April 23, 2018

SharePoint: Yet another reason for ‘The issuer of the token is not a trusted issuer’

Problem

I was creating a custom STS, and no matter what I did, I always got the very common ‘The issuer of the token is not a trusted issuer’ error after successfully authenticating and being redirected back to SharePoint.

Full error:

Application error when access /sites/somesite/_layouts/15/Authenticate.aspx, Error=The issuer of the token is not a trusted issuer. 
  at Microsoft.SharePoint.IdentityModel.SPLocalIssuerNameRegistry.GetIssuerName(SecurityToken securityToken, String requestedIssuerName)   
  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)   
  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)   
  at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)   
  at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)   
  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)   
  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   
  at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)   
  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Solution

Or rather, one of the many solutions to this generic error was to redirect users to the correct address in SharePoint after authentication. In my code, scope.ReplyToAddress ended up being something like

/sites/somesite/_layouts/15/Authenticate.aspx?Source=/sites/somesite.

which was obviously wrong, as replies need to go to /_trust/, so instead using

/_trust/default.aspx

as the reply address fixed the issue.

And, since we’re talking about SharePoint, it doesn’t automatically include the wreply parameter in the authentication flow, so enable it in your Trusted Identity Token Issuer properties like this:

# Load the trusted identity token issuer by its display name
$ap = Get-SPTrustedIdentityTokenIssuer -Identity "STS-Dev"
# Make SharePoint send wreply (the /_trust/ reply address) with the sign-in request
$ap.UseWReplyParameter=$true
$ap.Update()

So finally, in your custom STS’s GetScope method, you can just do:

scope.ReplyToAddress = request.ReplyTo;
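As an added example (not the post's own STS code), here is a GetScope override that honours request.ReplyTo only when it points at a known SharePoint /_trust/ endpoint; wreply arrives from the client, and an STS that reflects it verbatim will post a signed token to whatever address it was given. It assumes the WIF 3.5 namespaces (Microsoft.IdentityModel) seen in the stack trace, and the TrustedReplyHosts list and DefaultReplyTo value are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Constructed allowlist (assumption): hosts of the SharePoint web
    // applications this STS may post tokens to. Load these from config in practice.
    private static readonly HashSet<string> TrustedReplyHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "sharepoint.example.com" };

    // Constructed fallback (assumption): the /_trust/ endpoint used when no
    // acceptable wreply was supplied, e.g. when UseWReplyParameter is not set.
    private const string DefaultReplyTo = "https://sharepoint.example.com/_trust/default.aspx";

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // wtrealm / AppliesTo names the relying party the token is issued for
        // (for SharePoint this is often a URN such as urn:sharepoint:somesite).
        string realm = request.AppliesTo.Uri.AbsoluteUri;
        var scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // SharePoint consumes an unencrypted SAML 1.1 token

        // Reflect the client-supplied wreply only when it targets a trusted /_trust/ endpoint.
        scope.ReplyToAddress = IsTrustedReplyTo(request.ReplyTo) ? request.ReplyTo : DefaultReplyTo;
        return scope;
    }

    // True only for an absolute https URL on an allowlisted host under /_trust/.
    public static bool IsTrustedReplyTo(string replyTo)
    {
        Uri uri;
        if (string.IsNullOrEmpty(replyTo) || !Uri.TryCreate(replyTo, UriKind.Absolute, out uri))
            return false;
        return uri.Scheme == Uri.UriSchemeHttps
            && TrustedReplyHosts.Contains(uri.Host)
            && uri.AbsolutePath.StartsWith("/_trust/", StringComparison.OrdinalIgnoreCase);
    }
}
```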
