WS-Federation with Dynamics 365 Online #1802
Description
- [x] I read and understood how to enable logging
Hi,
I have a working implementation of IdentityServer, already integrated with a website using AuthorizationCode flow. I do also need to federate a Dynamics 365 Online with my IdentityServer.
I have the following configurations.
On the Dynamics side:
```powershell
$dom = "xxx.org"
$brandname = "xxx"
$issuerUri = "https://xxx"
$passiveLogonUri = "xxx/core/wsfed"
$activeLogonUri= "xxx/core/login"
$meta = "xxx/core/wsfed/metadata"
$cert = "MIxxxx"
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $brandname -Authentication Federated -ActiveLogOnUri $activeLogonUri -IssuerUri $issuerUri -PassiveLogOnUri $passiveLogonUri -MetadataExchangeUri $meta -LogOffUri $passiveLogonUri -SigningCertificate $cert -PreferredAuthenticationProtocol WsFed
```
On the IdentityServer side:
```csharp
// Relying party registration for the IdentityServer3 WS-Federation plugin
// (the surrounding `new RelyingParty { ... }` is implied by the snippet, not quoted in the issue)
var relyingParty = new RelyingParty
{
    Realm = "urn:federation:MicrosoftOnline",
    Name = "CRM Dynamics Dev",
    Enabled = true,
    ReplyUrl = "https://xxx.dynamics.com", // have tried https://login.microsoftonline.com/login.srf also
    TokenType = "urn:oasis:names:tc:SAML:2.0:assertion", // have tried urn:oasis:names:tc:SAML:1.0:assertion also
};
```
But every time I try the login, once the user is successfully authenticated, IdSrv redirects back, but I just keep on getting the following error in the browser:
"Intente esta acción de nuevo. Si el problema persiste, consulte la Comunidad Microsoft Dynamics 365 para obtener soluciones o póngase en contacto con el administrador de Microsoft Dynamics 365 de su organización. En última instancia, puede ponerse en contacto con el Soporte técnico de Microsoft."
On the URL we can see the following error code: https://xxx.dynamics.com/_common/error/errorhandler.aspx?BackUri=https%3a%2f%2fxxx%2fcore%2fwsfed%3fclient-request-id%3d3467526b-74b4-4a1d-a359-1b3722f0b382
(...) &ErrorCode=&Parm0=%0d%0a%0d%0aDetalles%20del%20error%3a%20Invalid%20URI%3a%20The%20hostname%20could%20not%20be%20parsed.&RequestUri=%2fdefault.aspx&user_lcid=3082
By the way, when I tried using ReplyUrl ="https://login.microsoftonline.com/login.srf" with SAML1.1, the error was:
AADSTS90019: The SAML 1.1 Assertion contains no ImmutableID of the user.
and with SAML2, the error was:
AADSTS50008: Cannot read SecurityToken. Expected element is (Assertion, urn:oasis:names:tc:SAML:1.0:assertion) the actual element is (Assertion, urn:oasis:names:tc:SAML:2.0:assertion
I was unable to find any working example anywhere online. Could anyone please provide any hint on how to proceed? Many thanks in advance.
Regards.
Relevant parts of the log file
There isn't any exception on the IdSrv log side.
```
2017-11-27 10:15:28.515 +01:00 [Information] {
  "Category": "Endpoints",
  "Name": "WS-Federation endpoint success",
  "EventType": "Success",
  "Id": 50001,
  "Details": {
    "EndpointName": "wsfederation",
    "Operation": "signin",
    "Realm": "urn:federation:MicrosoftOnline",
    "Subject": "xxxxx",
    "Url": "https://xxxxx/core/wsfed?client-request-id=3467526b-74b4-4a1d-a359-1b3722f0b382&username=xxx%40xxx&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=LoginOptions%3D3%26estsredirect%3d2%26estsrequest%3drQIIAaVSv2_TQBS2m7QqUYYKJFQJISFEsiD_PDtnR4ogakgaFLuKSTDJdvZdEttxHF0uJcnIwMSAxNYRmDoCExL_QKfO_AWIAbUbI1YEnQDxQ7on3fve-957eu_LceXCiLHprCxJPo0DH8WYHIrpVxPxcoJSZCb6SSzRy7mdyBlq79j1-6961-DNs7dPjvm9C-44mWNKcECJzxL6kwINqTpnI-d7itScYLIQ0Wy6OOX5Tzz_cSPvzuoEE4pYkEyOMucbU1p5PBtcQEUaV9btCgAV1EH6fjdwGi7S-d8RMBmg-ZitpyrS5X-Q04SEDgNcKZUUxdN9VVCQTgQNISgYOkAC9JEHIcQe1M3iJJn4pLLnWO6DdAPi2hVLoKRBAGXDNGQADFM1xH6jqVgrJ7AabXZQc2I7kGW75kQttynbnS7rufXIcvtja9VdWrWe3g-j1HBkraqs3-kCeynLB52HYcu9t7DDNrNW0aoXtlU7HI2suD56k7llYgg8H-iC4hmyoEEFC-YAmIJBPNOTkUlUIJ9mc5-zeTlT3t7O7XC73A3ua5Z_uZkK5OnVKx-882P76PWLL_t3Te5kU2otVI969jB5pNBaOz39baWkHgZdaoeBG_bqS5UF-8MaVki1AsrK8638yRZ3tsW9v_SM_2NxlTUN_Fpgd35gneTfT_oN0&cbcxt=&mkt=&lc="
  },
  "Context": {
    "ActivityId": "8dd637e1-65a8-4f39-b404-98a9d756cc59",
    "TimeStamp": "2017-11-27T09:15:28.5144126+00:00",
    "ProcessId": 3312,
    "MachineName": "xxx",
    "RemoteIpAddress": "xxx",
    "SubjectId": "xxx"
  }
}
```
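The two AADSTS errors in the issue pin down what Azure AD / Dynamics 365 Online checks before it even looks at the signature: AADSTS50008 says the assertion element must be in the SAML 1.1 namespace (`urn:oasis:names:tc:SAML:1.0:assertion`), and AADSTS90019 says the assertion must carry an ImmutableID claim. The following pre-flight checker, which is an added example and not code from the issue or from the IdentityServer project, encodes those two requirements so a token can be inspected locally before sending it to the federation endpoint. The claim-type URIs for ImmutableID and UPN are the ones used for Azure AD federation and are an assumption of this example (the issue only names the ImmutableID claim, not its URI); the sample assertions are constructed and unsigned, since the point is token shape, not cryptography.

```python
"""Pre-flight shape check for a SAML token destined for Azure AD (WS-Federation).

Added example, not part of GitHub issue #1802 or of IdentityServer3.
It mirrors the two failure classes quoted in the issue:
  - AADSTS50008: assertion is SAML 2.0, Azure AD expects SAML 1.1
  - AADSTS90019: assertion carries no ImmutableID claim
"""
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # what Azure AD expects
SAML20_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # what the issue's config emits
# Claim types required by Azure AD federation (assumed here; not quoted in the issue).
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
UPN = "http://schemas.xmlsoap.org/claims/UPN"


def _split_tag(tag):
    """Turn ElementTree's '{namespace}local' into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def saml11_attributes(root):
    """Collect {claim_type: [values]} from a SAML 1.1 AttributeStatement.

    SAML 1.1 carries AttributeNamespace + AttributeName separately; WIF-style
    issuers split the claim type at its last '/', so joining them restores it.
    """
    attrs = {}
    for attr in root.iter(f"{{{SAML11_NS}}}Attribute"):
        ns = attr.get("AttributeNamespace", "")
        name = attr.get("AttributeName", "")
        claim_type = f"{ns}/{name}" if ns else name
        values = [v.text or "" for v in attr.findall(f"{{{SAML11_NS}}}AttributeValue")]
        attrs[claim_type] = values
    return attrs


def check_azure_ad_token(xml_text):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    root = ET.fromstring(xml_text)
    ns, local = _split_tag(root.tag)
    if local != "Assertion":
        return [f"root element is {local!r}, expected Assertion"]
    if ns == SAML20_NS:
        # Exactly the mismatch AADSTS50008 reports.
        return ["AADSTS50008-class: assertion is SAML 2.0, Azure AD expects "
                f"({SAML11_NS})"]
    if ns != SAML11_NS:
        return [f"unexpected assertion namespace {ns!r}"]
    attrs = saml11_attributes(root)
    if not any(v.strip() for v in attrs.get(IMMUTABLE_ID, [])):
        problems.append("AADSTS90019-class: no ImmutableID claim in the assertion")
    if not any(v.strip() for v in attrs.get(UPN, [])):
        problems.append("no UPN claim; Azure AD federation requires it alongside ImmutableID")
    return problems


# Constructed sample tokens (unsigned, placeholder values).
SAML2_TOKEN = f'<Assertion xmlns="{SAML20_NS}" ID="_1"><Issuer>https://idsrv.example</Issuer></Assertion>'

SAML11_NO_IMMUTABLE_ID = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" AssertionID="_2" MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAML11_OK = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" AssertionID="_3" MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>PLACEHOLDER-IMMUTABLE-ID</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, token in [("SAML 2.0", SAML2_TOKEN),
                         ("SAML 1.1 without ImmutableID", SAML11_NO_IMMUTABLE_ID),
                         ("SAML 1.1 with UPN + ImmutableID", SAML11_OK)]:
        print(label, "->", check_azure_ad_token(token) or "OK")
```

Run against the three constructed tokens, the checker reports the SAML 2.0 mismatch for the first, the missing ImmutableID for the second, and passes the third. Mapped back to the issue's configuration, that means the relying party's `TokenType` has to be the SAML 1.1 URI and the claims issued for the realm `urn:federation:MicrosoftOnline` have to include an ImmutableID value (with the UPN), which is the condition under which the two AADSTS errors stop being triggered; the checker does not verify signatures or the `Invalid URI` redirect problem, which is a separate configuration question.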