I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.
I have searched through the forums but in my case I don't get any more detail on the error and do not know how to proceed and fix this.
My STS is currently in beta and can be reached here: metadata.
If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.
Note: The case is different from the similar question found here since my inner exception details do not suggest any reason.
UPDATE: check the discussion in this thread for some additional information and the payloads I extracted from Fiddler.
Thanks in advance,
Constantinos
I finally figured this out with the help of MS support on Azure.
It seems that the "ACS50008: SAML token is invalid" error is quite generic and usually there is more information in an inner exception that does not end up on the error screen. Why this happens is still a mystery for me.
So for anyone that happens to be in my position, I nailed down two possible reasons for this to happen.

<saml:Conditions NotBefore="...." NotOnOrAfter="....">

If that's the case you may try to set the lifetime from (now - a buffer time such as 5 minutes) to now + 1 hour.

Microsoft.Cloud.AccessControl.Common.Diagnostics.SignInException : ACS20001: An error occurred while processing a WS-Federation sign-in response.
Microsoft.Cloud.AccessControl.Common.Diagnostics.ServiceException : ACS50008: SAML token is invalid.
Microsoft.IdentityModel.SecurityTokenService.IssuerNameNotSupportedException : Principal with name 'https://login.mydomain.com/' is not a known principal.
In my case the principal name should not contain the forward slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!
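The two causes described in this answer (a token whose Conditions window does not cover the current time once clock skew is considered, and an issuer name that does not exactly match the principal ACS has on file) can both be caught on the STS side before a token is ever sent to ACS. The following is an added example, not code from the original post or from ACS; it is a standard-library Python pre-flight check that parses a constructed SAML 1.1 or 2.0 assertion, applies a skew-tolerant lifetime check, and compares the issuer against a configured list of known principals, reporting separately when the only difference is a trailing slash or letter case. It assumes the names `check_assertion`, `build_conditions` and `normalize_issuer`, which are illustrative and not part of any ACS or WIF API; signature verification is out of scope here and would still be done by the receiving party.

```python
"""Added example (not from the original post): STS-side pre-flight checks for a
SAML assertion against the two ACS50008 causes discussed above. Sample data is
constructed. Signature validation is deliberately not covered."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_time(value):
    # SAML timestamps are ISO 8601 in UTC; drop fractional seconds (.NET emits 7
    # digits) and map the trailing 'Z' to an offset fromisoformat understands.
    value = re.sub(r"\.\d+", "", value.strip())
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def normalize_issuer(name):
    # ACS treated 'https://login.mydomain.com/' and 'https://login.mydomain.com'
    # as different principals; this form is only used to produce a better hint.
    return name.strip().rstrip("/").lower()


def build_conditions(now):
    # The lifetime suggested in the answer: a 5 minute backdated NotBefore to
    # absorb clock skew, and NotOnOrAfter one hour after issuance.
    return ((now - timedelta(minutes=5)).strftime(TIME_FMT),
            (now + timedelta(hours=1)).strftime(TIME_FMT))


def _issuer(root):
    # SAML 1.1 carries Issuer as an attribute on <Assertion>;
    # SAML 2.0 carries it as a child <Issuer> element.
    if root.tag == "{%s}Assertion" % NS["saml1"]:
        return root.get("Issuer")
    if root.tag == "{%s}Assertion" % NS["saml2"]:
        el = root.find("saml2:Issuer", NS)
        return el.text if el is not None else None
    return None


def check_assertion(xml_text, known_principals, now=None, skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    root = ET.fromstring(xml_text)  # expat does not fetch external entities
    now = now or datetime.now(timezone.utc)

    issuer = _issuer(root)
    if issuer is None:
        problems.append("assertion carries no issuer")
    elif issuer not in known_principals:
        # Exact match is what ACS requires; a normalized match means the fix is
        # a trailing slash or casing difference, as in the answer above.
        if normalize_issuer(issuer) in {normalize_issuer(p) for p in known_principals}:
            problems.append("issuer %r differs from a known principal only by "
                            "trailing slash or letter case" % issuer)
        else:
            problems.append("issuer %r is not a known principal" % issuer)

    cond = root.find("saml1:Conditions", NS)
    if cond is None:
        cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and _parse_time(not_before) > now + skew:
            problems.append("NotBefore %s is in the future beyond the skew allowance" % not_before)
        if not_on_or_after and _parse_time(not_on_or_after) <= now - skew:
            problems.append("NotOnOrAfter %s has already passed" % not_on_or_after)
    return problems


# Constructed SAML 1.1 assertion template; the issuer value mirrors the answer.
SAMPLE_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-id"
    Issuer="{issuer}" IssueInstant="2013-05-01T11:59:00Z">
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://relying-party.example/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def make_token(issuer, nb, noa):
    return SAMPLE_TEMPLATE.format(issuer=issuer, nb=nb, noa=noa)


if __name__ == "__main__":
    now = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)
    known = ["https://login.mydomain.com"]
    nb, noa = build_conditions(now)
    for issuer in ("https://login.mydomain.com/", "https://login.mydomain.com"):
        print(issuer, "->", check_assertion(make_token(issuer, nb, noa), known, now=now))
```

Run as a script it reports the trailing-slash mismatch for the first issuer and an empty problem list for the corrected one; `build_conditions` can be used as-is when issuing, and `check_assertion` as a last gate before the token leaves the STS.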