好的...这一切都是在我们的 Office 365 设置期间开始的。根据 Microsoft 的说法,您必须从 Exchange 中删除您的本地联合信任,验证域,然后将其添加回来……否则在验证域名时您会收到一条模糊的错误消息。
所以我这样做了……除了现在联邦信任被打破了。我从“Test-FederationTrust -Verbose”收到以下消息:
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer Uri from Federation Metadata:
urn:federation:MicrosoftOnline.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer Certificate from Federation Metadata:
<snip>.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer Previous Certificate from Federation
Metadata: <snip>.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer End Point from Federation Metadata:
https://login.microsoftonline.com/extSTS.srf.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Web Requestor Redirect End Point from Federation Metadata:
https://login.microsoftonline.com/login.srf.
VERBOSE: …我已经使用 ADFS3 实现了 SSO。我有一个用于注销的注销按钮,它在我的 ws-federation 被动端点上运行良好。在注销时,我将用户重定向到 logout.aspx 页面,并在那里我在页面加载时编写了代码
WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
SignOutRequestMessage signOutRequestMessage = new SignOutRequestMessage(new Uri(authModule.Issuer), authModule.Realm);
String queryString = signOutRequestMessage.WriteQueryString();
Response.Redirect(queryString);
其中一个应用程序使用 SAML,因此我创建了一个 SAML 断言消费者端点。所以当我打开这个应用程序并点击注销时它会抛出一个错误,当我查看 ADFS 的事件日志时,我看到
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.PipelineInitiatedSignout(WrappedHttpListenerContext …我尝试使用 Okta 设置 AAD,发现当用户访问 App Embed 链接并将其 SAML 响应发布到https://login.microsoftonline.com/login.srf时,他们会收到无用的错误:
AADSTS50107: Requested federation realm object 'http://okta.com/..............' does not exist
我已经设置了一个外部身份提供商。如何让它识别我的域名?