I am trying to set up WS-Federation with ASP.NET Zero and Azure AD, but I am getting the following error. Please advise.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '66514eec-ecae-4195-a277'.
I have tried the following reply URLs in Azure and no luck.
https://mywebsite.com/account/ExternalLoginCallback
https://mywebsite.com/account/login
Can you please help.
9 Answer(s)
-
1
Hi @sais
Could you share the replyUrl parameter of your request? You can see it in the browser's URL bar when you click the WS-Federation login button on the login page.
-
0
Thank you, I tried https://mywebsite.com/signin-wsfed as the replyUrl and it worked. Not sure if this is documented somewhere.
-
0
Hi @sais,
Thanks for sharing this. It is in Microsoft's documentation https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-3.1
-
0
Now, I am getting the following error. I am not sure what is happening.
An unhandled exception occurred while processing the request.

SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Did not match: validationParameters.ValidAudience: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' or validationParameters.ValidAudiences: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateAudience(IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(Saml2SecurityToken samlToken, string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteAuthenticateAsync()

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
-
0
Hi,
It seems like audience validation has failed. The audience value must be exactly the same as the one you use in your configuration. Most of the time this happens if there is a "/" at the end of the URL.
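The exact-match rule described in this answer, as an added example that is not part of the original thread or of ASP.NET Zero: a small Python diagnostic that pulls the `<saml:Audience>` values out of a SAML 2.0 assertion (the part of the WS-Federation response the token handler checks) and compares them with the configured audiences the same way `TokenValidationParameters.ValidAudience(s)` does, so the mismatch hidden behind the PII switch in the IDX10214 message becomes visible. The sample assertion, the tenant id and the configured audience values are constructed for illustration.

```python
"""Diagnose a WS-Federation audience mismatch (IDX10214) offline.

The framework hides the audience values behind the PII switch, so this
helper extracts the <saml:Audience> values from a SAML 2.0 assertion and
compares them with the audiences the relying party is configured to accept,
using the exact string comparison the token handler applies.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not a real token): the identity provider
# issued it for the App ID URI without a trailing slash.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/example-tenant-id/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://mywebsite.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def extract_audiences(assertion_xml: str) -> List[str]:
    """Return every <saml:Audience> value in the assertion, in document order."""
    root = ET.fromstring(assertion_xml)
    return [el.text.strip() for el in root.iter(f"{{{SAML2_NS}}}Audience") if el.text]


def validate_audience(token_audiences: Iterable[str],
                      valid_audiences: Iterable[str]) -> Tuple[bool, str]:
    """Exact-match audience check, mirroring ValidAudience / ValidAudiences.

    Returns (ok, detail). When ok is False, detail names the most likely
    cause, in particular a trailing-slash difference.
    """
    token_audiences = list(token_audiences)
    valid_audiences = list(valid_audiences)
    if not valid_audiences:
        return False, "no ValidAudience configured"
    for aud in token_audiences:
        if aud in valid_audiences:          # exact string match, no normalisation
            return True, f"audience {aud!r} accepted"
    # Diagnose the most common cause: the values differ only by a trailing "/".
    for aud in token_audiences:
        for valid in valid_audiences:
            if aud.rstrip("/") == valid.rstrip("/"):
                return False, (f"token audience {aud!r} differs from configured "
                               f"{valid!r} only by a trailing slash; "
                               f"change the configured value to {aud!r}")
    return False, f"token audiences {token_audiences} match none of {valid_audiences}"


def diagnose(assertion_xml: str, configured_audiences: Iterable[str]) -> Tuple[bool, str]:
    """Parse the assertion and run the audience check against the configuration."""
    return validate_audience(extract_audiences(assertion_xml), configured_audiences)


if __name__ == "__main__":
    # Configured value carries a trailing slash, as in the scenario above.
    print(diagnose(SAMPLE_ASSERTION, ["https://mywebsite.com/"]))
    # Corrected configuration.
    print(diagnose(SAMPLE_ASSERTION, ["https://mywebsite.com"]))
```

Run it against the assertion from a failing sign-in (the base64-decoded `wresult` posted to `/signin-wsfed`) and the audience string from your `appsettings.json`; the comparison is deliberately exact, because the fix is to correct the configured value, not to relax the validator.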
-
0
Hi, which url?
-
0
Hi,
The one you have configured in your appsettings.json for WsFed.
-
0
Hi, I know it has been a while. We now have a hard requirement to add WS-Fed.
The application is single tenant. We want to disable the individual accounts and self registration and just have our users login via ws-fed.
When I disable self-registration and try to log in using WS-Fed, I get the following message: "UserFriendlyException: Self user registration is disabled. Please contact the system administrator to register." However, there is already an account with that email address in the database; therefore, I should be able to authenticate.
How can this be accomplished?
Please advise.
-
0
Hi @sais
The user must log in using ADFS for the first time, so that the user can log in successfully on the following attempts. You can enable self-registration and disable the Register page manually by removing or commenting out its code.