Following this post I have created a WCF client which:
- Uses ADFS to authenticate users against AD.
- Provides a SAML2 ticket to the caller.
- Uses the supplied SAML2 ticket to call the WCF Service.
This is working great, however the next part of my problem is to extend this to use Azure ACS.
I added the RP to ACS, and changed the STS reference to point to ACS using Add STS Reference in Visual studio.
I have extended the Token.GetToken method, passing the ADFS token into the following method:
// Namespaces added for completeness (.NET 4.5 names; under the WIF 3.5 SDK the
// WS-Trust types live in Microsoft.IdentityModel.Protocols.WSTrust instead).
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class Token
{
    public static SecurityToken GetToken(SecurityToken adfsToken, string appliesTo, string idpEndpointAddress, out RequestSecurityTokenResponse rsts)
    {
        // Message security over HTTPS, no secure-conversation session
        WS2007HttpBinding binding = new WS2007HttpBinding();
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;

        WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(idpEndpointAddress));
        trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
        trustChannelFactory.ConfigureChannelFactory();

        // Create the issuance request and get the security token
        RequestSecurityToken requestToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
        requestToken.AppliesTo = new EndpointAddress(appliesTo);

        // Authenticate to the STS with the token ADFS already issued
        WSTrustChannel tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannelWithIssuedToken(adfsToken);
        SecurityToken token = tokenClient.Issue(requestToken, out rsts);
        return token;
    }
}
To the following endpoint:
https://test.accesscontrol.windows.net/v2/wstrust/13/issuedtoken-symmetric
But I get the following exception:
Secure channel cannot be opened because security negotiation with the
remote endpoint has failed. This may be due to absent or incorrectly
specified EndpointIdentity in the EndpointAddress used to create the
channel. Please verify the EndpointIdentity specified or implied by
the EndpointAddress correctly identifies the remote endpoint.
With an inner exception of:
ACS10001: An error occurred while processing the SOAP header.
- What do I need to configure in ACS to get this working with the token supplied by ADFS?
- Do I need to use the token supplied by ACS, or can I use the one supplied by ADFS in the service? (It appears to be working...)
Take a look at the linked ACS sample, which seems to be doing exactly what you’re asking.
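On the second question, the check a practitioner would want at the WCF service is that it only accepts tokens signed by the STS its relying party is registered with: if the service still trusts the ADFS signing certificate, an ADFS token will keep "working" whether or not ACS is in the chain. The following is an added example, not code from the question, the answer or the linked sample: a WIF IssuerNameRegistry that pins trust to one signing certificate by thumbprint. The thumbprint value and the issuer name are assumed placeholders; it is written against the .NET 4.5 System.IdentityModel namespaces (under the WIF 3.5 SDK the base class is Microsoft.IdentityModel.Tokens.IssuerNameRegistry).

```csharp
// Added example: pin the service's trusted issuer to a single signing certificate.
// Not from the original question or answer; thumbprint and issuer name are assumed.
using System;
using System.IdentityModel.Tokens;

public sealed class PinnedIssuerNameRegistry : IssuerNameRegistry
{
    // Assumed placeholder: replace with the thumbprint of the signing certificate
    // of the STS the relying party is registered with (for ACS, the namespace
    // certificate published in its FederationMetadata).
    private const string TrustedThumbprint = "0000000000000000000000000000000000000000";

    // Assumed placeholder: the issuer name the service expects in the SAML token.
    private const string TrustedIssuerName = "https://test.accesscontrol.windows.net/";

    // WIF calls this with the token that carries the signing key of the incoming
    // SAML token. Returning null or throwing rejects the token.
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509 = securityToken as X509SecurityToken;
        if (x509 == null)
        {
            throw new SecurityTokenException("Token was not signed with an X.509 certificate.");
        }

        // Compare thumbprints, not subject names: a subject name is chosen by
        // whoever requested the certificate, the thumbprint is not.
        string actual = x509.Certificate.Thumbprint;
        if (!string.Equals(actual, TrustedThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            throw new SecurityTokenException("Untrusted signing certificate: " + actual);
        }

        return TrustedIssuerName;
    }
}
```

The registry is wired in through the service's identity-model configuration (the issuerNameRegistry element, with type set to the assembly-qualified name of the class above) alongside an audienceUris entry for the service, so that a token from any other STS, including ADFS directly, fails validation instead of silently appearing to work.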