Friday, October 14, 2016

Windows 2016 ADFS 4.0 OpenID connector does not work with custom claims provider

Default install custom claims provider with ADFS 4.0 that OpenId client report error:
 MSIS9642: The request cannot be completed because an id token 
is required but the server was unable to construct an id token 
for the current user.



To fix this issue:



The root cause of MSIS9642 is that the new OpenID Connect Application Group features in ADFS 2016 need to issue an access token to your application. This token must include the users identity. In order to issue the token the subsystem must understand which claim in the inbound claims is used to uniquely identify the user.



A new property called AnchorClaimType has been added to the Claim Provider Trust model.



When ADFS is first installed it registers a built in Claim Provider Trust for AD AUTHORITY and sets the value for AnchorClaimType to



http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname



You can see this by using the powershell command get-adfsclaimsprovidertrust.



This is why OpenID works for when authenticating against Active Directory.







When you create a new Claim Provider Trust the system does not set an AnchorClaimType. The OpenID system can't issue a token because it does not know which inbound claim constitutes the unique user identity. This is why OpenID does not work when authenticating against an external Claim Provider trust.



In order to resolve this problem you need to take a few actions:



a) Verify that you are running Windows Server 2016 RTM Unfortunately the powershell attribute to set AnchorClaimType does not exist in the CTP, and the property cannot be set using the UI.



b) Choose a claim from the inbound token that represents the users identity and identify the claim type. In our case we were federating with an Azure Active Directory and chose name, and the type is foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name



c) Set the AnchorTypeClaim for the Claim Provider Trust to the type selected by using powershell



set-adfsclaimsprovidertrust -targetidentifier identifier -AnchorClaimType  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name



(get identifier from powershell get-adfsclaimsprovidertrust)



set-adfsclaimsprovidertrust -targetidentifier http://idqidp.domain.com  -AnchorClaimType  http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname




Refrence: 


http://stackoverflow.com/questions/35295260/adfs-openid-connect-email-claim-and-external-adfs



















Posted by



at







































No comments:















Post a Comment


















        

      









Subscribe to:
Post Comments (Atom)