ID3206: A signin response may only redirect within the current web application: (url) is not allowed

I have seen other posts about this error message, but only when they apply to a custom STS. I'm using Geneva beta 2. I added my website as a relying party. I ran fedutil to link my relying party site to the Geneva server and everything seems great. Did a few tweaks to the web.config to allow the token to pass through request validation.

Now as soon as I get the token from the Geneva server, I get this error message.

The identifier for my app looks like this : https://server/app.Namespace
There is one ws-federation passive endpoint: https://server/app.Namespace

I am not encrypting tokens or anything else and haven’t done anything custom at all.

Here is the full stack trace:

[FederationException: ID3206: A signin response may only redirect within the current web application: '/test.Web' is not allowed.]
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +1064
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +521
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +266

I did some poking around in .NET Reflector and it looks like the thing that triggers this failure is code that looks like this:

   if (!ControlUtil.IsAppRelative(returnUrlFromResponse))

So, for whatever reason, it thinks that the redirect URL for my application is absolute instead of relative. Is there any way to fix/debug/troubleshoot this in Geneva Beta 2?


The .NET Addict – http://dotnetaddict.dotnetdevelopersjournal.com

I too experienced a problem with implementing the suggested fix in the Application_BeginRequest event handler. What worked for me was this (in global.asax):

   void Application_Error(object sender, EventArgs e)

Ok, so this is a pretty ridiculous bug. If I hit the URL https://server/myapp/ then the redirect works. When I hit https://server/myapp (with no trailing slash), then the redirect does NOT work (it thinks I'm using an absolute URI instead of relative).

Now of course I'm having an issue where I'm not getting the name back from the Geneva Beta 2 server: my app thinks I'm authenticated but my name is null. Do I need to manually spit this claim back as a claim rule for the relying party? I thought it did this automatically for AD claims?
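The thread identifies the trigger (a request for the bare application root, https://server/myapp, with no trailing slash, so the return URL the STS hands back is "/test.Web" rather than "/test.Web/") and mentions a fix in Application_BeginRequest without showing it. The handler below is an added example, written for this page and not code posted by anyone in the thread or shipped with Geneva/WIF. It canonicalizes a GET for the bare application root to the slash-terminated form before the WSFederationAuthenticationModule runs in AuthenticateRequest, so the wreply that goes to the STS already carries the trailing slash. The application name "/myapp" in the comments is illustrative; Request.ApplicationPath supplies the real value at runtime.

```csharp
// global.asax (added example, not from the original thread or from WIF itself).
// Runs in BeginRequest, which precedes AuthenticateRequest, so the federation
// module only ever sees the slash-terminated application root.
using System;
using System.Web;

void Application_BeginRequest(object sender, EventArgs e)
{
    HttpRequest request = HttpContext.Current.Request;

    // ApplicationPath is "/myapp" for an app under a virtual directory and "/"
    // for an app at the site root; the root case never needs fixing.
    string appPath = request.ApplicationPath;
    if (appPath == "/")
    {
        return;
    }

    // Only the bare application root is affected. "/myapp/Default.aspx" and
    // "/myapp/" already pass the module's app-relative check.
    bool isBareAppRoot = string.Equals(request.Path, appPath, StringComparison.OrdinalIgnoreCase);

    // Redirect GETs only: a 302 would drop the body of the STS's POST (wa/wresult),
    // and by the time that POST arrives the original GET has already been canonicalized.
    if (isBareAppRoot && request.HttpMethod == "GET")
    {
        // Uri.Query already includes the leading "?" (empty string when absent).
        string target = appPath + "/" + request.Url.Query;
        HttpContext.Current.Response.Redirect(target, true);
    }
}
```

Check it by requesting https://server/myapp in a browser and confirming a 302 to https://server/myapp/ before the redirect to the STS; the wreply value in that STS redirect should then end in a slash, and the ID3206 FederationException should no longer appear on the return leg.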

Yeah, I ran into this issue as well. More specifically: