ADFS 3.0 and Azure

I have installed a load-balanced set of VMs, both ADFS 3.0 and Web Proxy, in the Azure cloud.  I have an existing virtual VPN gateway back to my infrastructure running.  Everything runs fine and I can hit the metadata.xml file from any browser internally and externally.  When I try to add the metadata.xml file to third-party applications they error out about authentication or error opening connection.  I figure if I can hit the metadata.xml file from a browser these applications should hit it.  Any suggestions?  Thanks
gisi2100Asked:

btanExec ConsultantCommented:
First off, the 3rd party apps should reach your AD FS server's metadata URL e.g. https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml but fail as the relying party trust is not established yet. See the MS test lab use case:
5. To configure claimapp to work with your federation server, do the following:
Run FedUtil.exe, which is located in C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5.

Set the application configuration location to C:\inetpub\claimapp\web.config and set the application URI to the URL for your site, https://webserv1.contoso.com/claimapp/. Click Next.

Select Use an existing STS and browse to your AD FS server's metadata URL https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml. Click Next.

Select Disable certificate chain validation, and then click Next.

Select No encryption, and then click Next. On the Offered claims page, click Next.

Select the check box next to Schedule a task to perform daily WS-Federation metadata updates. Click Finish.

Your sample application is now configured. If you test the application URL https://webserv1.contoso.com/claimapp, it should redirect you to your federation server. The federation server should display an error page because you have not yet configured the relying party trust. In other words, you have not secured this test application by AD FS.

You must now secure your sample application that runs on your web server with AD FS. You can do this by adding a relying party trust on your federation server (ADFS1).
https://technet.microsoft.com/en-us/library/dn280939.aspx

Probably the next step is to follow on to "Create a relying party trust on your federation server" and check that a valid SSL certificate in the computer certificate store for the third party contains the name of their web server; in the example above, claimapp (the "3rd party") has an SSL cert whose CN maps and binds to webserv1.contoso.com.
gisi2100Author Commented:
Are you saying download their SSL cert from the third-party vendor and add it to Third Party Root Cert Auth?
gisi2100Author Commented:
Update on Error

details = Unable to register idp
Error in registering Idp for account id
Error in parasing Idp metadata form url "https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml"
Exception: peer not authenticated
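"Peer not authenticated" is the wording Java-based HTTP clients use when the TLS certificate chain or hostname check fails on the caller's side, which is why a browser on a different machine succeeding proves nothing. The script below is an added example, not code from the thread or from Microsoft: it fetches the metadata with full certificate validation and classifies the failure (chain/hostname rejection versus unreachable versus HTTP error), then parses the document to list the signing certificate, the SAML and WS-Federation endpoints, and whether the names inside the metadata match the host it was fetched from. The last check matters because a relying party will redirect users to the entityID/endpoint host and validate that certificate too; in the thread the metadata may be served under a cloudapp.net name while the federation service name inside it is different. The sample metadata document, the hostnames adfs.contoso.com and myadfs.cloudapp.net, and the certificate placeholder are all constructed for the example.

```python
"""Diagnose why a relying party cannot consume an AD FS federation metadata URL.

Added example (not from the thread or Microsoft).  Two things must hold for a
third party to consume https://<adfs-host>/federationmetadata/2007-06/federationmetadata.xml:

1. The caller's own TLS trust store must validate the chain and hostname the
   AD FS server / Web Application Proxy presents ("peer not authenticated").
2. The names inside the metadata (entityID, SSO / passive endpoints) must be
   the externally reachable federation service name, because the relying party
   redirects to them and validates that certificate as well.
"""
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed minimal AD FS-style metadata (not a real document); the
# certificate body is a placeholder, not a real X.509 blob.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.contoso.com/adfs/services/trust">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://adfs.contoso.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fetch_metadata(url, cafile=None, timeout=10):
    """Fetch with chain + hostname validation; return (status, detail).

    cafile lets you test with the exact CA bundle the third-party host uses,
    which is what decides whether it trusts the AD FS / proxy certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verify_mode=CERT_REQUIRED, check_hostname=True
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return "ok", resp.read()
    except urllib.error.HTTPError as e:            # TLS fine, server answered with an error
        return "http_error", "%d %s" % (e.code, e.reason)
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            # Same failure class the third party reports as "peer not authenticated"
            return "tls_verify_failed", e.reason.verify_message
        if isinstance(e.reason, ssl.SSLError):
            return "tls_error", str(e.reason)
        return "unreachable", str(e.reason)        # refused / DNS / route (proxy, VPN, firewall)
    except OSError as e:
        return "unreachable", str(e)


def parse_metadata(xml_bytes):
    """Extract what a relying party needs from a federation metadata document."""
    root = ET.fromstring(xml_bytes)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for c in kd.iter("{%s}X509Certificate" % NS["ds"]):
            if c.text:
                certs.append(c.text.strip())
    endpoints = [e.get("Location") for e in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    for ep in root.iterfind(".//fed:PassiveRequestorEndpoint", NS):
        for addr in ep.iter("{%s}Address" % NS["wsa"]):
            if addr.text:
                endpoints.append(addr.text.strip())
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "signing_certs": certs,
        "endpoints": endpoints,
    }


def name_consistency(url, meta):
    """Return entityID/endpoint URLs whose host differs from the fetched host."""
    host = (urlparse(url).hostname or "").lower()
    mismatched = []
    for loc in [meta["entity_id"]] + meta["endpoints"]:
        h = urlparse(loc).hostname
        if h and h.lower() != host:
            mismatched.append(loc)
    return mismatched


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml"
    status, detail = fetch_metadata(url, cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("fetch:", status, "" if status == "ok" else detail)
    meta = parse_metadata(detail if status == "ok" else SAMPLE_METADATA)
    print("entityID:", meta["entity_id"], "| signed:", meta["signed"],
          "| signing certs:", len(meta["signing_certs"]), "| endpoints:", meta["endpoints"])
    for loc in name_consistency(url, meta):
        print("WARNING: host in", loc, "differs from the fetched host; the RP must trust that name too")
```

Run it from the third-party host (or with its CA bundle as the second argument) rather than from your workstation: a `tls_verify_failed` result with a message such as "unable to get local issuer certificate" means the chain is not in that caller's trust store, "Hostname mismatch" means the certificate's SAN does not cover the name in the URL, and `unreachable` points at the proxy, VPN or firewall path instead of certificates.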
btanExec ConsultantCommented:
Trying to get your picture of setup...

I meant that a trust relationship must be established between ADFS as the identity server and Azure ACS as the federation broker. Hence the federation metadata address of Azure needs to be used and added as a trusted relying party. Likewise Azure ACS needs the federation metadata address of ADFS.

Azure ACS - e.g. https://[namespace].accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml
ADFS - e.g. https://[server name].cloudapp.net/FederationMetadata/2007-06/FederationMetadata.xml

Ref - http://www.ben-morris.com/set-up-a-federated-identity-provider-on-azure-using-active-directory-and-adfs-2-0/

Thereafter you need to create claim rules, e.g. having configured the ADFS server to send the correct claims, we have to ensure that Azure ACS passes them through to any application.

Then the apps (assuming web apps) can use federated login by being registered as a relying party application in Azure. To link the apps up to Azure ACS you will need the management key from your ACS instance, which can be collected from the Azure ACS Management Portal. Thereafter the app will have its config file (like web.config) configured...

Just to understand the setup as I may miss out your use case...
