Hello,
I am working on a proof of concept using Azure Active Directory Access Control; Fig. 4 at "The fundamentals of Azure identity management" is the model I am shooting for. Since I need to manage my own identities in a deep-heritage SaaS solution, I am setting up my own OpenID provider. For that, I am using DotNetOpenAuth. In my very vanilla "hello world" example, I built a simple MVC app and registered it in my Access Control Service namespace as a Relying Party Application, and also registered the OpenIdProviderMvc project as-is from DotNetOpenAuth.Samples as my OpenID Provider using the ACS Management Service. Here is the view I registered,
// svc: the ACS Management Service client; openId: the IdentityProvider entity created earlier
var openIdAddress = new IdentityProviderAddress { Address = "http://localhost:56412/openid/Provider", EndpointType = "SignIn" };
svc.AddRelatedObject(openId, "IdentityProviderAddresses", openIdAddress);
svc.SaveChanges();
which is the OpenID Provider endpoint page expecting to receive OpenID authentication messages to allow users to log into other web sites. This works well: when I launch my relying party application, where I installed the appropriate NuGet packages for DotNetOpenAuth (core, relying party, and their dependencies), the OpenID Provider gets called from the configuration in ACS and login is successful. However, on redirection to ACS, sending the OpenID response to my namespace (https://....accesscontrol.windows.net/v2/openid?...), I get the error response:
An error occurred while processing your request.
HTTP Error Code: 502
Message: ACS30000: There was an error processing a sign-in response sent to the OpenID endpoint.
Inner Message: ACS30001: Unable to verify the OpenID response signature.
Inner Message: ACS90005: External server error.
Trace ID: 41338728-fd6e-4299-9efb-ad8684976aae
Timestamp: 2015-08-10 19:18:28Z
I am trying to figure out what I need to do to help ACS be able to verify the OpenID response signature. The response looks good (formatted for legibility):
https://....accesscontrol.windows.net/v2/openid?
context=cH...2
openid.claimed_id=http://localhost:56412/user/bob
openid.identity=http://localhost:56412/user/bob
openid.sig=NU...Rs=
openid.signed=claimed_id,identity,assoc_handle,op_endpoint,return_to,response_nonce,ns.alias3,alias3.mode,alias3.type.alias1,alias3.value.alias1,alias3.type.alias2,alias3.value.alias2,ns.sreg,sreg.email,sreg.fullname
openid.assoc_handle=WWcF!...
openid.alias3.type.alias2=http://axschema.org/namePerson
openid.alias3.value.alias2=bob
openid.ns.sreg=http://openid.net/extensions/sreg/1.1
openid.sreg.email=bob@dotnetopenauth.net
openid.sreg.fullname=bob
Is this something I should be able to handle in the Rule Groups? Is there something I am missing in the security between my OpenId provider and ACS, such as sending some information back relating to signing algorithm, thumbprint, or something?
Thank you
Tom Schulte | Plex Systems
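For readers wanting to check what the relying party (here ACS) actually verifies in a response like the one above, the following is an added example, not code from the post, from DotNetOpenAuth or from ACS. It implements the OpenID 2.0 signature rule (key-value form of the fields listed in openid.signed, HMAC with the association's MAC key, base64) over a constructed subset of the posted response; the MAC key, assoc_handle, return_to and response_nonce values are placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample mirroring the post's response (AX alias fields omitted);
# secret or site-specific values are placeholders.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "http://localhost:56412/openid/Provider",
    "openid.claimed_id": "http://localhost:56412/user/bob",
    "openid.identity": "http://localhost:56412/user/bob",
    "openid.return_to": "https://NAMESPACE-PLACEHOLDER.accesscontrol.windows.net/v2/openid",
    "openid.response_nonce": "2015-08-10T19:18:28ZNONCE-PLACEHOLDER",
    "openid.assoc_handle": "ASSOC-HANDLE-PLACEHOLDER",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.email": "bob@dotnetopenauth.net",
    "openid.sreg.fullname": "bob",
    "openid.signed": "claimed_id,identity,assoc_handle,op_endpoint,return_to,"
                     "response_nonce,ns.sreg,sreg.email,sreg.fullname",
}
# Constructed MAC key; in a real exchange this is the secret shared between OP and RP
# when the association named by openid.assoc_handle was established.
MAC_KEY = b"constructed-association-mac-key"


def kv_form(params):
    """Key-Value Form encoding (OpenID 2.0 sec. 4.1.1) of the signed fields,
    in the order given by openid.signed; each line is 'name:value\\n'."""
    lines = []
    for name in params["openid.signed"].split(","):
        value = params["openid." + name]
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("illegal character in signed field %r" % name)
        lines.append("%s:%s\n" % (name, value))
    return "".join(lines).encode("utf-8")


def compute_sig(params, mac_key, digest=hashlib.sha256):
    """openid.sig = base64(HMAC(mac_key, kv_form(signed fields))), OpenID 2.0 sec. 6.1.
    digest is sha1 for HMAC-SHA1 associations, sha256 for HMAC-SHA256."""
    mac = hmac.new(mac_key, kv_form(params), digest).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_response(params, mac_key, digest=hashlib.sha256):
    """Return a copy of the response carrying a freshly computed openid.sig."""
    return dict(params, **{"openid.sig": compute_sig(params, mac_key, digest)})


def verify_sig(params, mac_key, digest=hashlib.sha256):
    """True iff openid.sig matches the signed fields; constant-time comparison."""
    return hmac.compare_digest(compute_sig(params, mac_key, digest), params.get("openid.sig", ""))
```

Verification only succeeds when the relying party holds the MAC key for the assoc_handle (or can ask the OP via check_authentication), which requires that the relying party can reach the OP endpoint named in openid.op_endpoint.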