WS Fed auth on IIS setup

Afternoon all. Stuck testing out WS Fed on my lab instance against our WSFed production domain. We’ve got all the documented steps working. I get my login page on the dashboard, put in my creds, then I get sent to an error 500 page that is at “https://site.domain.com/signin-wsfed” (dummy site name substituted). I have been scratching my head at this one all day and cannot seem to figure it out. Seems like I might be missing either some configuration on the dashboard or IIS itself. I’ve even simplified it to a simple one page dashboard to take out all the extra junk, with no change.

Hi @dcherry88,

Could you share your auth policies and possibly the UD logs?

Enable-UDLogging -Level Debug -FilePath %somepath%

The log is too large, it appears, to attach as code, and work policy prevents me from using a place like pastebin.

Here is the UD code for the page.

$auth = @()
# WS-Fed method: MetadataAddress points at the STS federation metadata,
# Wtrealm is the relying-party identifier this site sends to the STS
$auth += New-UDAuthenticationMethod -MetadataAddress 'https://sts.domain.org/federationmetadata/2007-06/federationmetadata.xml' -Wtrealm 'https://wfa.domain.com'
$LoginPage = New-UDLoginPage -AuthenticationMethod $auth
$page = New-UDPage -Name 'testpage' -Content {
    New-UDParagraph -Text "Stuff"
}
# Write the UD log next to the site under IIS
Enable-UDLogging -FilePath C:\inetpub\WFAPortal\udlog.log
$dashboard = New-UDDashboard -LoginPage $LoginPage -Title "Automation Portal" -Pages $page
Start-UDDashboard -Wait -AllowHttpForLogin -Dashboard $dashboard -AdminMode

I did find this in the log right after attempting login. My googling did not yield much info.

10:04:35 [Info] Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler WsFederation was not authenticated. Failure message: Not authenticated
10:04:35 [Info] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService Authorization failed.
10:04:35 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.

As well as this:

10:04:45 [Error] Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler Exception occurred while processing message.
10:04:45 [Info] Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler Error from RemoteAuthentication: IDX10214: Audience validation failed. Audiences: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Did not match: validationParameters.ValidAudience: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' or validationParameters.ValidAudiences: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'..
10:04:45 [Error] Microsoft.AspNetCore.Server.Kestrel Connection id "0HLVD2V53SJL6", Request id "0HLVD2V53SJL6:00000006": An unhandled exception was thrown by the application.

I just realized this was never properly tagged for the Universal Dashboard Help topics. If a mod is able to flag it, I would appreciate it for visibility.

Done. Can you also share some of your WS Fed settings? The fact that this is being logged makes me wonder if there is some sort of mismatch:

10:04:45 [Info] Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler Error from RemoteAuthentication: IDX10214: Audience validation failed. Audiences:

I don’t have direct access to the federated settings. Is there a specific page I should get from my technical contact? We utilized the documentation page for configuration.

I’d mostly just be curious of the info in the screenshots here: https://docs.universaldashboard.io/security/authentication/ws-federation

I just know that WS-Fed is super picky and I had issues with a missing / that prevented it from working.
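An added diagnostic for the IDX10214 line quoted earlier in the thread (my own script, not Universal Dashboard's code): it reproduces the literal, ordinal string comparison the token validator applies to the audience, so it shows whether a near-miss such as a trailing slash or a case difference is why the identifier the STS issues never matches the value given to -Wtrealm. The sample values below are constructed; the thread's real ones are hidden behind the PII placeholder in the log.

```powershell
# Mimic the audience check behind IDX10214: an audience in the token must equal
# the configured Wtrealm exactly, otherwise the sign-in fails at /signin-wsfed.
function Test-WsFedAudience {
    param(
        [Parameter(Mandatory)][string]$Wtrealm,         # value passed to -Wtrealm
        [Parameter(Mandatory)][string[]]$TokenAudiences # audiences the STS put in the token
    )
    foreach ($aud in $TokenAudiences) {
        if ([string]::Equals($aud, $Wtrealm, [StringComparison]::Ordinal)) {
            return [pscustomobject]@{ Match = $true; Audience = $aud; Reason = 'exact match' }
        }
    }
    # No exact match: classify each audience so the required change is obvious.
    $reasons = foreach ($aud in $TokenAudiences) {
        $a = $aud.TrimEnd('/')
        $w = $Wtrealm.TrimEnd('/')
        if ($a -ceq $w) {
            "'$aud' differs from Wtrealm only by a trailing slash"
        } elseif ($a -ieq $w) {
            "'$aud' differs from Wtrealm only by letter case"
        } elseif (([uri]$aud).Host -ieq ([uri]$Wtrealm).Host) {
            "'$aud' has the same host as Wtrealm but a different scheme or path"
        } else {
            "'$aud' is a different identifier entirely"
        }
    }
    [pscustomobject]@{ Match = $false; Audience = $null; Reason = ($reasons -join '; ') }
}

# Constructed sample: the dashboard sends the realm without a slash, while the
# relying-party trust at the STS was registered with one (hypothetical values).
$wtrealm   = 'https://wfa.domain.com'
$audiences = @('https://wfa.domain.com/')

Test-WsFedAudience -Wtrealm $wtrealm -TokenAudiences $audiences | Format-List
```

To use it against a real failure, set the IdentityModel PII switch described at the aka.ms link in the log (in a lab only) so the hidden audience values become visible, then feed those strings in.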

Here are the pics I got. My test site doesn’t live on any special port assignments, just straight 443 so we didn’t specify that.

[Screenshot: Identifiers]

I kind of let this drop off my radar due to other important things, but I am still attempting to get this to work. If there are plans for better integration in PowerShell Universal, I’m willing to wait it out I suppose.

We are planning for better integration in PSU. I can get the UD code ported in for 1.2 (out next week) and then we can go from there. It will be much easier to debug if we use PSU. After we have the basics in, I’m happy to jump on a call and see if we can get this figured out.

That sounds fine with me. I can continue on other work in the meantime.

I just got this working for PSU 1.2. I’ve also introduced some enhanced logging to provide additional information when the WS-Fed configuration isn’t quite right. It’s extremely picky when it comes to URLs and stuff.

I’m excited to try out 1.2 then! :smiley:


Hey Adam, I’m finally revisiting this since you are now well past 1.2. I was looking over the docs page on WS-Fed, and I’ve set the application.json settings, but I’m not sure I’m following where the code snippet on the docs page comes into play toward the bottom. Should this go into the Authentication script on the Security section?