{"id":2518,"date":"2013-10-26T00:27:33","date_gmt":"2013-10-26T07:27:33","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=2518"},"modified":"2013-10-26T01:01:51","modified_gmt":"2013-10-26T08:01:51","slug":"you-have-to-sign-up-with-your-own-multiple-organizations-asp-net-app-before-you-can-sign-in","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2013\/10\/26\/you-have-to-sign-up-with-your-own-multiple-organizations-asp-net-app-before-you-can-sign-in\/","title":{"rendered":"You Have to Sign Up With Your Own Multiple Organizations ASP.NET App Before You Can Sign In"},"content":{"rendered":"<p>Well, I\u2019ve basically written most of the post already in the extra-long title! <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile5.png\"><\/p>\n<p>The ASP.NET project templates in VS2013 for multiple organizations apps contain a design choice which appears to be causing grief to many developers. In this post I am going to describe the issue (and show you how to make it a non-issue) \u2013 for the longer term I guess that the default behavior might have to be changed <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile5.png\"><\/p>\n<h2>The Issue<\/h2>\n<p>The issue is easily explained. If you follow this blog, you already know that the ASP.NET project creation in VS2013 offers you the chance of configuring projects for various authentication styles for business apps. 
<br \/>One of the available templates generates one application meant to be consumed by multiple organizations: if you like buzzwords, that\u2019s what you\u2019d call a SaaS app or a multi-tenant app.<\/p>\n<p>Those apps are meant to accept users from multiple organizations, and more precisely from multiple Windows Azure AD tenants. The template code contains logic for onboarding new organizations: it boils down to triggering the consent flow which allows the admin of a prospective customer to instantly grant the application access to his\/her own tenant. The application template provides a database which is used to maintain the list of organizations that have been onboarded; that database is used at sign-in time to establish if the incoming user belongs to one of the onboarded tenants. The template contains logic for processing messages about successful onboardings by adding the corresponding organization in the database.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image31.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb31.png\" width=\"375\" height=\"246\"><\/a><\/p>\n<p>Here\u2019s the thing that is causing the issue for some of you: <em>at creation time, that database is empty<\/em>. <\/p>\n<p>Technically, when you create a multiple organizations app entry in Windows Azure AD you are doing two operations at once: creating the Application object which describes the app, and consenting for that app to use your directory (e.g. creating a service principal for it in your directory). 
For a deep dive on the application model, see <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/04\/16\/the-windows-azure-ad-application-model\/\">here<\/a>.<br \/>However, the VS template does NOT reflect the fact that your app is automatically provisioned in your own tenant. There is a reason for that: your application might call for some extra provisioning operations every time you onboard a new customer organization, and pre-provisioning a tenant in the DB would create an odd situation as your extra provisioning logic would never have a chance to run. <\/p>\n<p>Regardless of the reason, this creates a problem for the ones among you who follow this rather natural sequence:<\/p>\n<ul>\n<li>you create the app<\/li>\n<li>you hit F5 right away<\/li>\n<li>once presented with the home screen (shown below) you hit sign in and you enter the credentials of your user in your development tenant<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image32.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb32.png\" width=\"634\" height=\"480\"><\/a><\/p>\n<ul>\n<li>after you enter your credentials, you are promptly welcomed by the error below<\/li>\n<\/ul>\n<blockquote>\n<h3>Server Error in &#8216;\/&#8217; Application. <\/h3>\n<h3>\n<hr size=\"1\" width=\"100%\"> <\/h3>\n<h4><i>WIF10201: No valid key mapping found for securityToken: &#8216;System.IdentityModel.Tokens.X509SecurityToken&#8217; and issuer: &#8216;https:\/\/sts.windows.net\/6133e43d-b70d-40ca-87c0-f16993f99070\/&#8217;.<\/i><\/h4>\n<p><b>Description: <\/b>An unhandled exception occurred during the execution of the current web request. 
Please review the stack trace for more information about the error and where it originated in the code. <br \/><b>Exception Details: <\/b>System.IdentityModel.Tokens.SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: &#8216;System.IdentityModel.Tokens.X509SecurityToken&#8217; and issuer: &#8216;https:\/\/sts.windows.net\/6133e43d-b70d-40ca-87c0-f16993f99070\/&#8217;.<br \/><b>Source Error:<\/b>  <\/p>\n<p><code>An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.<\/code>  <\/p>\n<p><b>Stack Trace:<\/b>  <\/p>\n<p><code><\/p>\n<pre>[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https:\/\/sts.windows.net\/6133e43d-b70d-40ca-87c0-f16993f99070\/'.]\r\n   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) +867\r\n   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +73\r\n   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +299\r\n   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +917\r\n   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +464\r\n   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136\r\n   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +69\r\n<\/pre>\n<p><\/code><\/p>\n<hr size=\"1\" width=\"100%\">\n<b>Version Information:<\/b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.33440 <\/p><\/blockquote>\n<p>That is basically telling you that your tenant has no 
entry in the local database, hence you are not supposed to access the application.<\/p>\n<h2>The Solution<\/h2>\n<p>The solution is super straightforward: you just need to use the template logic itself to sign up your own tenant. Click on the \u201cSign up for this application\u201d link on the top bar. You\u2019ll get to the following page:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image33.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb33.png\" width=\"625\" height=\"480\"><\/a><\/p>\n<p>Hit Sign Up. Authenticate as one admin of your development tenant. You\u2019ll land on the following page:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image34.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb34.png\" width=\"624\" height=\"480\"><\/a><\/p>\n<blockquote>\n<p>Now, this would be a good place for warning you about a small issue\u2026 if you are on Windows 8.1 &amp; IE11, chances are that hitting \u201cgrant access\u201d will trigger the following JavaScript error:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image35.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; 
border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb35.png\" width=\"318\" height=\"283\"><\/a><\/p>\n<p>The portal guys are going to fix this issue soon, but in the meanwhile you can work around this by adding this page in the Compatibility View list of IE11. Hit Alt+T, select Compatibility View Settings, and click the Add button to add windowsazure.com in the compatibility view list. The page will reload and you\u2019ll be all set.<\/p>\n<\/blockquote>\n<p>Hit \u201cgrant access\u201d. You\u2019ll be redirected back to your app:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image36.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb36.png\" width=\"629\" height=\"480\"><\/a><\/p>\n<p>That\u2019s it. Your tenant is now in the DB and you can sign in:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image37.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb37.png\" width=\"621\" height=\"480\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>All done. In just 3 clicks and one authentication you are all set. 
<br \/>Granted, the ones among you stumbling on this would likely rather have the development tenant pre-populated by default in the database right out of the gate\u2026 my understanding is that this is pretty high in the list of things to change, but of course your feedback can help <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile5.png\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Well, I\u2019ve basically written most of the post already in the extra-long title! The ASP.NET project templates in VS2013 for multiple organizations apps contain a design choice which appears to be causing grief to many developers. In this post I am going to describe the issue (and show you how to make it&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2505,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2518","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/
\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=2518"}],"version-history":[{"count":2,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2518\/revisions"}],"predecessor-version":[{"id":2521,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2518\/revisions\/2521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/2505"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=2518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=2518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=2518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}