ADFS3 Claims Provider Trust using Identifier https://sts.windows.net/{tenantid}/

  • Question

  • Hello,

    I'm using "https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml" as Claims Provider Trust.
    Importing this XML, configured the multi-tenant Identifier "https://sts.windows.net/{tenantid}/" for the Claims Provider Trust.

    After directions from ADFS I'm ending on the correct logon page (which is great):

    https://login.microsoftonline.com/common/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2fADFS.EXAMPLE.COM%2fadfs%2fservices%2ftrust&wctx=19bf2d8b-6604-4055-9314-0ad133a26e99&wct=2017-08-22T14%3a58%3a15Z

    As soon as I enter my Azure AD (Office365) credentials and the redirection back to ADFS happens, ADFS logging gives me the following error message:

    Exception details: 
    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.AuthorityNotFoundPolicyRequestException: MSIS3024: The claims provider trust with identifier 'https://sts.windows.net/78345171c-fake-4d4a-8b57-b8eefsscbadb5/' could not be located.

    ADFS expects information back from: "https://sts.windows.net/{tenantid}/" and NOT "https://sts.windows.net/78345171c-fake-4d4a-8b57-b8eefsscbadb5/", since "https://sts.windows.net/{tenantid}/" is the Identifier for the Claims Provider Trust.

    Since creation of new ACS Namespaces is not supported anymore and I need to add multiple Office365 tenants as Claims Provider Trust, I need to work with this (multi-tenant value): "https://sts.windows.net/{tenantid}/", instead of "https://sts.windows.net/78345171c-fake-4d4a-8b57-b8eefsscbadb5/" (direct tenant call, which works perfectly by the way).

    Is there a way with the help of incoming Claim Rules to fix this?
    B2C is not an option for us.

    I can NOT add multiple Office365 tenants on the same ADFS machine, because of the same certificates.
    (https://sts.windows.net/long-id-number-72363-tenant1/ & https://sts.windows.net/long-id-number-9347883-tenant2/, both using the certificate for "sts.windows.net". ADFS does not like it.)

    I'm receiving these values in my response after logging in on Office365:

    <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/78345171c-fake-4d4a-8b57-b8eefsscbadb5/</AttributeValue>
    </Attribute>

    and

    <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>78345171c-fake-4d4a-8b57-b8eefsscbadb5</AttributeValue>
    </Attribute>

    Again: Is there a way with the help of incoming Claim Rules on ADFS3 to fix this? Or something else, supported on ADFS3?

    Thanks in advance for your help!!

    Rietesh

    Tuesday, August 22, 2017 1:11 PM
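The mismatch described in the question can be seen by pulling the two claims out of the attribute statement and comparing the issuer against the configured trust identifiers. The script below is an added example written for this thread, not code from the poster or from Microsoft; it parses a constructed SAML attribute statement built from the two attributes quoted above (same fake tenant id), checks that the identityprovider issuer is consistent with the tenantid claim, and models the trust lookup as a literal string comparison, which is an assumption that reproduces the MSIS3024 failure the poster sees (the template "https://sts.windows.net/{tenantid}/" never equals a concrete issuer). The SAML 2.0 assertion namespace is assumed for the wrapper element; the claim type URIs are the ones from the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the two attributes quoted in the question.
# The tenant id is the fake value from the post, not a real tenant.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMPLE_ATTRIBUTE_STATEMENT = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/78345171c-fake-4d4a-8b57-b8eefsscbadb5/</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>78345171c-fake-4d4a-8b57-b8eefsscbadb5</AttributeValue>
  </Attribute>
</AttributeStatement>"""

IDP_CLAIM = "http://schemas.microsoft.com/identity/claims/identityprovider"
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"
ISSUER_PREFIX = "https://sts.windows.net/"
TEMPLATE_IDENTIFIER = f"{ISSUER_PREFIX}{{tenantid}}/"  # the multi-tenant identifier from the question


def extract_claims(xml_text):
    """Return {claim_type: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(xml_text.strip())
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text]
        claims.setdefault(name, []).extend(values)
    return claims


def issuer_matches_tenant(claims):
    """True when the identityprovider claim is exactly https://sts.windows.net/<tenantid>/.

    A relying party should reject a response where the issuer and the tenantid
    claim disagree, since both are supposed to name the same Azure AD tenant.
    """
    idp = claims.get(IDP_CLAIM, [None])[0]
    tenant = claims.get(TENANT_CLAIM, [None])[0]
    if idp is None or tenant is None:
        return False
    return idp == f"{ISSUER_PREFIX}{tenant}/"


def find_trust(issuer, configured_identifiers):
    """Literal-match trust lookup (assumed model of the behaviour behind MSIS3024).

    Returns the configured identifier that equals the incoming issuer, or None.
    """
    for ident in configured_identifiers:
        if ident == issuer:
            return ident
    return None


def classify(issuer, configured_identifiers):
    """Explain why a lookup succeeded or failed.

    'direct'        - a trust with this exact issuer is configured (the working case in the post)
    'template-only' - only the {tenantid} template is configured, so a literal match cannot succeed
    'unknown'       - the issuer is not an sts.windows.net issuer known to any configured trust
    """
    if find_trust(issuer, configured_identifiers) is not None:
        return "direct"
    looks_like_aad = issuer.startswith(ISSUER_PREFIX) and issuer.endswith("/")
    if TEMPLATE_IDENTIFIER in configured_identifiers and looks_like_aad:
        return "template-only"
    return "unknown"


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ATTRIBUTE_STATEMENT)
    issuer = claims[IDP_CLAIM][0]
    print("issuer/tenantid consistent:", issuer_matches_tenant(claims))
    print("template trust only  :", classify(issuer, [TEMPLATE_IDENTIFIER]))
    print("direct tenant trust  :", classify(issuer, [issuer]))
```

Running it on the constructed statement reports the issuer and tenantid as consistent, "template-only" when only the {tenantid} identifier is configured, and "direct" when the concrete tenant issuer is configured, which is the same split between the failing multi-tenant trust and the working direct-tenant trust the question describes.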

All replies

  • Just to note that ADFS 4.0 fixes the multiple Office365 tenants on the same ADFS machine issue.

    Tuesday, August 22, 2017 9:39 PM
  • Thank you for your response!

    Correct. I'm aware of this, but since we cannot upgrade to Windows Server 2016 I need to find a solution for ADFS3.

    Any idea?

    Wednesday, August 23, 2017 7:51 AM