Configuring ADFS 2.0 for SAML (SSO) with Blue Jeans - Event ID 684 ADFS Hourly ERROR

  • Question

  • Hello,

    I have been configuring ADFS 2.0 for SAML (SSO) for Blue Jeans but am having difficulty authenticating users. I receive an hourly error as follows:

    ------------------------------------------------------------------

    The AD FS Web Agent was unable to update trust information from the Federation Service. The Federation Service Secure Sockets Layer (SSL) server certificate could not be validated. 
    Federation Service URL: https://localhost/adfs/fs/FederationServerService.asmx 

    User Action 
    Verify that the Federation Service SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store on the web server. 

    Verify that the SSL certificate is neither expired nor revoked. 

    Verify that the SSL certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).

    ------------------------------------------------------------------

    I have followed a TechNet article to double-check that the certs and their paths are correct, as well as the root chain.
    I am able to navigate to the address https://<servername>/adfs/fs/federationserverservice.asmx, which displays the webpage.

    I am using a self-signed cert while I am testing, but I don't believe this would make a difference.

    When navigating to the Blue Jeans logon and entering the credentials, no access is granted and the logon prompts again.

    Should the federation service address in this error point to the localhost?

    Any help would be much appreciated.

    Thanks

    Friday, March 4, 2016 11:43 AM
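A check that exercises the three conditions listed in the event text, added here as an example and not part of the original post. It is a Windows PowerShell script for the web server: it retrieves the certificate that the Federation Service URL actually presents, then tests chain, validity/revocation and host-name match by hand. The URL defaults to the one in the event, so the subject is compared against "localhost", which is what the third bullet of the event requires; a self-signed certificate issued to the server's own name cannot satisfy that comparison, and, being self-signed, it is its own root and has to sit in LocalMachine\Root for the first bullet to pass. The Cert: drive path and the English-locale "DNS Name=" text in the subjectAltName formatting are assumptions; wildcard names are not handled.

```powershell
# Added example, not from the original post: run the three checks that the
# Event ID 684 text lists against the certificate the Federation Service URL
# really presents. Run in an elevated Windows PowerShell session on the web
# server. The URL below is the one from the event; change it to match yours.
param(
    [string]$FederationServiceUrl = "https://localhost/adfs/fs/FederationServerService.asmx"
)

$uri      = [Uri]$FederationServiceUrl
$hostName = $uri.Host      # the name the certificate subject has to match
$port     = $uri.Port      # 443 unless the URL says otherwise

# Step 1: pull the server certificate. The callback returns $true so the
# handshake completes even with an untrusted or mismatched cert; the checks
# below are then done by hand on the certificate we received.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($hostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()

# Step 2: chain to a root in the Local Computer Trusted Root store, with
# online revocation checking. X509Chain consults user and machine stores,
# so the root it settles on is looked up in LocalMachine\Root explicitly,
# because that is the store the event text names.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainBuilt  = $chain.Build($cert)
$chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
$rootCert    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootInMachineRoot = Test-Path -Path "Cert:\LocalMachine\Root\$($rootCert.Thumbprint)"

# Step 3: validity period and revocation (Revoked shows up in ChainStatus).
$now       = Get-Date
$timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
$revoked   = $chainStatus -contains "Revoked"

# Step 4: subject CN and subjectAltName DNS entries against the URL's host.
$dnsNames = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($san) {
    # Format() yields text such as "DNS Name=adfs.example.com, DNS Name=..."
    # (English locale assumed).
    $dnsNames += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}
$hostNameMatches = @($dnsNames | Where-Object { $_ -ieq $hostName }).Count -gt 0

# One object per run; any $false here is a reason for Event ID 684.
New-Object PSObject -Property @{
    Url               = $FederationServiceUrl
    HostChecked       = $hostName
    Subject           = $cert.Subject
    Thumbprint        = $cert.Thumbprint
    DnsNamesOnCert    = ($dnsNames -join ", ")
    ChainBuilt        = $chainBuilt
    ChainStatus       = ($chainStatus -join ", ")
    RootInMachineRoot = $rootInMachineRoot
    TimeValid         = $timeValid
    Revoked           = $revoked
    HostNameMatches   = $hostNameMatches
} | Format-List
```

Run it once with the URL exactly as the event reports it and once with the server's real host name; the two HostNameMatches values show directly whether the certificate subject or the URL is the thing that needs changing.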

All replies

  • Hi,

    Are you sure that you're using AD FS 2.0? Your post mentions the AD FS Web Agent, and the URLs concerned are from AD FS 1.x. The AD FS 2.0 binaries need to be downloaded from Microsoft. This link should point you in the right direction, as Bluejeans uses SAML 2.0.

    I've not used Bluejeans, but looking at their support page: create your Relying Party in AD FS 2.0 and point it to the Bluejeans metadata at http://bluejeans.com/support/saml-metadata.xml. It requires a persistent NameID and an e-mail claim.

    Post back if you have any issues.

    Regards,

    Mylo


    http://blog.auth360.net



    Sunday, March 6, 2016 11:50 AM
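The relying party the reply describes, scripted with the AD FS 2.0 cmdlets as an added example; this is not Blue Jeans' documentation and not code from the thread. It assumes the Microsoft.Adfs.PowerShell snap-in on the federation server, the metadata URL quoted above, and that the AD mail attribute is an acceptable value for the persistent NameID. The page only says the NameID must be persistent and that an e-mail claim must be present, so the choice of attribute feeding the NameID is an assumption.

```powershell
# Added example, not from the thread or from Blue Jeans. Assumes the AD FS 2.0
# snap-in on the federation server. Run in an elevated Windows PowerShell
# session as an AD FS administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = "Blue Jeans"                                      # display name, arbitrary
$metadataUrl = "http://bluejeans.com/support/saml-metadata.xml"  # URL quoted in the reply

# Issuance transform rules: pull mail from AD into an e-mail claim, then
# re-issue that value as a NameID with the SAML 2.0 persistent format.
# Using mail as the NameID value is an assumption; the reply only says the
# NameID must be persistent and that an e-mail claim is required.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address as persistent NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Issuance authorization rule: let every authenticated user through while
# testing. Replace with a group check once SSO works.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$existing = Get-ADFSRelyingPartyTrust -Name $rpName
if ($existing -eq $null) {
    # Endpoints, identifier and SP signing certificate all come from the metadata.
    Add-ADFSRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
} else {
    Set-ADFSRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Show what AD FS learned from the metadata: the SP identifier, its SAML
# endpoints, and the NameID formats the SP itself advertises, so the
# persistent format in the rule above can be compared with what the SP lists.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, SamlEndpoints | Format-List
[xml]$md = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
"NameID formats advertised by the SP: " + (@($md.EntityDescriptor.SPSSODescriptor.NameIDFormat) -join ", ")
```

The metadata is fetched over plain http, as quoted in the reply, and -AutoUpdateEnabled makes AD FS re-fetch it on a schedule. That document carries the service provider's assertion consumer endpoints and signing certificate, so anyone able to tamper with the http response controls where assertions go; if the vendor publishes the same metadata over https use that URL, or review a downloaded copy and import it with -MetadataFile instead.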
  • Much appreciated. The site was using the ADFS app pool, which was stopped. When I started it again, though, it crashed each time I browsed to it. I have changed the ADFS app pool to start with ApplicationPoolIdentity and it now stays started.

    However still getting a blank page when browsing to it!

    I receive an event ID; the error references the line of code Blue Jeans require to be added, at line 72: <useRelayStateForldpinitiatedSignOn enabled="true" />

    The above line of code is inserted between the <microsoft.identityserver.web> tags.

    Event ID 383, ADFS

    ------------------

    The Web request failed because the web.config file is malformed.

    User Action:

    Fix the malformed data in the web.config file.

    Exception details:

    MSIS2008: A configuration error has occurred in section 'microsoft.identityServer.web'.

    Unrecognized element 'useRelayStateForldpinitiatedSignOn'. (C:\inetpub\adfs\ls\web.config line 72)

    I have installed ADFS on Server 2012, which is pointed to http://bluejeans.com/support/saml-metadata.xml.

    This has been checked by Blue Jeans support; claims are also specified correctly.


    Wednesday, March 9, 2016 11:13 AM
  • Not sure if the web.config file is case-sensitive... XML files are in general... But anyhow, it doesn't cost much to try...

    So try with:

    useRelayStateForIdpInitiatedSignOn

    And let us know...



    Tuesday, March 15, 2016 12:36 AM
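XML element names are case-sensitive, and the name in the Event ID 383 text, useRelayStateForldpinitiatedSignOn, differs from the one suggested in the last reply in two places: a lowercase L where a capital I belongs, and a lowercase i in "initiated". The script below is added here as an example and is not part of the thread. It scans C:\inetpub\adfs\ls\web.config for element names that match the expected spelling only when case is ignored and reports the first differing character, then confirms with a case-sensitive XPath lookup that the element sits under microsoft.identityServer.web with enabled="true". It assumes the path from the event text and a root <configuration> element that carries no XML namespace.

```powershell
# Added example, not from the thread. Assumes the AD FS 2.0 web.config path
# shown in the event text and a root <configuration> element without an XML
# namespace. Run in Windows PowerShell on the federation server.
param([string]$WebConfig = "C:\inetpub\adfs\ls\web.config")

# Element names that have to be spelled exactly like this.
$expectedNames = @("microsoft.identityServer.web", "useRelayStateForIdpInitiatedSignOn")

# Pass 1: textual scan. -ieq and -cne together isolate names that match only
# when case is ignored, which is what an "Unrecognized element" error on an
# otherwise correct-looking line points at.
$lines = @(Get-Content -Path $WebConfig)
$findings = @()
for ($i = 0; $i -lt $lines.Count; $i++) {
    foreach ($m in [regex]::Matches($lines[$i], '<\s*([A-Za-z_][\w\.\-]*)')) {
        $found = $m.Groups[1].Value
        foreach ($want in $expectedNames) {
            if (($found -ieq $want) -and ($found -cne $want)) {
                $pos = 0
                while ($pos -lt $want.Length -and $found[$pos] -ceq $want[$pos]) { $pos++ }
                $findings += New-Object PSObject -Property @{
                    Line     = $i + 1
                    Found    = $found
                    Expected = $want
                    Detail   = "first difference at character $($pos + 1): '$($found[$pos])' should be '$($want[$pos])'"
                }
            }
        }
    }
}
if ($findings.Count -eq 0) { "No case-only mismatches found for: $($expectedNames -join ', ')" }
else { $findings | Format-Table Line, Found, Expected, Detail -AutoSize }

# Pass 2: structural check. XPath is case-sensitive, so this only succeeds
# when the element is spelled and placed exactly as the config parser expects.
try {
    [xml]$cfg = Get-Content -Path $WebConfig
    $node = $cfg.SelectSingleNode("/configuration/microsoft.identityServer.web/useRelayStateForIdpInitiatedSignOn")
    if ($node -eq $null) {
        "useRelayStateForIdpInitiatedSignOn not found under /configuration/microsoft.identityServer.web"
    } elseif ($node.GetAttribute("enabled") -ne "true") {
        "Element present but enabled='$($node.GetAttribute('enabled'))'"
    } else {
        "Element present and enabled='true'"
    }
} catch {
    "web.config is not well-formed XML: $($_.Exception.Message)"
}
```

The first pass is what catches the lookalike characters an editor font hides; the second pass is the one that matches what AD FS itself does when it loads the section, so a clean result from both is a good sign before restarting the application pool and re-testing the Blue Jeans logon.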