SharePoint 2010 Trusted Identity Token Issuer Error
I was setting up SharePoint to use Federated Authentication using Azure Access Control Service (ACS) when it ran into an error. After checking the SharePoint logs I ran into the following lines:
07/15/2011 10:23:36.54 w3wp.exe (0x1670) 0x0C60 SharePoint Foundation Claims Authentication eu2n Monitorable Trusted login provider ‘Public Account’ is not sending configured input identity claim type ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’
07/15/2011 10:23:36.54 w3wp.exe (0x1670) 0x0C60 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (SPSecurityTokenService.GetTokenLifetime()). Execution Time=125,240686737495
07/15/2011 10:23:36.56 w3wp.exe (0x1670) 0x0C60 SharePoint Foundation Claims Authentication fo1t Monitorable SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest() at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityT…
07/15/2011 10:23:36.56* w3wp.exe (0x1670) 0x0C60 SharePoint Foundation Claims Authentication fo1t Monitorable …oken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)
Also the event viewer returned the following error:
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 15-7-2011 10:23:36
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Keywords:
User: DOMAIN\user
Computer: sharepoint.domain.local
Description:
An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm..
Quite obviously, when I select Windows Live ID it doesn’t return the expected claim type, namely http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
Solution
In Azure ACS you can set what type of data is retrieved and also what type it returns. The Windows Live ID Identity Provider doesn’t support email address as a claim type; however, you can map the only available input claim type to any other type that you use to validate the incoming claim in SharePoint.
My SharePoint environment is set up to allow validation through emailaddress. I’ll have to map the ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier’ claim type to the ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’ claim type as shown below.
- Navigate to your Azure ACS URL (https://<ServiceNamespace>.accesscontrol.windows.net/v2/mgmt/web)
- Click Rule groups
- Click the Rule group that is used by your SharePoint environment
- Click on the only entry with Windows Live ID as Claim Issuer
- Check Select Type in the Then section and select the proper claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) that SharePoint is expecting
- Click Save and check the results
Now try to log in to your SharePoint environment with the Windows Live ID and it should work flawlessly.
One thing to note is that the login name is an odd string of characters instead of a nicely structured email address. Unfortunately there is no way of getting a nice looking login name using Windows Live ID as there is no other option than returning the nameidentifier. This seems kind of odd since it’s a Microsoft product and the most restricted Identity provider is also from Microsoft. I hope that Microsoft will add other options soon.
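As an added example (not part of the original post), the behaviour behind the steps above and the login-name caveat, simulated in Python: ACS applies each rule only to tokens from the rule's claim issuer and passes the input value through under the output claim type, and SharePoint then checks for its configured input identity claim type. The issuer name `uri:WindowsLiveID`, the rule model and the claim value are constructed sample data, not ACS or SharePoint code.

```python
"""Simulate an ACS rule group and SharePoint's input identity claim check."""
from dataclasses import dataclass

NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


@dataclass(frozen=True)
class Rule:
    """One passthrough rule: if `issuer` sends `in_type`, emit `out_type` with the same value."""
    issuer: str
    in_type: str
    out_type: str


def apply_rules(issuer, claims, rules):
    """Return the claims ACS would issue for a token received from `issuer`."""
    out = {}
    for rule in rules:
        # A rule is scoped to its claim issuer, so another IdP's nameidentifier
        # is never relabelled as this farm's emailaddress claim.
        if rule.issuer == issuer and rule.in_type in claims:
            out[rule.out_type] = claims[rule.in_type]
    return out


def validate_trusted_login(output_claims, identity_claim_type):
    """SharePoint side: the configured input identity claim type must be present."""
    if identity_claim_type not in output_claims:
        raise ValueError("The trusted login provider did not supply a token accepted by this farm.")
    return output_claims[identity_claim_type]


def try_login(issuer, claims, rules, identity_claim_type=EMAIL):
    """Return ("ok", login_name) or ("fault", message), mirroring the ULS outcome."""
    try:
        return "ok", validate_trusted_login(apply_rules(issuer, claims, rules), identity_claim_type)
    except ValueError as exc:
        return "fault", str(exc)


# Constructed sample: Windows Live ID only ever sends an opaque nameidentifier.
LIVE_ID = "uri:WindowsLiveID"  # assumed issuer name for this simulation
LIVE_CLAIMS = {NAMEID: "a1b2c3d4-constructed-opaque-id"}

BEFORE = [Rule(LIVE_ID, NAMEID, NAMEID)]  # plain passthrough: emailaddress never appears
AFTER = [Rule(LIVE_ID, NAMEID, EMAIL)]    # the fix from the post: nameidentifier -> emailaddress

if __name__ == "__main__":
    print("before:", try_login(LIVE_ID, LIVE_CLAIMS, BEFORE))
    print("after: ", try_login(LIVE_ID, LIVE_CLAIMS, AFTER))  # login name is the opaque id, not an email
```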
