Configure ADFS to become an identity provider in Thinktecture IdentityServer 2.0
I am trying to set up a sample: a web application uses Active Directory log-on through Thinktecture IdentityServer 2.0.

Both Active Directory and Thinktecture IdentityServer are set up on the same machine.

I configured Thinktecture IdentityServer to use Active Directory Federation Services as the identity provider, and Thinktecture IdentityServer becomes a relying party trust.

When I request a log-on action from the web application, two errors are logged on ADFS:

Because I don't have 10 reputation points yet, I will mask the address "https://x.x.x.x/idsrv/" as idsrvAddress.

First: Event ID: 184

A token request was received for a relying party identified by the key 'idsrvAddress', but the request could not be fulfilled because the key does not identify any known relying party trust. Key: idsrvAddress

This request failed.

User Action If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.

Second: Event ID: 364

Encountered error during federation passive request.

Additional Data

Exception details: Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'idsrvAddress' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.

Please help me figure out what I should do!

Ury answered 16/3, 2013 at 5:34 Comment(0)

The question is old but nobody answered, so I decided to share the hint. Microsoft.IdentityServer.Web.InvalidScopeException appeared in my case too, and the solution is to double-check ADFS for the proper case (upper/lower) when specifying the Relying Party Identifier. This is apparently a bug in the ADFS 3.0 I am working with.

  • Open the AD FS management console
  • Go to the Relying Party Trusts
  • Right-click the relying party trust definition and select "Properties"
  • In the dialog presented, select the "Identifiers" tab
  • Copy the identifier from your Event Viewer error message
  • Paste that into the "Relying Party Identifier" text box and click "Add".
    You may need to remove the old identifier if it appears the same but is written using different case. The dialog prevents adding that, but internally ADFS apparently compares using a case-sensitive comparison.

The above helped me to get rid of the error. You may, of course, face different issue. :-)

Grigg answered 28/1, 2015 at 15:35 Comment(0)
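The same check, done from PowerShell on the ADFS server instead of the management console, as an added example that is not part of the answer above: it pulls the key from the most recent Event ID 184, compares it against the trust's configured identifiers both case-sensitively (the way the answer reports ADFS matching internally) and case-insensitively (the way the dialog deduplicates), and rewrites the identifier list when the only difference is case. The trust display name 'Thinktecture IdentityServer' and the admin log name 'AD FS/Admin' are assumptions for this example; replace them with your own values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# ADFS server; requires the ADFS module (ADFS 2.1/3.0 and later).
# ASSUMPTIONS: the trust display name and the 'AD FS/Admin' log name below.
Import-Module ADFS

$trustName = 'Thinktecture IdentityServer'   # assumed display name of the RP trust

# 1. Take the offending key from the newest Event 184 in the AD FS admin log.
#    The event text ends with "Key: <identifier>", so the last token is the key.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 184 } -MaxEvents 1
$requestedKey = ($evt.Message -split 'Key:\s*')[-1].Trim()
Write-Host "Requested key from event log: $requestedKey"

# 2. Read the identifiers actually stored on the trust.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "No relying party trust named '$trustName'" }
$configured = @($trust.Identifier)

# 3. Case-sensitive match (-ceq) versus a match that differs only in case (-ieq but not -ceq).
$exactMatch = @($configured | Where-Object { $_ -ceq $requestedKey })
$caseOnly   = @($configured | Where-Object { ($_ -ieq $requestedKey) -and -not ($_ -ceq $requestedKey) })

if ($exactMatch.Count -gt 0) {
    Write-Host "Identifier matches exactly; MSIS7007 must have another cause (e.g. trust disabled, access denied by the trust's authorization rules)."
}
elseif ($caseOnly.Count -gt 0) {
    Write-Warning "Identifier differs only in case: configured '$($caseOnly[0])', requested '$requestedKey'."
    # -Identifier replaces the whole list, so rebuild it: drop the wrongly-cased
    # entries and append the key exactly as the relying party sends it.
    $newIds = @($configured | Where-Object { $_ -cnotin $caseOnly }) + $requestedKey
    Set-AdfsRelyingPartyTrust -TargetName $trustName -Identifier $newIds
    Write-Host "Updated identifiers: $((Get-AdfsRelyingPartyTrust -Name $trustName).Identifier -join ', ')"
}
else {
    Write-Warning "No identifier on '$trustName' resembles '$requestedKey'. To add it:"
    Write-Host "  Set-AdfsRelyingPartyTrust -TargetName '$trustName' -Identifier (@($configured) + '$requestedKey')"
}
```

The identifier list is rebuilt rather than appended to because a trust that carries both spellings is harder to audit later; if you prefer to keep the old entry, append `$requestedKey` to `$configured` instead of filtering.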

If you are facing the error "Exception details: Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'idsrvAddress' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details."

Please try to sign in from a system which is logged on to the domain.

Kirtley answered 5/5, 2016 at 11:56 Comment(0)

We faced the same issue when configuring ADFS and WAP (Web Application Proxy) to authenticate users before accessing Outlook on the web.

The problem was that we reconfigured the relying party trusts on the ADFS (removed and then created a new one, rather than editing) without reconfiguring the published web applications on the WAP. Thus, whenever you recreate a relying party trust on the ADFS, you have to reconfigure the published web applications on the WAP.

Hope it helps!

Merideth answered 9/10, 2018 at 7:56 Comment(0)
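One way to do the WAP side of that re-binding from PowerShell, as an added example that is not part of the answer above: on the Web Application Proxy server, find every published application that names the recreated relying party, capture its settings, and publish it again against the new trust object. The relying party display name 'Outlook Web App' is an assumption, and so is the choice to remove and re-add each application rather than edit it in place (the answer reports that editing the trust was not enough, and the published application records the trust by ID as well as by name).

```powershell
# Added example (not from the original post). Run on the WAP server; requires the
# WebApplicationProxy module. ASSUMPTION: the relying party display name below.
Import-Module WebApplicationProxy

$rpName = 'Outlook Web App'   # assumed display name of the recreated RP trust on ADFS

# Every published application bound to that relying party (by name, since the
# old trust's ID no longer exists on the ADFS side).
$apps = @(Get-WebApplicationProxyApplication | Where-Object { $_.ADFSRelyingPartyName -eq $rpName })
if ($apps.Count -eq 0) { throw "No WAP application references relying party '$rpName'" }

foreach ($app in $apps) {
    Write-Host "Re-publishing '$($app.Name)' ($($app.ExternalUrl) -> $($app.BackendServerUrl))"

    # Keep the settings we need before the object is removed.
    $settings = @{
        Name                          = $app.Name
        ExternalUrl                   = $app.ExternalUrl
        BackendServerUrl              = $app.BackendServerUrl
        ExternalCertificateThumbprint = $app.ExternalCertificateThumbprint
        ExternalPreauthentication     = 'ADFS'
        ADFSRelyingPartyName          = $rpName
    }

    # Remove the stale publication and create it again so WAP resolves
    # ADFSRelyingPartyName against the new trust and stores its current ID.
    Remove-WebApplicationProxyApplication -ID $app.ID
    Add-WebApplicationProxyApplication @settings
}

# Verify: each application should now show the new trust's ID next to its name.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ADFSRelyingPartyName, ADFSRelyingPartyID
```

Do this during a maintenance window: between the Remove and the Add, external users of that application get an error from the proxy. If your publications use additional settings (custom timeouts, client certificate pre-authentication), add them to `$settings` before running it.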

© 2022 - 2024 — McMap. All rights reserved.