The same client browser session has made '6' requests in the last '2' seconds

Question
-
Hi! I am trying to set up ADFS to allow authentication to SharePoint from disparate forests, with no trust. I have two domains: in domain A we have SharePoint 2016 and AD FS 4.0, all on Windows Server 2016; in domain B, AD FS 4.0.
In domain A, on the AD FS server I created an RP for SharePoint and a CP for AD FS domain B. In domain B I created an RP for AD FS domain A. But I keep getting this error when I log on to the SharePoint site:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '6' seconds. Contact your administrator for details.
Any idea why this keeps happening?
Tuesday, October 9, 2018 11:56 AM
Answers
-
It looks like everything works well from an ADFS perspective.
You connect to Sharepoint.
You get redirected to ADFS Blue.
It looks like the RP is configured to use the ADFS Green Claim Provider trust and you get redirected to Blue.
You are already authenticated with ADFS Green (apparently at 12.10.2018 5:05:59 - so 5 minutes before your capture).
You get a token for ADFS Green and hit ADFS Green.
You then get this token:
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-10-12T05:06:11.815Z</wsu:Created>
    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-10-12T05:16:11.815Z</wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>urn:sharepoint:sp</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_44442132-f999-47f4-aed3-096cd18303ef" Issuer="http://adfs.blue.local/adfs/services/trust" IssueInstant="2018-10-12T05:06:11.815Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2018-10-12T05:06:11.815Z" NotOnOrAfter="2018-10-12T05:16:11.815Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:sharepoint:sp</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="isregistereduser" AttributeNamespace="http://schemas.microsoft.com/2012/01/devicecontext/claims" a:OriginalIssuer="http://adfs.green.local/adfs/services/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
          <saml:AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="identifier" AttributeNamespace="http://schemas.microsoft.com/2012/01/devicecontext/claims" a:OriginalIssuer="http://adfs.green.local/adfs/services/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
          <saml:AttributeValue>b5f85737-8484-45ee-b45b-65d34611bf42</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2018-10-12T05:04:51.185Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_44442132-f999-47f4-aed3-096cd18303ef">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>GlY7Y00b9BOaJYgfAXar7s75hkW60lZnzxitOjGsIZI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ObOz5G0BOhVRYgWY8AARJCCc9VoCeml0bZ4OjnXJCDJ1zF3fA/fEuF9Uk3QPjJnKh/N6kqSZzBd+g3KomDwCUDLEsdhFkCuzMcsQWDrAYQX9ql10Vu//xOFUJDthBdhjj6+jHfM58QV5YVELcEGLJINFdQl9DjHde92qPydMj1p9K1/ZKIHs5FOkPXYOHtak2PFeoeIWnmiKJ7Xqx4SPcLL8BpSlBSJSS3F2NwbcvkMUo9rgvxK0SO4mju1USn2dXLDenkuHjuPU6Scyq4dAviKh9RU+223lkjMZmDUpyOJuYb7qTpTGYmh0N+EEEWMZZtgcafXQlsszcIzU0ImNZA==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>[certificate base64 omitted]</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
And get redirected to SharePoint.
SharePoint does not seem to be happy with this token and redirects you to ADFS to get another one.
If you look into the token itself, you don't really have any info in it. So assuming that you have the right cert on SharePoint, maybe your problem is your claim rules. You are not sending claims to SharePoint. What are the rules set on the SharePoint relying party trust on ADFS Blue and the rules set on the ADFS Green claim provider trust on ADFS Blue?
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Marked as answer by Alyushin Vladislav Tuesday, October 16, 2018 5:17 AM
Saturday, October 13, 2018 4:32 PM
All replies
-
Let's look at the classics with SharePoint first:
- Make sure time sync between your ADFS server and the SharePoint servers is working fine
- Make sure you did not change the maximum token lifetime to 5 minutes
If both look good to you, then we can have a look at a Fiddler trace. If you go the Fiddler way, please make sure you obfuscate your credentials in the trace.
Tuesday, October 9, 2018 1:10 PM -
PS C:\Users\vlad> $sts | select *time*
WindowsTokenLifetime : 00:02:00
FormsTokenLifetime : 00:02:00
CookieLifetime : 5.00:00:00
CookieLifetimeRefreshWindow : 4.00:00:00
ServiceTokenLifetime : 10:00:00
ApplicationTokenLifetime : 1.12:00:00
AuthenticatorTokenLifetime : 1.12:00:00
ImplicitFlowTokenLifetime : 30.00:00:00
LoopbackTokenLifetime : 10:00:00
ProofTokenLifetime : 1.00:00:00
IdentityTokenLifetime : 00:20:00
Tuesday, October 9, 2018 1:33 PM -
Well, look at the values for the SharePoint RP.
Regarding the first point? You are good?
If so, then Fiddler :)
Tuesday, October 9, 2018 6:29 PM -
In Fiddler I see that the request is processed between the AD FS servers, and then the external AD FS gets the error "MSIS7042: The same client browser session has made '6' requests in the last '2' seconds":
# | Result | Protocol | Host | URL | Body | Caching | Content-Type | Process
19 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782 | 29,642 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
20 | 304 | HTTPS | adfs.green.local | /adfs/portal/css/style.css?id=0A13280A86E7DFA6949BD016EA848912FCAFC05E88CBEDF538AC325B27041205 | 0 | Expires: Sat, 10 Nov 2018 10:48:23 GMT | text/css | firefox:6924
21 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782&client-request-id=d354ff4a-70c4-4065-2900-0080000000f1&pullStatus=0 | 17,527 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
22 | 404 | HTTPS | adfs.green.local | /favicon.ico | 315 | | text/html; charset=us-ascii | firefox:6924
23 | 200 | HTTP | Tunnel to | adfs.green.local:443 | 0 | | | firefox:6924
24 | 404 | HTTPS | adfs.green.local | /favicon.ico | 315 | | text/html; charset=us-ascii | firefox:6924
25 | 200 | HTTP | Tunnel to | adfs.green.local:443 | 0 | | | firefox:6924
26 | 302 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782&client-request-id=d354ff4a-70c4-4065-2900-0080000000f1&pullStatus=0 | 0 | | text/html; charset=utf-8 | firefox:6924
27 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782&client-request-id=d354ff4a-70c4-4065-2900-0080000000f1&pullStatus=0 | 8,529 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
28 | 502 | HTTP | Tunnel to | safebrowsing.googleapis.com:443 | 512 | no-cache, must-revalidate | text/html; charset=UTF-8 | firefox:6924
29 | 200 | HTTPS | adfs.blue.local | /adfs/ls/ | 4,929 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
30 | 302 | HTTPS | sp.blue.local | /_trust/ | 169 | | text/html; charset=utf-8 | firefox:6924
31 | 302 | HTTPS | sp.blue.local | /_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F | 242 | private | text/html; charset=utf-8 | firefox:6924
32 | 302 | HTTPS | sp.blue.local | /_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F | 255 | private, no-store | text/html; charset=utf-8 | firefox:6924
33 | 302 | HTTPS | sp.blue.local | /_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F | 301 | private, no-store | text/html; charset=utf-8 | firefox:6924
34 | 302 | HTTPS | adfs.blue.local | /adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F | 0 | | text/html; charset=utf-8 | firefox:6924
35 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=e018883d-3694-4d1f-844a-eb2cf7e86725 | 8,529 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
36 | 404 | HTTPS | adfs.blue.local | /favicon.ico | 315 | | text/html; charset=us-ascii | firefox:6924
37 | 200 | HTTP | Tunnel to | adfs.blue.local:443 | 648 | | | firefox:6924
38 | 200 | HTTPS | adfs.blue.local | /adfs/ls/ | 4,940 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
39 | 302 | HTTPS | sp.blue.local | /_trust/ | 169 | | text/html; charset=utf-8 | firefox:6924
40 | 302 | HTTPS | sp.blue.local | /_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F | 242 | private | text/html; charset=utf-8 | firefox:6924
41 | 302 | HTTPS | sp.blue.local | /_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F | 255 | private, no-store | text/html; charset=utf-8 | firefox:6924
42 | 302 | HTTPS | sp.blue.local | /_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F | 301 | private, no-store | text/html; charset=utf-8 | firefox:6924
43 | 302 | HTTPS | adfs.blue.local | /adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F | 0 | | text/html; charset=utf-8 | firefox:6924
44 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=9fe6e6f0-93ce-4eb4-87e8-31f1f7c47f1f | 8,529 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
45 | 200 | HTTPS | adfs.blue.local | /adfs/ls/ | 4,940 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
46 | 302 | HTTPS | sp.blue.local | /_trust/ | 169 | | text/html; charset=utf-8 | firefox:6924
47 | 302 | HTTPS | sp.blue.local | /_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F | 242 | private | text/html; charset=utf-8 | firefox:6924
48 | 302 | HTTPS | sp.blue.local | /_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F | 255 | private, no-store | text/html; charset=utf-8 | firefox:6924
49 | 302 | HTTPS | sp.blue.local | /_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F | 301 | private, no-store | text/html; charset=utf-8 | firefox:6924
50 | 302 | HTTPS | adfs.blue.local | /adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F | 0 | | text/html; charset=utf-8 | firefox:6924
51 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=e3f05dcc-1c87-4b13-ac35-2bcc5630ecf4 | 8,529 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
52 | 200 | HTTPS | adfs.blue.local | /adfs/ls/ | 4,940 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
53 | 302 | HTTPS | sp.blue.local | /_trust/ | 169 | | text/html; charset=utf-8 | firefox:6924
54 | 302 | HTTPS | sp.blue.local | /_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F | 242 | private | text/html; charset=utf-8 | firefox:6924
55 | 302 | HTTPS | sp.blue.local | /_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F | 255 | private, no-store | text/html; charset=utf-8 | firefox:6924
56 | 302 | HTTPS | sp.blue.local | /_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F | 301 | private, no-store | text/html; charset=utf-8 | firefox:6924
57 | 302 | HTTPS | adfs.blue.local | /adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F | 0 | | text/html; charset=utf-8 | firefox:6924
58 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=07267496-fc65-420a-bc97-5547863ca2eb | 8,529 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
59 | 200 | HTTPS | adfs.blue.local | /adfs/ls/ | 4,940 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
60 | 302 | HTTPS | sp.blue.local | /_trust/ | 169 | | text/html; charset=utf-8 | firefox:6924
61 | 302 | HTTPS | sp.blue.local | /_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F | 242 | private | text/html; charset=utf-8 | firefox:6924
62 | 302 | HTTPS | sp.blue.local | /_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F | 255 | private, no-store | text/html; charset=utf-8 | firefox:6924
63 | 302 | HTTPS | sp.blue.local | /_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F | 301 | private, no-store | text/html; charset=utf-8 | firefox:6924
64 | 302 | HTTPS | adfs.blue.local | /adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F | 0 | | text/html; charset=utf-8 | firefox:6924
65 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=f48acd3a-d27b-4bba-b374-fb8c11125e98 | 8,529 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
66 | 200 | HTTPS | adfs.blue.local | /adfs/ls/ | 4,940 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
67 | 302 | HTTPS | sp.blue.local | /_trust/ | 169 | | text/html; charset=utf-8 | firefox:6924
68 | 302 | HTTPS | sp.blue.local | /_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F | 242 | private | text/html; charset=utf-8 | firefox:6924
69 | 302 | HTTPS | sp.blue.local | /_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F | 255 | private, no-store | text/html; charset=utf-8 | firefox:6924
70 | 302 | HTTPS | sp.blue.local | /_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F | 301 | private, no-store | text/html; charset=utf-8 | firefox:6924
71 | 302 | HTTPS | adfs.blue.local | /adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F | 0 | | text/html; charset=utf-8 | firefox:6924
72 | 200 | HTTPS | adfs.green.local | /adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d52a4031-1b53-48ed-a53c-f37b6e47d189 | 10,617 | no-cache,no-store; Expires: -1 | text/html; charset=utf-8 | firefox:6924
As I understand it, I can't log in to AD FS with the SharePoint RP.
- Edited by Alyushin Vladislav Thursday, October 11, 2018 10:52 AM
Thursday, October 11, 2018 10:50 AM -
Why is the trace starting on ADFS? If it is WS-Fed, it should start on SharePoint.
Also, can you share the actual trace file?
Thursday, October 11, 2018 4:39 PM -
https://drive.google.com/file/d/1pgUAEPvO0xSwpvLgVQd5Mx03Uh9M50zF/view?usp=sharing
Friday, October 12, 2018 5:14 AM
-
Monday, October 15, 2018 5:07 AM
-
I added another claim rule on my SharePoint RP on AD FS Blue and authorization works:
Monday, October 15, 2018 12:17 PM -
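The thread does not say which rule was added, so here is an added example (not the poster's configuration) that shows the two rule sets the answer asks about and appends identity-claim rules to both. Assumptions: the trusts on ADFS Blue are named 'SharePoint' and 'ADFS Green', and SharePoint's trusted identity token issuer uses the e-mail address claim; the cmdlets are the standard ADFS module ones.

```powershell
# Added example, not the thread's own configuration. Run on the ADFS Blue server.
Import-Module ADFS

$rpName    = 'SharePoint'    # assumed display name of the SharePoint RP trust
$cpName    = 'ADFS Green'    # assumed display name of the claims provider trust for the other forest
$emailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

# 1. What Blue currently accepts from Green, and what it issues to SharePoint.
#    These are the two rule sets the answer asks to see.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
$rp = Get-AdfsRelyingPartyTrust   -Name $rpName
"--- $cpName acceptance transform rules ---"; $cp.AcceptanceTransformRules
"--- $rpName issuance transform rules ---";   $rp.IssuanceTransformRules

# 2. Claims provider trust: accept the e-mail claim that Green sends. Without an
#    acceptance rule the incoming claim is dropped before the RP rules ever see it,
#    and SharePoint receives a token with no identity claim.
$acceptEmail = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept e-mail from ADFS Green"
c:[Type == "$emailType"]
 => issue(claim = c);
"@

# 3. Relying party trust: pass the e-mail claim on to SharePoint.
$issueEmail = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Send e-mail to SharePoint"
c:[Type == "$emailType"]
 => issue(claim = c);
"@

# The *TransformRules parameters replace the whole rule set, so append to what is there
# and skip the change when a rule for this claim type already exists.
if ($cp.AcceptanceTransformRules -notmatch [regex]::Escape($emailType)) {
    Set-AdfsClaimsProviderTrust -TargetName $cpName `
        -AcceptanceTransformRules ("$($cp.AcceptanceTransformRules)`r`n$acceptEmail")
}
if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($emailType)) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ("$($rp.IssuanceTransformRules)`r`n$issueEmail")
}

# 4. Re-read and show the result so the change can be checked against a new Fiddler capture.
"--- after ---"
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust   -Name $rpName).IssuanceTransformRules

# Reminder: ADFS Green must actually issue the e-mail claim on its RP trust for Blue,
# for example with an LDAP attribute rule there (run on Green, not here):
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
#    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
```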
So it works now?
Monday, October 15, 2018 2:35 PM -
Yes, thank you so much
Tuesday, October 16, 2018 4:59 AM
-
Well, you've done all the work :)
Thanks!
Tuesday, October 16, 2018 7:03 PM