Sadiq Khoja Jan 22 '21 at 16:19
  • OK, sorry, I thought you were talking about your environment :). I will test that out and will share the result here. – Mohit Aggarwal Jan 22 '21 at 16:27
  • Hello Sadiq, I uploaded the federation metadata file to an Azure storage account and was able to access the file. But now I am facing the following error: 'My-Policy-Name' policy in 'My-Tenant-Name' specifies the subject claim 'sub' which is missing in the claims collection. – Mohit Aggarwal Jan 25 '21 at 13:03
  • Edit your Azure policy and remove the 'sub' claim (not sure if that's possible), or the other option is to modify the configuration in FS to add 'sub' to the claim list; you would need to re-upload the metadata file – Sadiq Khoja Jan 25 '21 at 13:22
  • Hello Sadiq, it does not allow removing the 'sub' claim in the custom policy. I have also added the 'sub' claim to the ADFS server claims list and have re-uploaded the metadata file. But it is still showing the same error. – Mohit Aggarwal Jan 27 '21 at 07:24
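A small check along the lines Sadiq suggests in the comments, added here as an example that is not part of the question or of the linked Microsoft docs: it resolves the metadata host, then parses a federation metadata document and lists the SAML SSO endpoint and the claim types the IdP advertises. The metadata document and hostnames are constructed, and it only shows which claim types AD FS offers, not how B2C maps them to 'sub'.

```python
"""Check an AD FS FederationMetadata.xml along the lines suggested in the comments:
resolve the metadata host (run from an Azure-hosted VM to see what B2C sees), then
parse the document and list its SAML SSO endpoint and advertised claim types."""
import socket
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}

# Constructed, cut-down stand-in for an AD FS metadata document; host is a placeholder.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def resolve_metadata_host(metadata_url):
    """IP addresses the metadata host resolves to, or [] when DNS fails
    (the 'Unable to resolve the IP address' symptom from the question)."""
    host = urlparse(metadata_url).hostname
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})
    except OSError:
        return []

def inspect_metadata(xml_bytes):
    """Parse the metadata: entityID, SAML SSO endpoints and the claim URIs offered."""
    root = ET.fromstring(xml_bytes)
    sso = [e.get("Location") for e in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    claims = [c.get("Uri") for c in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS)]
    return {"entity_id": root.get("entityID"), "sso_endpoints": sso, "claims_offered": claims}

def missing_claims(xml_bytes, required):
    """Required claim URIs the IdP does not advertise (e.g. the one B2C maps to 'sub')."""
    offered = set(inspect_metadata(xml_bytes)["claims_offered"])
    return [uri for uri in required if uri not in offered]
```

Point `resolve_metadata_host` at the real metadata URL from an Azure VM and, if it returns an empty list, the failure is DNS rather than the policy; `missing_claims` then shows whether the claim AD FS was configured to issue actually appears in the re-uploaded metadata.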
