Hi, everybody!
I have a few questions and a few problems regarding ADFS. Hopefully someone will be able to help me.
I have a dedicated ADFS server that is configured as a federation server farm. For now I have only one, but a second ADFS is planned for the future.
We are not using ADFS proxy servers. NLB is being performed with an F5 device.
I have a Verisign SSL certificate that has been imported on ADFS.
We are trying to create SSO with a SaaS. We have configured the ADFS relationship according to the guidelines from the SaaS.
Now, the first questions are about topology.
1. Is it OK that we have only one ADFS in the farm?
2. Is it OK that we don't use an ADFS proxy? We are planning to use the SaaS from within our company.
If I browse to https://<adfsservicename>/adfs/ls/IdpInitiatedSignOn.aspx I get the logon form. I can sign in, but when I choose the SaaS from the drop-down list and press "Go", it says Access denied.
In event log I get:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.AuthorizationFailedException: MSIS7011: Access denied.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
Any ideas where to look further?
MM
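A first check a practitioner would run on the ADFS server for an MSIS7011 after a successful sign-in is to look at the relying party trust's issuance authorization rules, since ADFS refuses to issue a token when no rule issues a permit claim. The script below is an added example, not part of the post above; the trust name in `$RpName` is a placeholder you must replace, and the `Add-PSSnapin` line assumes AD FS 2.0, where the cmdlets ship as a snap-in rather than a module.

```powershell
# Added example (not from the original post). $RpName is a placeholder for the
# display name of the SaaS relying party trust as created in the ADFS console.
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    # AD FS 2.0 (Windows Server 2008 R2) exposes the cmdlets via a snap-in.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

$RpName = "<SaaS relying party display name>"   # placeholder, replace
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found." }

# 1. A disabled trust is denied outright.
"Enabled: $($rp.Enabled)"

# 2. Issuance authorization rules decide whether a token is issued at all.
#    No rules, or rules that never issue the 'permit' claim, yield MSIS7011.
"Issuance authorization rules:"
if ([string]::IsNullOrWhiteSpace($rp.IssuanceAuthorizationRules)) {
    "  (none) -> every user is denied"
} else {
    $rp.IssuanceAuthorizationRules
}

# 3. Transform rules control which claims the SaaS receives (shown for reference;
#    they do not cause MSIS7011 but are the next thing the SaaS will complain about).
"Issuance transform rules:"
$rp.IssuanceTransformRules

# Standard 'Permit all users' rule, as produced by the ADFS console template.
# Prefer a rule scoped to an AD group once SSO works, to keep access least-privilege.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Review the output above first; uncomment to apply the permit rule.
# Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $permitAll
```

Run it in an elevated PowerShell session on the federation server; the output tells you whether the denial comes from the trust configuration before you look further at the SaaS side.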