
MSIS7006: The single sign on token is not valid

I'm attempting to set up Geneva Server to work with SharePoint Server. I've resolved a number of issues thus far and have modified Error.aspx.cs so that I get the full error messages (.ToString() instead of .Message); the full stack trace is at the end for information. I went to the event log on the Geneva server and found the following error:
I suspect that I've just not put an appropriate end point value but am not sure what to put?

Am I right in thinking that the correct behaviour would be to get redirected to the above endpoint and then back to the relying party?

Original stack trace referred to at the start of this message is below in case useful:

Microsoft.IdentityServer.Shared.WSFederation.RequestFailedException: MSIS7012: The request failed. Contact your administrator for details. ---> Microsoft.IdentityServer.Shared.WSFederation.SingleSignOnTokenException: MSIS7006: The single sign on token is not valid. at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseCoreWithSsoToken(String singleSignOnToken, WSFederationMessage incomingMessage) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseCoreWithOnBehalfOf(SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, Boolean isIssuedToken, WSFederationMessage incomingMessage) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, Boolean isIssuedToken, WSFederationMessage incomingMessage) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponse(WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SignIn(HttpContext context, WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at FaultHandlingWSFederationPassiveAuthentication.SignIn(SecurityToken token, Boolean isIssuedToken) at forms_FormsSignIn.SubmitButton_Click(Object sender, EventArgs e) --- End of inner exception stack trace ---

Thanks,

Ibs

The Federation Service could not satisfy the request because the relying party 'http://carwfe01.carillion.local:100/' was missing a WS-Federation Passive endpoint address.

Relying party: http://carwfe01.carillion.local:100/

This request failed.

User Action

Use the "Geneva" Identity Server Administration Snap-In to configure a WS-Federation Passive endpoint on this relying party.

I've gone to Geneva Server and set a WS-Federation Passive endpoint of 'https://carad01.carillion.local/FederationPassive', but this leads to a new error: 405 - HTTP verb used to access this page is not allowed.

IbsBarclay

Progress, but still stuck. I've now updated the endpoint to be 'https://carad01.carillion.local/FederationPassive/' (note the addition of the final '/'). Now I get the following error about cookies. I've set all the security settings in Internet Explorer down to their lowest possible level and set it to trust the Geneva Server site, and I'm still getting the error:

An error has occurred while processing the request.

Microsoft.IdentityServer.Shared.WSFederation.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request. at Microsoft.IdentityServer.Shared.WSFederation.EncodedContext..ctor(String encodedValue) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.ParseRelyingPartyInfoFromWCtx(String wctx) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(WSFederationPassiveContext federationPassiveContext, Boolean isIssuedToken) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponse(WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SignIn(HttpContext context, WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at FaultHandlingWSFederationPassiveAuthentication.SignIn(SecurityToken token, Boolean isIssuedToken)

IbsBarclay
An error has occurred while processing the request.

Microsoft.IdentityServer.Shared.WSFederation.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.

Are you hitting Geneva Server directly while testing or are you accessing your Web site and getting redirected there? If you hit Geneva Server without being redirected, the query string arguments -- the passive protocol context -- will be missing. The server won't be able to do anything without this data.


Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer
I think the issue is actually that I'm putting something completely incorrect in the endpoint. I've been putting the address of my Geneva server\FederationPassive, and I've now seen another example where this is actually set to the URL of the relying party (i.e. where the redirection to the Geneva server was first initiated and where, in turn, we should be returning once a token has been added to the request). Can someone confirm if this is correct? Also, can you confirm that this address must be on https? I was under the impression that the relying party could be on http and it was only the FederationPassive address that had to be on https.

I must say at the moment I'm left generally confused, and all the various combinations I've tried have failed, so if I can just be certain of what I'm meant to be entering as the endpoint for the relying party in Geneva Server, that would be a good start!

Thanks,

Ibs
IbsBarclay
I think the issue is actually that I'm putting something completely incorrect in the end point. I've been putting the address of my geneva server\FederationPassive and I've now seen another example where this is actually set to the url of the relying party

If you're talking about the setting in Geneva Server that I think you are, I've been there and done that :-( To confirm, do this:

  1. Open Geneva Server's MMC
  2. Select the Relying Parties node
  3. Open the properties dialog box of your RP
  4. Select the endpoint tab
  5. Select WS-Federation endpoint
  6. Make sure that it is something like https://localhost/myRP and not something like https://localhost/FederationPassive

Was this the config setting you were talking about?

HTH!

Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer
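The two points made in this thread, that a browser which hits the STS directly arrives without the passive protocol context (wtrealm/wctx) and that the relying party's configured "WS-Federation Passive endpoint" is the RP's own return address rather than the STS's FederationPassive page, can be modelled in a few lines. The following is an added example, not Geneva Server's code; the realm identifier, endpoint URL and request query strings are constructed sample values, and the wreply-must-match-registered-endpoint rule is an illustrative policy of the kind an STS applies before posting a token anywhere.

```python
"""Minimal WS-Federation passive sign-in request check (added example).

Models the configuration rule reached in the thread: the RP's passive
endpoint is the RP's own HTTPS address (where the token is posted back),
not the STS's /FederationPassive page, and a request lacking wtrealm/wctx
cannot be routed to any RP. All identifiers below are constructed samples.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample configuration: RP realm identifier -> passive endpoint.
RELYING_PARTIES = {
    "http://rp.example.local:100/": "https://rp.example.local/",
}


def endpoint_is_acceptable(endpoint: str) -> bool:
    """The Geneva snap-in insists on HTTPS for the passive endpoint; mirror that."""
    u = urlsplit(endpoint)
    return u.scheme == "https" and bool(u.netloc) and not u.query and not u.fragment


def reply_matches_endpoint(wreply: str, endpoint: str) -> bool:
    """wreply must sit under the registered endpoint (same scheme, host and
    port, path prefix) so a token is only ever posted to the registered RP."""
    r, e = urlsplit(wreply), urlsplit(endpoint)
    if (r.scheme, r.netloc) != (e.scheme, e.netloc):
        return False
    base = e.path if e.path.endswith("/") else e.path + "/"
    return r.path == e.path or r.path.startswith(base)


def check_signin_request(url: str, rps=RELYING_PARTIES) -> dict:
    """Classify a sign-in request URL the way an STS would before issuing a token.

    Returns {"ok", "error", "post_to", "wctx"}: post_to is where the signed-in
    response would be POSTed (wreply if supplied and valid, else the endpoint).
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    wa, wtrealm, wctx, wreply = (q.get(k) for k in ("wa", "wtrealm", "wctx", "wreply"))
    result = {"ok": False, "error": None, "post_to": None, "wctx": wctx}
    if wa != "wsignin1.0":
        result["error"] = "unsupported or missing wa"
        return result
    if not wtrealm or not wctx:
        # Browser reached the STS directly: nothing identifies the RP or
        # the RP-side state the response must be returned with (cf. MSIS7001).
        result["error"] = "passive protocol context missing (no wtrealm/wctx)"
        return result
    endpoint = rps.get(wtrealm)
    if endpoint is None:
        result["error"] = "unknown relying party"
        return result
    if not endpoint_is_acceptable(endpoint):
        # Registered endpoint is not HTTPS or is malformed: refuse to post a token.
        result["error"] = "relying party has no usable HTTPS passive endpoint"
        return result
    if wreply and not reply_matches_endpoint(wreply, endpoint):
        result["error"] = "wreply does not match registered endpoint"
        return result
    result.update(ok=True, post_to=wreply or endpoint)
    return result


if __name__ == "__main__":
    sample = ("https://sts.example.local/FederationPassive/?wa=wsignin1.0"
              "&wtrealm=http%3A%2F%2Frp.example.local%3A100%2F"
              "&wctx=rm%3D0%26id%3Dpassive&wreply=https%3A%2F%2Frp.example.local%2F_trust%2F")
    print(check_signin_request(sample))
```

The direct-hit case is the one Travis describes: with no wtrealm and wctx the function refuses the request outright, because there is no RP to build a response for. The endpoint check is the one the thread's steps 1 to 6 configure: an HTTPS address on the RP's side, under which any wreply must fall.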
Yes that's exactly what I'm talking about. I did change the setting exactly as you suggest before making the last post. The only difference is that I had to put https rather than http as the Geneva Server management program pops up an error saying you have to use https. Having done this I'm now getting another error which I'm currently looking into - watch this space...

IbsBarclay
The subsequent error was related to certificates and is now resolved. The answer above was the resolution to my original problem: the endpoint should be the address of the relying party (i.e. the place you want to land up at once authentication has completed).
IbsBarclay
