Wildcard / Dynamic Realm

    Question

  • This seems like it would be so obvious, but I can't seem to find an example.

    This forum answer refers to dynamic realms and provides a good example on building the proper realm request to ACS.

    http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/c5a265bd-e5f7-419e-a079-fca9a19e7ec3

    However, I get the following error:
    ACS50001: Requested relying party realm 'http://tenant.localhost.company.com/' is unknown

    My question is simple: how do you specify wildcard names in the ACS management portal for a realm? I tried setting the Realm on my Relying Party to *.localhost.company.com and that did not work (see error).


    || Aaron Elder - Dynamics CRM MVP || http://xrm.ascentium.com/blog/crm

    Monday, April 16, 2012 5:34 PM


All replies

  • You can't do that on the ACS side. You have to explicitly set up an RP for each realm.

    You may be better off having a single realm, and when ACS returns the token to the root site, you have code that figures out which tenant should receive the token.


    Developer Security MVP | www.syfuhs.net

    • Proposed as answer by ProVega Wednesday, April 18, 2012 8:56 PM
    • Marked as answer by Aaron E. _ Wednesday, April 18, 2012 8:58 PM
    Monday, April 16, 2012 7:48 PM
  • Thank you for the reply.

    That is what I was afraid of. As I have read more, this seems like a possible way to go.

    Is there a best practice here? Is there any easy way I can pass a query string token to the ReturnUrl? The workflow is: a user will go to orgname.company.com, I need them to sign in to app.company.com, then redirect them back to orgname.company.com.

    Monday, April 16, 2012 7:58 PM
  • Hi,

    Yes, ReturnUrl can be edited but Realm cannot; it is not safe if the ACS RP can be updated while the application is running.

    Try following:

    http://msdn.microsoft.com/en-us/library/windowsazure/hh180180.aspx

    Hope this helps.


    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

    Tuesday, April 17, 2012 6:38 AM
  • It looks like the best way to pass this is via wctx (context), as it is the only parameter that is always passed and transparent to the various systems in the chain.
    • Proposed as answer by ProVega Wednesday, April 18, 2012 8:56 PM
    • Marked as answer by Aaron E. _ Wednesday, April 18, 2012 8:58 PM
    Wednesday, April 18, 2012 8:56 PM
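The single-realm approach from the marked answers, worked through as an added example (not code from the thread or from ACS/WIF): one registered relying party realm serves every tenant, the tenant host travels in wctx on the way to ACS, and on the way back it is checked against an allow-list pattern before anything is forwarded to it. The ACS namespace URL, the realm and the tenant pattern are constructed values for illustration.

```python
"""Carry the tenant through a WS-Federation sign-in round trip via wctx."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed values: one ACS namespace, one registered RP realm, one tenant shape.
ACS_SIGNIN = "https://CONSTRUCTED-namespace.accesscontrol.windows.net/v2/wsfederation"
REALM = "https://app.company.com/"  # the single realm registered in the ACS portal
# Tenant hosts must end in .company.com; the anchors stop lookalikes such as
# orgname.company.com.evil.net from passing.
TENANT_HOST = re.compile(r"^([a-z0-9-]+\.)+company\.com$")


def build_signin_url(tenant_host: str) -> str:
    """wa/wtrealm are the WS-Federation sign-in parameters; wctx is ours to define."""
    if not TENANT_HOST.match(tenant_host):
        raise ValueError(f"tenant host not allowed: {tenant_host}")
    wctx = urlencode({"tenant": tenant_host})  # e.g. tenant=orgname.company.com
    query = urlencode({"wa": "wsignin1.0", "wtrealm": REALM, "wctx": wctx})
    return f"{ACS_SIGNIN}?{query}"


def tenant_from_wctx(wctx: Optional[str]) -> Optional[str]:
    """Return the tenant host carried in wctx, or None if missing or not allowed."""
    if not wctx:
        return None
    tenant = parse_qs(wctx).get("tenant", [None])[0]
    if tenant is None or not TENANT_HOST.match(tenant):
        return None
    return tenant


def redirect_after_signin(form: dict) -> Optional[str]:
    """ACS POSTs wa/wresult/wctx back to REALM; decide which tenant gets the user.

    A None result means 'show an error', never 'redirect somewhere anyway',
    so a tampered wctx cannot turn the realm into an open redirector.
    """
    tenant = tenant_from_wctx(form.get("wctx"))
    if tenant is None:
        return None
    return f"https://{tenant}/"
```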