This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Problems with ADFS 3.0 external IDP - authentication problems on party trust

Question
0

Sign in to vote

Hi All

I've been looking for a solution for my problem for a couple days without no luck. I have 2 federated domains, let's say that one is contoso.com, and the other one is contoso.net. Contoso.net is the local domain and the contoso.com is the external domain, that is federated.

I create the Claims Provider trust, and I'm able to successfully use both authentication on the adfs internal signon website.

Now my problem came when I create a relaying application or and application group.. I'm able to login with no problem using the internal, contoso.net, but im not able to use the external authentication, contoso.com.

Hope that someone can help me with this issue.

Thanks

Tuesday, January 29, 2019 3:59 PM

Answers

0

Sign in to vote
After a lot of hours researching, I found out the problem. The problem is that during the trust wizard configuration a required variable isn't configured, this variable is AnchorClaimType. This variable is used to construct the Token on the ADFS response after login.

To fill this variable, you will need to run this powershell code.

set-adfsclaimsprovidertrust -targetidentifier identifier -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

This will fix the problem and let you authenticate on more than one trust on adfs.

Thanks
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Wednesday, February 6, 2019 7:11 PM
- Marked as answer by Hamid Sadeghpour SalehMVP Thursday, September 5, 2019 8:10 AM
Tuesday, February 5, 2019 2:10 PM