Add Encryption and Signing to an ADFS login site










2 Jan 2019 - Added an extra question below



I'm new to ADFS and am developing a site with an ADFS login. I got a basic ADFS login to work, but without encryption and signing, and I need to add that to the login. Does anyone know how to implement this?
And what kind of certificate can/should I use, and how do I get it?



This is my code so far:



Default.aspx







<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
<asp:Label runat="server" ID="lblInfo"></asp:Label>
</div>
</form>
</body>
</html>


Default.aspx.cs



using System;
using System.Threading;
using System.Web;
using System.Web.UI;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Page.User.Identity.IsAuthenticated)
        {
            // Render every claim carried by the federated identity as a table.
            lblInfo.Text += "<TABLE border=\"1\" Align=\"Center\" CellSpacing=\"15\" CellPadding=\"15\">";
            lblInfo.Text += "<TR><TD>";
            lblInfo.Text += "<b>Claim Type</b></TD><TD>";
            lblInfo.Text += "<b>Claim Value</b>";
            lblInfo.Text += "</TD></TR>";

            foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)
            {
                // Claim values come straight from the token, so HTML-encode them before rendering.
                lblInfo.Text += "<TR><TD>";
                lblInfo.Text += HttpUtility.HtmlEncode(claim.Type) + "</TD><TD>";
                lblInfo.Text += HttpUtility.HtmlEncode(claim.Value);
                lblInfo.Text += "</TD></TR>";
            }

            lblInfo.Text += "</TABLE>";
        }
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Sign out of the OWIN authentication middleware (cookie and WS-Federation).
        var ctx = Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut();
    }
}




App_Code/RouteConfig.cs



using System.Web.Routing;
using Microsoft.AspNet.FriendlyUrls;

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        var settings = new FriendlyUrlSettings();
        settings.AutoRedirectMode = RedirectMode.Permanent;
        routes.EnableFriendlyUrls(settings);
    }
}




App_Code/Startup.cs



using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }
}




App_Code/StartupAuth.cs



using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Microsoft.Owin.Extensions;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Issuer, endpoints and signing keys are read from the ADFS federation metadata.
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });

        app.UseStageMarker(PipelineStage.Authenticate);
    }
}




Web.config



<?xml version="1.0"?>
<configuration>
<appSettings>
<!-- ADFS -->
<add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
<add key="ida:Wtrealm" value="https://MySite" />
<!-- ADFS -->
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5"/>
<httpRuntime targetFramework="4.5"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<customErrors mode="Off"/>
</system.web>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs"
type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
</compilers>
</system.codedom>
</configuration>


Update - 2 Jan 2019



Sorry for this late reply.
I finally had time to look through all your links; thanks, they helped me a lot, but I ran into another problem. I think I've added encryption correctly, but now I'm getting this error:



ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



D:\www_ADFS_SACCK_TEST_Simpel_med_encrypt_sign\App_Code\EncryptedSecurityTokenHandlerEx.cs Line: 51



A lot of sites mention that it's the thumbprint that is causing the problem, with some hidden characters at the beginning of the thumbprint, so I've typed it in manually, but that didn't help.



Does anybody know what the problem can be?



I changed some of the code so it now looks like this:



StartupAuth.cs



using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Microsoft.Owin.Extensions;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
    private static string _SignInAsAuthenticationType = "cookies";
    // Thumbprint of the ADFS token-signing certificate (redacted here).
    private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
    //private const string Issuer = "LOCAL AUTHORITY";
    private const string Issuer = "CN = testComp adfs";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
        });

        // Only accept tokens issued for this relying party (the Wtrealm).
        var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

        // Maps the signing certificate's thumbprint to an issuer name. A token signed
        // with a certificate that is not in this registry fails with ID4175.
        var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)
        {
            Wtrealm = realm,
            MetadataAddress = _MetadataAddress,
            TokenValidationParameters = new TokenValidationParameters
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            },
            SecurityTokenHandlers = new SecurityTokenHandlerCollection
            {
                // Decrypts the EncryptedData envelope with the relying party's certificate
                // from the LocalMachine\My store; the inner SAML token is then validated below.
                new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
                new SamlSecurityTokenHandlerEx
                {
                    // No X.509 chain validation of the signing certificate; trust rests on the thumbprint registry.
                    CertificateValidator = X509CertificateValidator.None,
                    Configuration = new SecurityTokenHandlerConfiguration()
                    {
                        AudienceRestriction = audienceRestriction,
                        IssuerNameRegistry = issuerRegistry
                    }
                }
            }
        });

        app.UseStageMarker(PipelineStage.Authenticate);
    }
}





I've also added two more classes:



SamlSecurityTokenHandlerEx.cs



using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Xml;

public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator
{
    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
    }

    // ISecurityTokenValidator entry point used by the OWIN WS-Federation middleware:
    // parse the SAML assertion, then run the base handler's validation (signature,
    // issuer name registry, audience restriction, conditions).
    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
        out SecurityToken validatedToken)
    {
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        return new ClaimsPrincipal(ValidateToken(validatedToken));
    }

    public int MaximumTokenSizeInBytes { get; set; }
}



EncryptedSecurityTokenHandlerEx.cs



using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Xml;

public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator
{
    public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)
    {
        // The resolver supplies the relying party's private key used to decrypt the token.
        Configuration = new SecurityTokenHandlerConfiguration
        {
            ServiceTokenResolver = securityTokenResolver
        };
    }

    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        // Decrypt the EncryptedData envelope; the inner (SAML) token is handed to the
        // matching handler in the same collection for validation.
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        if (ContainingCollection != null)
        {
            return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));
        }
        return new ClaimsPrincipal(base.ValidateToken(validatedToken));
    }

    public int MaximumTokenSizeInBytes { get; set; }
}
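An added example, not code from the original post: it derives the ADFS token-signing certificate thumbprint(s) from the federation metadata the Web.config already points at (`ida:ADFSMetadata`) and builds the `ConfigurationBasedIssuerNameRegistry` from them, so the value handed to `AddTrustedIssuer` is computed rather than pasted, and it normalizes a hand-typed thumbprint (the hidden-character case above). Assumptions: the 2007-06 federation metadata layout (`KeyDescriptor use="signing"` under the SAML 2.0 metadata namespace with XML-DSig `X509Certificate` children), a reference to the System.IdentityModel assembly, and that the sample metadata and base64 blobs in `Main` are constructed stand-ins, not real certificates.

```csharp
// Added example (not from the original post): issuer registry built from ADFS metadata.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public static class AdfsSigningCerts
{
    // Assumed namespaces: SAML 2.0 metadata and XML-DSig, as used by ADFS federation metadata.
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    // Thumbprint exactly as X509Certificate2.Thumbprint reports it:
    // uppercase hex of SHA-1 over the DER-encoded certificate.
    public static string ThumbprintOf(byte[] der)
    {
        using (var sha1 = SHA1.Create())
            return BitConverter.ToString(sha1.ComputeHash(der)).Replace("-", "");
    }

    // A thumbprint copied out of the certificate MMC often carries an invisible
    // U+200E left-to-right mark and spaces; keep only the 40 hex digits.
    public static string NormalizeThumbprint(string typed)
    {
        string hex = Regex.Replace(typed ?? "", "[^0-9A-Fa-f]", "");
        if (hex.Length != 40)
            throw new ArgumentException("A SHA-1 thumbprint has 40 hex digits, got " + hex.Length);
        return hex.ToUpperInvariant();
    }

    // Every <KeyDescriptor use="signing"> in the metadata, de-duplicated by thumbprint.
    // "encryption" descriptors are skipped on purpose: registering the token-decrypting
    // certificate instead of the token-signing one leaves the registry without the
    // signer, which is exactly the ID4175 condition.
    public static IList<string> SigningThumbprints(string metadataXml)
    {
        XDocument doc = XDocument.Parse(metadataXml);
        return doc.Descendants(Md + "KeyDescriptor")
            .Where(kd => (string)kd.Attribute("use") == "signing")
            .Descendants(Ds + "X509Certificate")
            .Select(c => ThumbprintOf(Convert.FromBase64String(c.Value)))  // base64 whitespace is ignored
            .Distinct()
            .ToList();
    }

    // The registry that the SamlSecurityTokenHandlerEx configuration expects.
    public static ConfigurationBasedIssuerNameRegistry BuildRegistry(string metadataXml, string issuerName)
    {
        var registry = new ConfigurationBasedIssuerNameRegistry();
        foreach (string thumbprint in SigningThumbprints(metadataXml))
            registry.AddTrustedIssuer(thumbprint, issuerName);
        return registry;
    }

    // For the real site: pass ConfigurationManager.AppSettings["ida:ADFSMetadata"].
    public static ConfigurationBasedIssuerNameRegistry FromMetadataUrl(string metadataUrl, string issuerName)
    {
        using (var web = new WebClient())
            return BuildRegistry(web.DownloadString(metadataUrl), issuerName);
    }

    public static void Main()
    {
        // Constructed sample: the base64 payloads are NOT real certificates; they only
        // stand in for DER bytes so the thumbprint arithmetic runs offline.
        const string md = "urn:oasis:names:tc:SAML:2.0:metadata";
        const string ds = "http://www.w3.org/2000/09/xmldsig#";
        string sampleMetadata =
            "<EntityDescriptor xmlns='" + md + "' entityID='http://fs-test.example/adfs/services/trust'>" +
            "<IDPSSODescriptor protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>" +
            "<KeyDescriptor use='encryption'><KeyInfo xmlns='" + ds + "'><X509Data>" +
            "<X509Certificate>ZW5jcnlwdGlvbi1jZXJ0</X509Certificate></X509Data></KeyInfo></KeyDescriptor>" +
            "<KeyDescriptor use='signing'><KeyInfo xmlns='" + ds + "'><X509Data>" +
            "<X509Certificate>\n c2lnbmluZy1jZXJ0 \n</X509Certificate></X509Data></KeyInfo></KeyDescriptor>" +
            "</IDPSSODescriptor></EntityDescriptor>";

        IList<string> signing = SigningThumbprints(sampleMetadata);
        Console.WriteLine("signing thumbprint from metadata: " + signing[0]);

        // Simulate the MMC copy/paste: leading U+200E, lowercase, space-separated byte pairs.
        string pasted = "\u200E" + string.Join(" ",
            Enumerable.Range(0, 20).Select(i => signing[0].Substring(i * 2, 2).ToLowerInvariant()));
        Console.WriteLine("pasted value matches after normalization: " +
            (NormalizeThumbprint(pasted) == signing[0]));

        ConfigurationBasedIssuerNameRegistry registry = BuildRegistry(sampleMetadata, "CN = testComp adfs");
        Console.WriteLine("trusted issuers registered: " + registry.ConfiguredTrustedIssuers.Count);
    }
}
```

Comparing `NormalizeThumbprint(SigningCertThumbprint)` against `SigningThumbprints(...)` for the live metadata tells you directly whether the pasted constant is the token-signing certificate ADFS currently advertises.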











share|improve this question




























    0















    2 Jan 2019 - Added an extra question below



    I'm new to ADFS and is developing a site with a ADFS login, I got a basic ADFS login to work but without Encryption and Signing and I need to add that to the login. Do anyone knows how to implement this?
    and what kind og certificate can/should i use and how do i get it?



    This is my code so far:



    Default.aspx







    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
    <title></title>
    </head>
    <body>
    <form id="form1" runat="server">
    <div>
    <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
    <asp:Label runat="server" ID="lblInfo"></asp:Label>
    </div>
    </form>
    </body>
    </html>


    Default.aspx.cs



    using System;
    using System.Threading;
    using System.Web;
    using System.Web.UI;

    public partial class _Default : System.Web.UI.Page

    protected void Page_Load(object sender, EventArgs e)

    if (Page.User.Identity.IsAuthenticated)

    lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
    lblInfo.Text += "<TR><TD>";
    lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
    lblInfo.Text += "<b>" + "Claim Value";
    lblInfo.Text += "</B></TD></TR>";

    foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

    lblInfo.Text += "<TR><TD>";
    lblInfo.Text += claim.Type + "</TD><TD>";
    lblInfo.Text += claim.Value;
    lblInfo.Text += "</TD></TR>";


    lblInfo.Text += "</TABLE>";



    protected void btnLogout_Click(object sender, EventArgs e)

    var ctx = Request.GetOwinContext();
    var authenticationManager = ctx.Authentication;
    authenticationManager.SignOut();




    App_Code/RouteConfig.cs



    using System.Web.Routing;
    using Microsoft.AspNet.FriendlyUrls;

    public class RouteConfig

    public static void RegisterRoutes(RouteCollection routes)

    var settings = new FriendlyUrlSettings();
    settings.AutoRedirectMode = RedirectMode.Permanent;
    routes.EnableFriendlyUrls(settings);




    App_Code/Startup.cs



    using Owin;

    public partial class Startup

    public void Configuration(IAppBuilder app)

    ConfigureAuth(app);




    App_Code/StartupAuth.cs



    using System.Configuration;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;
    using Microsoft.Owin.Extensions;

    public partial class Startup

    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions

    Wtrealm = realm,
    MetadataAddress = adfsMetadata
    );

    app.UseStageMarker(PipelineStage.Authenticate);




    Web.config



    <?xml version="1.0"?>
    <configuration>
    <appSettings>
    <!-- ADFS -->
    <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Wtrealm" value="https://MySite" />
    <!-- ADFS -->
    </appSettings>
    <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5"/>
    <authorization>
    <deny users="?"/>
    <allow users="*"/>
    </authorization>
    <customErrors mode="Off"/>
    </system.web>
    <system.codedom>
    <compilers>
    <compiler language="c#;cs;csharp" extension=".cs"
    type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
    <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
    type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
    </compilers>
    </system.codedom>
    </configuration>


    Update - 2 Jan 2019



    Sorry for this late reply
    I finally had time to look through all your links, thanks they helped me a lot, but i ran into another problem. I Think i've added Encryption correct but now i'm getting this Error:



    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



    D:www_ADFS_SACCK_TEST_Simpel_med_encrypt_signApp_CodeEncryptedSecurityTokenHandlerEx.cs Line: 51



    A lot of sites mentions that it's the thumbprint that causing the problem with some hidden characters at the beginning of the thumbprint, so i've typed it in manually but that didn't helped.



    Does anybody know what the problem can be?



    I changed some of the code so it now looks like this:



    StartupAuth.cs



    using System.Configuration;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;
    using Microsoft.Owin.Extensions;
    using System.Collections.ObjectModel;
    using System.IdentityModel.Tokens;
    using System.Collections.Generic;
    using System.Threading;
    using Microsoft.IdentityModel.Protocols;
    using System.IdentityModel.Selectors;
    using System.Security.Cryptography.X509Certificates;
    using System;

    public partial class Startup

    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
    private static string _SignInAsAuthenticationType = "cookies";
    private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
    //private const string Issuer = "LOCAL AUTHORITY";
    private const string Issuer = "CN = testComp adfs";



    public void ConfigureAuth(IAppBuilder app)

    app.UseCookieAuthentication(new CookieAuthenticationOptions

    AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
    );

    var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
    audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

    var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
    issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)

    Wtrealm = realm,
    MetadataAddress = _MetadataAddress,
    TokenValidationParameters = new TokenValidationParameters

    AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
    ,
    SecurityTokenHandlers = new SecurityTokenHandlerCollection

    new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
    new SamlSecurityTokenHandlerEx

    CertificateValidator = X509CertificateValidator.None,
    Configuration = new SecurityTokenHandlerConfiguration()

    AudienceRestriction = audienceRestriction,
    IssuerNameRegistry = issuerRegistry



    );

    app.UseStageMarker(PipelineStage.Authenticate);





    I've also added two more classes:



    SamlSecurityTokenHandlerEx.cs



     using System.IdentityModel.Tokens;
    using System.IO;
    using System.Security.Claims;
    using System.Xml;

    public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator

    public override bool CanReadToken(string securityToken)

    return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));


    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
    out SecurityToken validatedToken)

    validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
    return new ClaimsPrincipal(ValidateToken(validatedToken)); ;


    public int MaximumTokenSizeInBytes get; set;



    EncryptedSecurityTokenHandlerEx.cs



    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Linq;
    using System.Security.Claims;
    using System.Web;
    using System.Xml;

    public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator

    public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)

    Configuration = new SecurityTokenHandlerConfiguration

    ServiceTokenResolver = securityTokenResolver
    ;


    public override bool CanReadToken(string securityToken)

    return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));


    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)

    validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
    if (ContainingCollection != null)

    return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));

    return new ClaimsPrincipal(base.ValidateToken(validatedToken));


    public int MaximumTokenSizeInBytes get; set;











    share|improve this question


























      0












      0








      0








      2 Jan 2019 - Added an extra question below



      I'm new to ADFS and is developing a site with a ADFS login, I got a basic ADFS login to work but without Encryption and Signing and I need to add that to the login. Do anyone knows how to implement this?
      and what kind og certificate can/should i use and how do i get it?



      This is my code so far:



      Default.aspx







      <html xmlns="http://www.w3.org/1999/xhtml">
      <head runat="server">
      <title></title>
      </head>
      <body>
      <form id="form1" runat="server">
      <div>
      <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
      <asp:Label runat="server" ID="lblInfo"></asp:Label>
      </div>
      </form>
      </body>
      </html>


      Default.aspx.cs



      using System;
      using System.Threading;
      using System.Web;
      using System.Web.UI;

      public partial class _Default : System.Web.UI.Page

      protected void Page_Load(object sender, EventArgs e)

      if (Page.User.Identity.IsAuthenticated)

      lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
      lblInfo.Text += "<b>" + "Claim Value";
      lblInfo.Text += "</B></TD></TR>";

      foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += claim.Type + "</TD><TD>";
      lblInfo.Text += claim.Value;
      lblInfo.Text += "</TD></TR>";


      lblInfo.Text += "</TABLE>";



      protected void btnLogout_Click(object sender, EventArgs e)

      var ctx = Request.GetOwinContext();
      var authenticationManager = ctx.Authentication;
      authenticationManager.SignOut();




      App_Code/RouteConfig.cs



      using System.Web.Routing;
      using Microsoft.AspNet.FriendlyUrls;

      public class RouteConfig

      public static void RegisterRoutes(RouteCollection routes)

      var settings = new FriendlyUrlSettings();
      settings.AutoRedirectMode = RedirectMode.Permanent;
      routes.EnableFriendlyUrls(settings);




      App_Code/Startup.cs



      using Owin;

      public partial class Startup

      public void Configuration(IAppBuilder app)

      ConfigureAuth(app);




      App_Code/StartupAuth.cs



      using System.Configuration;
      using Microsoft.Owin.Security;
      using Microsoft.Owin.Security.Cookies;
      using Microsoft.Owin.Security.WsFederation;
      using Owin;
      using Microsoft.Owin.Extensions;

      public partial class Startup

      private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
      private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

      public void ConfigureAuth(IAppBuilder app)

      app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

      app.UseCookieAuthentication(new CookieAuthenticationOptions());

      app.UseWsFederationAuthentication(
      new WsFederationAuthenticationOptions

      Wtrealm = realm,
      MetadataAddress = adfsMetadata
      );

      app.UseStageMarker(PipelineStage.Authenticate);




      Web.config



      <?xml version="1.0"?>
      <configuration>
      <appSettings>
      <!-- ADFS -->
      <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
      <add key="ida:Wtrealm" value="https://MySite" />
      <!-- ADFS -->
      </appSettings>
      <system.web>
      <compilation debug="true" targetFramework="4.5"/>
      <httpRuntime targetFramework="4.5"/>
      <authorization>
      <deny users="?"/>
      <allow users="*"/>
      </authorization>
      <customErrors mode="Off"/>
      </system.web>
      <system.codedom>
      <compilers>
      <compiler language="c#;cs;csharp" extension=".cs"
      type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
      warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
      type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
      warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
      </compilers>
      </system.codedom>
      </configuration>


      Update - 2 Jan 2019



      Sorry for this late reply
      I finally had time to look through all your links, thanks they helped me a lot, but i ran into another problem. I Think i've added Encryption correct but now i'm getting this Error:



      ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



      D:www_ADFS_SACCK_TEST_Simpel_med_encrypt_signApp_CodeEncryptedSecurityTokenHandlerEx.cs Line: 51



      A lot of sites mentions that it's the thumbprint that causing the problem with some hidden characters at the beginning of the thumbprint, so i've typed it in manually but that didn't helped.



      Does anybody know what the problem can be?



      I changed some of the code so it now looks like this:



      StartupAuth.cs



      using System.Configuration;
      using Microsoft.Owin.Security;
      using Microsoft.Owin.Security.Cookies;
      using Microsoft.Owin.Security.WsFederation;
      using Owin;
      using Microsoft.Owin.Extensions;
      using System.Collections.ObjectModel;
      using System.IdentityModel.Tokens;
      using System.Collections.Generic;
      using System.Threading;
      using Microsoft.IdentityModel.Protocols;
      using System.IdentityModel.Selectors;
      using System.Security.Cryptography.X509Certificates;
      using System;

      public partial class Startup

      private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
      private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
      private static string _SignInAsAuthenticationType = "cookies";
      private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
      //private const string Issuer = "LOCAL AUTHORITY";
      private const string Issuer = "CN = testComp adfs";



      public void ConfigureAuth(IAppBuilder app)

      app.UseCookieAuthentication(new CookieAuthenticationOptions

      AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
      );

      var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
      audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

      var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
      issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

      app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)

      Wtrealm = realm,
      MetadataAddress = _MetadataAddress,
      TokenValidationParameters = new TokenValidationParameters

      AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
      ,
      SecurityTokenHandlers = new SecurityTokenHandlerCollection

      new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
      new SamlSecurityTokenHandlerEx

      CertificateValidator = X509CertificateValidator.None,
      Configuration = new SecurityTokenHandlerConfiguration()

      AudienceRestriction = audienceRestriction,
      IssuerNameRegistry = issuerRegistry



      );

      app.UseStageMarker(PipelineStage.Authenticate);





      I've also added two more classes:



      SamlSecurityTokenHandlerEx.cs



       using System.IdentityModel.Tokens;
      using System.IO;
      using System.Security.Claims;
      using System.Xml;

      public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator

      public override bool CanReadToken(string securityToken)

      return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));


      public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
      out SecurityToken validatedToken)

      validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
      return new ClaimsPrincipal(ValidateToken(validatedToken)); ;


      public int MaximumTokenSizeInBytes get; set;



      EncryptedSecurityTokenHandlerEx.cs



      using System;
      using System.Collections.Generic;
      using System.IdentityModel.Selectors;
      using System.IdentityModel.Tokens;
      using System.IO;
      using System.Linq;
      using System.Security.Claims;
      using System.Web;
      using System.Xml;

      public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator

      public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)

      Configuration = new SecurityTokenHandlerConfiguration

      ServiceTokenResolver = securityTokenResolver
      ;


      public override bool CanReadToken(string securityToken)

      return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));


      public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)

      validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
      if (ContainingCollection != null)

      return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));

      return new ClaimsPrincipal(base.ValidateToken(validatedToken));


      public int MaximumTokenSizeInBytes get; set;











      share|improve this question
















      2 Jan 2019 - Added an extra question below



      I'm new to ADFS and is developing a site with a ADFS login, I got a basic ADFS login to work but without Encryption and Signing and I need to add that to the login. Do anyone knows how to implement this?
      and what kind og certificate can/should i use and how do i get it?



      This is my code so far:



      Default.aspx







      <html xmlns="http://www.w3.org/1999/xhtml">
      <head runat="server">
      <title></title>
      </head>
      <body>
      <form id="form1" runat="server">
      <div>
      <asp:Button runat="server" ID="btnLogout" Text="Log out" OnClick="btnLogout_Click" /><br />
      <asp:Label runat="server" ID="lblInfo"></asp:Label>
      </div>
      </form>
      </body>
      </html>


      Default.aspx.cs



      using System;
      using System.Threading;
      using System.Web;
      using System.Web.UI;

      public partial class _Default : System.Web.UI.Page

      protected void Page_Load(object sender, EventArgs e)

      if (Page.User.Identity.IsAuthenticated)

      lblInfo.Text += "<TABLE border="1" Align="Center" CellSpacing="15" CellPadding = "15" >";
      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += "<b>" + "Claim Type" + "</TD><TD>";
      lblInfo.Text += "<b>" + "Claim Value";
      lblInfo.Text += "</B></TD></TR>";

      foreach (var claim in (Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity).Claims)

      lblInfo.Text += "<TR><TD>";
      lblInfo.Text += claim.Type + "</TD><TD>";
      lblInfo.Text += claim.Value;
      lblInfo.Text += "</TD></TR>";


      lblInfo.Text += "</TABLE>";



      protected void btnLogout_Click(object sender, EventArgs e)

      var ctx = Request.GetOwinContext();
      var authenticationManager = ctx.Authentication;
      authenticationManager.SignOut();




      App_Code/RouteConfig.cs



      using System.Web.Routing;
      using Microsoft.AspNet.FriendlyUrls;

      public class RouteConfig

      public static void RegisterRoutes(RouteCollection routes)

      var settings = new FriendlyUrlSettings();
      settings.AutoRedirectMode = RedirectMode.Permanent;
      routes.EnableFriendlyUrls(settings);




      App_Code/Startup.cs



      using Owin;

      public partial class Startup

      public void Configuration(IAppBuilder app)

      ConfigureAuth(app);




      App_Code/StartupAuth.cs



      using System.Configuration;
      using Microsoft.Owin.Security;
      using Microsoft.Owin.Security.Cookies;
      using Microsoft.Owin.Security.WsFederation;
      using Owin;
      using Microsoft.Owin.Extensions;

      public partial class Startup
      {
          private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
          private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

          public void ConfigureAuth(IAppBuilder app)
          {
              app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

              app.UseCookieAuthentication(new CookieAuthenticationOptions());

              app.UseWsFederationAuthentication(
                  new WsFederationAuthenticationOptions
                  {
                      Wtrealm = realm,
                      MetadataAddress = adfsMetadata
                  });

              app.UseStageMarker(PipelineStage.Authenticate);
          }
      }




      Web.config



      <?xml version="1.0"?>
      <configuration>
      <appSettings>
      <!-- ADFS -->
      <add key="ida:ADFSMetadata" value="https://fs-test.OurServer.me/federationmetadata/2007-06/federationmetadata.xml" />
      <add key="ida:Wtrealm" value="https://MySite" />
      <!-- ADFS -->
      </appSettings>
      <system.web>
      <compilation debug="true" targetFramework="4.5"/>
      <httpRuntime targetFramework="4.5"/>
      <authorization>
      <deny users="?"/>
      <allow users="*"/>
      </authorization>
      <customErrors mode="Off"/>
      </system.web>
      <system.codedom>
      <compilers>
      <compiler language="c#;cs;csharp" extension=".cs"
      type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
      warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
      type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
      warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=&quot;Web&quot; /optionInfer+"/>
      </compilers>
      </system.codedom>
      </configuration>


      Update - 2 Jan 2019



      Sorry for this late reply
      I finally had time to look through all your links, thanks, they helped me a lot, but I ran into another problem. I think I've added encryption correctly but now I'm getting this error:



      ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



      D:www_ADFS_SACCK_TEST_Simpel_med_encrypt_signApp_CodeEncryptedSecurityTokenHandlerEx.cs Line: 51



      A lot of sites mention that it's the thumbprint that's causing the problem, with some hidden characters at the beginning of the thumbprint, so I've typed it in manually but that didn't help.



      Does anybody know what the problem can be?



      I changed some of the code so it now looks like this:



      StartupAuth.cs



      using System.Configuration;
      using Microsoft.Owin.Security;
      using Microsoft.Owin.Security.Cookies;
      using Microsoft.Owin.Security.WsFederation;
      using Owin;
      using Microsoft.Owin.Extensions;
      using System.Collections.ObjectModel;
      using System.IdentityModel.Tokens;
      using System.Collections.Generic;
      using System.Threading;
      using Microsoft.IdentityModel.Protocols;
      using System.IdentityModel.Selectors;
      using System.Security.Cryptography.X509Certificates;
      using System;

      public partial class Startup
      {
          private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
          private static string _MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
          private static string _SignInAsAuthenticationType = "cookies";
          // Thumbprint of the ADFS token-signing certificate (SHA-1 hex, as shown in the certificate dialog)
          private const string SigningCertThumbprint = "d25xxxxxxxxxxxxxxxxxxxxxxxxxxxxf89";
          //private const string Issuer = "LOCAL AUTHORITY";
          private const string Issuer = "CN = testComp adfs";

          public void ConfigureAuth(IAppBuilder app)
          {
              app.UseCookieAuthentication(new CookieAuthenticationOptions
              {
                  AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
              });

              // Only accept tokens addressed to this relying party
              var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
              audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

              // Maps the signing certificate thumbprint to an issuer name; an unknown thumbprint raises ID4175
              var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
              issuerRegistry.AddTrustedIssuer(SigningCertThumbprint, Issuer);

              app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions(WsFederationAuthenticationDefaults.AuthenticationType)
              {
                  Wtrealm = realm,
                  MetadataAddress = _MetadataAddress,
                  TokenValidationParameters = new TokenValidationParameters
                  {
                      AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
                  },
                  SecurityTokenHandlers = new SecurityTokenHandlerCollection
                  {
                      // Decrypts the token with the relying party's private key from the machine store
                      new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
                      new SamlSecurityTokenHandlerEx
                      {
                          // No chain or revocation check on the signing certificate;
                          // the thumbprint in the issuer registry is then the only trust anchor
                          CertificateValidator = X509CertificateValidator.None,
                          Configuration = new SecurityTokenHandlerConfiguration()
                          {
                              AudienceRestriction = audienceRestriction,
                              IssuerNameRegistry = issuerRegistry
                          }
                      }
                  }
              });

              app.UseStageMarker(PipelineStage.Authenticate);
          }
      }





      I've also added two more classes:



      SamlSecurityTokenHandlerEx.cs



      using System.IdentityModel.Tokens;
      using System.IO;
      using System.Security.Claims;
      using System.Xml;

      public class SamlSecurityTokenHandlerEx : SamlSecurityTokenHandler, ISecurityTokenValidator
      {
          public override bool CanReadToken(string securityToken)
          {
              return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
          }

          public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
              out SecurityToken validatedToken)
          {
              // Parse the SAML 1.1 token, then run the configured signature, audience and issuer checks
              validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
              return new ClaimsPrincipal(ValidateToken(validatedToken));
          }

          public int MaximumTokenSizeInBytes { get; set; }
      }



      EncryptedSecurityTokenHandlerEx.cs



      using System;
      using System.Collections.Generic;
      using System.IdentityModel.Selectors;
      using System.IdentityModel.Tokens;
      using System.IO;
      using System.Linq;
      using System.Security.Claims;
      using System.Web;
      using System.Xml;

      public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator
      {
          public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver)
          {
              Configuration = new SecurityTokenHandlerConfiguration
              {
                  ServiceTokenResolver = securityTokenResolver
              };
          }

          public override bool CanReadToken(string securityToken)
          {
              return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));
          }

          public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
          {
              // Decrypt the outer EncryptedData; the inner token is validated by the containing collection
              validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
              if (ContainingCollection != null)
              {
                  return new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken));
              }
              return new ClaimsPrincipal(base.ValidateToken(validatedToken));
          }

          public int MaximumTokenSizeInBytes { get; set; }
      }








      adfs
      edited Jan 2 at 14:24
      tom S
      asked Nov 12 '18 at 8:10
      tom S
          1 Answer
          On the ADFS side, you just add the certs to the wizard under the signing and encryption tabs.



          On the client, here's a good example.



          For testing you can use a self-signed certificate.



          Going forward, you need to buy one from e.g. GoDaddy or get a free one from "Let's Encrypt".



          Good ADFS development documentation here.



          Sample using the OWIN WS-Fed stack.



          Or an older sample using WIF.



          Note these are for Azure AD but the principles are the same.
          • Hi nzpcmad, thanks, will take a look at the links, hopefully I can get it to work. :)

            – tom S
            Nov 14 '18 at 7:30











          • Anybody know why I'm getting this error now? ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

            – tom S
            Jan 3 at 7:53











          • Usually, because the thumbprint from your web.config does match the thumbprint of your token signing certificate. Sometimes you get extra characters when copying from the certificate. So copy from the certificate, paste into Notepad and then copy/paste into the web.config (assuming you are using WIF).

            – nzpcmad
            Jan 5 at 5:05











          • To be sure, I checked the thumbprint against the ADFS server and it is the correct one. I also checked for the hidden characters and removed them, and to be sure I also tried to type the thumbprint in manually, which didn't help either.

            – tom S
            Jan 7 at 9:37
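The ID4175 error from the question and the thumbprint mismatch discussed in the comments can be checked offline. The script below is an added example, not code from the question or the answer: it normalizes the thumbprint that would be passed to AddTrustedIssuer() (dropping spaces and invisible format characters such as the U+200E mark the Windows certificate dialog often prepends) and compares it with the SHA-1 thumbprints of every token-signing certificate published in the federation metadata. The metadata document, the entityID and the certificate bytes are constructed placeholders, not a real ADFS server or certificate.

```python
import base64
import hashlib
import re
import unicodedata
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespaces used in ADFS federation metadata (SAML 2.0 metadata + XML-DSig).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_thumbprint(raw: str) -> Tuple[str, List[str]]:
    """Return (cleaned upper-case thumbprint, hidden characters that were removed).

    The certificate dialog copies the thumbprint with spaces and often with an
    invisible U+200E LEFT-TO-RIGHT MARK in front. Pasted into a C# constant or
    web.config, that mark makes the registered value never equal the real
    certificate thumbprint, which surfaces as ID4175.
    """
    hidden, kept = [], []
    for ch in raw:
        if ch in " \t\r\n:-":                               # visible separators people copy or type
            continue
        if unicodedata.category(ch) in ("Cf", "Cc", "Zs"):  # format/control/other space characters
            hidden.append("U+%04X" % ord(ch))
            continue
        kept.append(ch)
    return "".join(kept).upper(), hidden


def signing_thumbprints(metadata_xml: str) -> List[str]:
    """SHA-1 thumbprints (hex, as Windows shows them) of every token-signing
    certificate in the metadata. ADFS publishes two during certificate
    rollover, so all of them are returned."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' attribute means both uses
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def check_trusted_issuer(configured: str, metadata_xml: str) -> Dict[str, object]:
    """Diagnose whether the configured thumbprint will match the issuer's signing certificate."""
    thumb, hidden = normalize_thumbprint(configured)
    published = signing_thumbprints(metadata_xml)
    if not HEX40.match(thumb):
        problem = "not a 40-digit hex SHA-1 thumbprint"
    elif thumb not in published:
        problem = "no published token-signing certificate has this thumbprint (rolled over?)"
    elif hidden:
        problem = "matches only after removing hidden characters %s; strip them from the config" % hidden
    else:
        problem = None
    return {"configured": thumb, "published": published, "hidden_chars": hidden,
            "matches": problem is None, "problem": problem}


# Constructed sample data: NOT a real certificate or ADFS server. A thumbprint is
# just SHA-1 over the certificate's DER bytes, so any byte string demonstrates the check.
FAKE_SIGNING_DER = b"constructed-sample-token-signing-certificate-bytes"
GOOD_THUMBPRINT = hashlib.sha1(FAKE_SIGNING_DER).hexdigest().upper()
SAMPLE_METADATA = """<EntityDescriptor xmlns="%s" entityID="http://fs-test.example.invalid/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><KeyInfo xmlns="%s"><X509Data>
      <X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="%s"><X509Data>
      <X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>""" % (MD_NS, DS_NS, base64.b64encode(FAKE_SIGNING_DER).decode(),
                         DS_NS, base64.b64encode(b"constructed-encryption-cert").decode())

if __name__ == "__main__":
    # A value as copied from the certificate dialog: leading U+200E, spaces, lower case.
    pasted = "\u200e" + " ".join(GOOD_THUMBPRINT.lower()[i:i + 2] for i in range(0, 40, 2))
    print(check_trusted_issuer(pasted, SAMPLE_METADATA)["problem"])
    print(check_trusted_issuer(GOOD_THUMBPRINT, SAMPLE_METADATA)["matches"])   # True
```

Against a real deployment, replace SAMPLE_METADATA with the document fetched from the ida:ADFSMetadata URL in Web.config and the configured value with the SigningCertThumbprint constant.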
          answered Nov 12 '18 at 18:21
          nzpcmad