AD FS 2.0 Event 206: "The Federation Service could not fulfill the token-issuance request"

Question

I am getting a strange error from ADFS 2.0 event Log as follows:

---

"The Federation Service could not fulfill the token-issuance request because the relying party 'https://my-relying-party' is missing a WS-Federation Passive endpoint address.

Relying party: https://my-relying-party

This request failed.

User Action

Use the AD FS 2.0 Management snap-in to configure a WS-Federation Passive endpoint on this relying party."

---

This happens after SAML response is verified successfully by ADFS 2.0 but apparently fails to issue a token for the relying party application.

I configured in ADFS 2.0 both IDP and SP as SAML 2.0 so I don't understand why is WS-Federation endpoint is expected?

Any help will be appreciated.

Answer 1

The integration between your SAML 2.0 SP (ADFSv2) and your RP Application is done via WS-Federation Passive Requester Profile. So you'll need to setup your application to receive the WS-Fed Response and parse it appropriately. You'll also have to configure ADFSv2 to generate this message as well (per the error message you received).

Hope this helps - Ian

Answer 2

Is your web application talking the WS-Federation protocol or the SAML protocol (SAML-P)? If your web application is based on WIF, then you are using WS-Federation. Note that both protocols use SAML tokens.

If your application talks the WS-Federation protocol, then in your AD FS Relying Party Trust you need to set the WS-Federation endpoint(s). If it talks the SAML protocol, you need to set the SAML protocol endpoint(s).

Based on your error message, your application probably talks WS-Federation, therefore you need to set the WS-Federation endpoint.

Answer 3

add ws-federation passive reference manually or in federation file will solve the problem.

Please let me know if you need detail guidance.

Answer 4

You need to add the web application url to the endpoints in the properties of you relying party.