I find myself at somewhat of an impasse at the moment. I have an ASP.Net 4.0 app as my RP and a Passive STS based on the sample built by FedUtil, all very simple stuff.
When I browse to my app I'm redirected to my STS; I can then log on and am sent back to my app, where I'm faced with this error:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
Easy to fix, I hear you say. My web config has this section:
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
        <add thumbprint="50CAC702313DBD2F86797B2766F2AAE675AF8320" name="PassiveSTS" />
    </trustedIssuers>
</issuerNameRegistry>
That is 100% certain the thumbprint of the cert in the STS (copied and pasted from the certificate MMC). So I looked a bit deeper and created myself a custom IssuerNameRegistry that does nothing more than provide me a place to put breakpoints, so I commented out the above and added:
<issuerNameRegistry type="GT.Sateon.Web.SimpleIssuerRegistery">
    <trustedIssuers>
        <add thumbprint="50CAC702313DBD2F86797B2766F2AAE675AF8320" name="PassiveSTS" />
    </trustedIssuers>
</issuerNameRegistry>
And the class is:
using System.Xml;

// Thin subclass of the built-in registry: it only exists so that the
// lookups can be stepped through in the debugger.
public class SimpleIssuerRegistery : Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry
{
    // WIF passes the child nodes of <issuerNameRegistry> (the <trustedIssuers> list) here.
    public SimpleIssuerRegistery(XmlNodeList customConfiguration)
        : base(customConfiguration)
    {}

    public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken)
    {
        var ret = base.GetIssuerName(securityToken); // breakpoint target
        return ret;
    }

    public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken, string requestedIssuerName)
    {
        var ret = base.GetIssuerName(securityToken, requestedIssuerName); // breakpoint target
        return ret;
    }
}
Simple stuff. The kicker is this works!?! No idea what's different here. So I started poking around inside ConfigurationBasedIssuerNameRegistry and ended up debugging in here:
public override string GetIssuerName(SecurityToken securityToken)
{
    if (securityToken == null)
    {
        throw DiagnosticUtil.ExceptionUtil.ThrowHelperArgumentNull("securityToken");
    }
    X509SecurityToken token = securityToken as X509SecurityToken;
    if (token != null)
    {
        string thumbprint = token.Certificate.Thumbprint;
        if (this._configuredTrustedIssuers.ContainsKey(thumbprint)) // Breakpoint here
        {
            return this._configuredTrustedIssuers[thumbprint];
        }
    }
    return null;
}
If I open up the immediate window and execute a few commands:
this
{Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry}
base {Microsoft.IdentityModel.Tokens.IssuerNameRegistry}: {Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry}
_configuredTrustedIssuers: Count = 1
ConfiguredTrustedIssuers: Count = 1
this._configuredTrustedIssuers.Keys
Count = 1
[0]: "50CAC702313DBD2F86797B2766F2AAE675AF8320"
this._configuredTrustedIssuers["50CAC702313DBD2F86797B2766F2AAE675AF8320"]
'this._configuredTrustedIssuers["50CAC702313DBD2F86797B2766F2AAE675AF8320"]' threw an exception of type 'System.Collections.Generic.KeyNotFoundException'
base {System.SystemException}: {"The given key was not present in the dictionary."}
So at this point I'm really stuck. Anyone got any ideas?!? I'm all out!
Cheers,
Stephen.
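As an added diagnostic (not code from the original post or from WIF), this subclass logs, whenever the base lookup returns null, an escaped rendering of each configured key next to the presented certificate thumbprint, so a character that the immediate window would not display (anything outside printable ASCII) becomes visible, and it also reports whether the two agree once non-hex characters are stripped. The class name and the use of Trace for output are my own choices; it assumes WIF 3.5 and a trustedIssuers section like the one above.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Xml;
// Added diagnostic subclass (not part of the original post or of WIF).
// Assumes WIF 3.5 (Microsoft.IdentityModel) and a <trustedIssuers> section like the one above.
public class DiagnosticIssuerRegistry : Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry
{
    public DiagnosticIssuerRegistry(XmlNodeList customConfiguration)
        : base(customConfiguration) { }

    // Renders every character outside printable ASCII as \uXXXX so that
    // non-printing characters hidden inside a thumbprint become visible.
    public static string Escape(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            if (c >= ' ' && c <= '~') sb.Append(c);
            else sb.AppendFormat("\\u{0:X4}", (int)c);
        }
        return sb.ToString();
    }

    // Keeps only hex digits, upper-cased: what a clean SHA-1 thumbprint reduces to.
    public static string HexOnly(string s)
    {
        return new string(s.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
    }

    public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken)
    {
        string name = base.GetIssuerName(securityToken);
        var x509 = securityToken as System.IdentityModel.Tokens.X509SecurityToken;
        if (name != null || x509 == null) return name;
        // Lookup failed: compare the presented thumbprint with each configured key,
        // both exactly (ordinal) and after stripping anything that is not a hex digit.
        string presented = x509.Certificate.Thumbprint;
        foreach (string configured in ConfiguredTrustedIssuers.Keys)
        {
            bool exact = string.Equals(configured, presented, StringComparison.Ordinal);
            bool hexEqual = HexOnly(configured) == HexOnly(presented);
            System.Diagnostics.Trace.WriteLine(string.Format(
                "configured={0} (len {1}) presented={2} (len {3}) exact={4} hexEqual={5}",
                Escape(configured), configured.Length, Escape(presented), presented.Length, exact, hexEqual));
        }
        return null;
    }
}
```

Point the type attribute of issuerNameRegistry at this class in place of SimpleIssuerRegistery and read the trace output: a configured key that is longer than the presented thumbprint, or that shows a \uXXXX escape, is the value to retype by hand rather than paste.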