Problems with ADFS 3.0 external IDP - authentication problems on party trust

  • Question

  • Hi All

    I've been looking for a solution to my problem for a couple of days without any luck. I have 2 federated domains; let's say that one is contoso.com and the other one is contoso.net. Contoso.net is the local domain and contoso.com is the external domain that is federated.

    I create the Claims Provider trust, and I'm able to successfully use both authentications on the AD FS internal sign-on website.

    Now my problem comes when I create a relying party application or an application group. I'm able to log in with no problem using the internal one, contoso.net, but I'm not able to use the external authentication, contoso.com.

    Hope that someone can help me with this issue. 

    Thanks

    Tuesday, January 29, 2019 3:59 PM

Answers

  • After a lot of hours researching, I found out the problem. The problem is that during the trust wizard configuration a required variable isn't configured: this variable is AnchorClaimType. This variable is used to construct the token in the ADFS response after login.

    To fill this variable, you will need to run this PowerShell code.

    # Replace <identifier> with the Identifier of the claims provider trust (see Get-AdfsClaimsProviderTrust)
    Set-AdfsClaimsProviderTrust -TargetIdentifier <identifier> -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    This will fix the problem and let you authenticate on more than one trust on AD FS.

    Thanks

    Tuesday, February 5, 2019 2:10 PM
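As an added example (not the poster's own script), the following PowerShell audits every claims provider trust on the AD FS server for a missing AnchorClaimType before changing anything, then applies the name claim URI from the answer above only to trusts where it is empty. It assumes it runs in an elevated session on the AD FS server with the ADFS module available, and that the built-in Active Directory provider should be left alone; the function name Get-ClaimsProviderAnchorReport and the $apply switch are this example's own.

```powershell
# Added example: audit claims provider trusts for a missing AnchorClaimType and, when
# $apply is $true, set the standard "name" claim URI used in the answer above.
# Assumes an elevated session on the AD FS server with the ADFS module installed.
Import-Module ADFS

# Anchor claim type used in the accepted answer.
$anchor = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Report only by default; flip to $true to actually update the trusts.
$apply = $false

function Get-ClaimsProviderAnchorReport {
    # One object per external claims provider trust: name, identifier, current anchor,
    # and whether the anchor is empty (the condition described in the answer).
    Get-AdfsClaimsProviderTrust |
        Where-Object { $_.Name -ne 'Active Directory' } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                Identifier      = $_.Identifier
                AnchorClaimType = $_.AnchorClaimType
                Missing         = [string]::IsNullOrEmpty($_.AnchorClaimType)
            }
        }
}

$report = Get-ClaimsProviderAnchorReport
$report | Format-Table -AutoSize

# Only touch trusts with no anchor configured; a trust that already has a deliberately
# chosen anchor claim (for example UPN or e-mail) is left as the administrator set it.
foreach ($trust in ($report | Where-Object { $_.Missing })) {
    if ($apply) {
        Write-Host "Setting AnchorClaimType on '$($trust.Name)' ($($trust.Identifier))"
        Set-AdfsClaimsProviderTrust -TargetIdentifier $trust.Identifier -AnchorClaimType $anchor
    }
    else {
        Write-Host "Would set AnchorClaimType on '$($trust.Name)'; set `$apply = `$true to apply"
    }
}
```

Run it once with $apply left at $false to see which trusts are affected, confirm the Identifier values match the claims provider trusts you expect, then rerun with $apply = $true. After the change, re-run the report to verify the AnchorClaimType column is populated for every external trust.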