Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS 3.0 errors: 511 and 364

I've got a WAP and an ADFS farm with a single server using WID.

Users can log into Office 365 successfully, but SSO is not working, so they need to log in to the ADFS login page as well as the Office 365 page.

Errors are 364 and 511 as per below. I've read some articles but no concrete solutions for 3.0.

How can I troubleshoot this? I did find one mistake in my setup (the host file on the ADFS server was pointing adfs.mydomain.com to the WAP). Could this be the cause? I am unable to test this right now as I can't bring down production. Any other solutions? I need to stop these errors occurring and ensure SSO works.

364:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:

Microsoft.IdentityServer.Web.InvalidScopeException: 06a7aa66-3aad-e311-80c1-005056983900

   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)

   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

---------------------

511 :

The incoming sign-in request is not allowed due to an invalid Federation Service configuration. 

Request url:

/adfs/ls?version=1.0&action=signin&realm=urn'%'3AAppProxy'%'3Acom&appRealm=06a7aa66-3aad-e311-80c1-005056983900&returnUrl=https'%'3A'%'2F'%'2Fadfs.mydomain.net'%'2Ffavicon.ico&client-request-id=DEC78966-4DEB-0000-918A-C7DEEB4DCF01

User Action:

Examine the Federation Service configuration and take the following actions:

  Verify that the sign-in request has all the required parameters and is formatted correctly.

  Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters.

  Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.
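
An added troubleshooting example, not part of the original post: it decodes the request URL logged in event 511, checks whether its `appRealm` is the same value named by the `InvalidScopeException` in event 364, and lists the trust identifiers that event 511 asks you to compare. The function name `ConvertFrom-AdfsLoggedUrl` is hypothetical, and the `Get-Adfs*` cmdlets are assumed to be run on the AD FS server itself.

```powershell
# Constructed input: request URL and exception value copied from events 511 and 364 above.
$loggedUrl    = "/adfs/ls?version=1.0&action=signin&realm=urn'%'3AAppProxy'%'3Acom" +
                "&appRealm=06a7aa66-3aad-e311-80c1-005056983900" +
                "&returnUrl=https'%'3A'%'2F'%'2Fadfs.mydomain.net'%'2Ffavicon.ico" +
                "&client-request-id=DEC78966-4DEB-0000-918A-C7DEEB4DCF01"
$scopeFrom364 = '06a7aa66-3aad-e311-80c1-005056983900'

# Hypothetical helper: turn the logged URL into an object with one property per parameter.
function ConvertFrom-AdfsLoggedUrl {
    param([Parameter(Mandatory)][string]$Url)

    # The event text renders percent signs as '%'; undo that before URL-decoding.
    $clean = $Url -replace "'%'", '%'
    $query = ($clean -split '\?', 2)[1]
    if (-not $query) { return }

    $params = [ordered]@{}
    foreach ($pair in ($query -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { $value = '' }      # parameter without a value
        $params[$name] = [System.Uri]::UnescapeDataString($value)
    }
    [pscustomobject]$params
}

$req = ConvertFrom-AdfsLoggedUrl -Url $loggedUrl
$req | Format-List

# Event 364 reports a scope value; show whether it is the appRealm the request carried.
'appRealm equals the value in event 364: {0}' -f ($req.appRealm -eq $scopeFrom364)

# Event 511 asks for trusts that exist, are enabled, and whose identifiers match the
# sign-in request parameters. List them and flag any identifier equal to realm or appRealm.
if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    $wanted  = @($req.realm, $req.appRealm)
    $matches = @{ n = 'MatchesRequest'
                  e = { [bool]($_.Identifier | Where-Object { $wanted -contains $_ }) } }

    Get-AdfsWebApplicationProxyRelyingPartyTrust | Select-Object Name, Enabled, Identifier, $matches
    Get-AdfsRelyingPartyTrust                    | Select-Object Name, Enabled, Identifier, $matches
}
```

The decoded `returnUrl` shows which page the proxy was pre-authenticating when the error was logged, which helps tie each 511/364 pair to a specific request.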
