We use WsFederation Authentication with an ADFS server. Most applications that we wrote work with the code below (excluding the debugging code, of course), but my application just doesn't want to work.
I get a redirect to the login page on the AD server just fine and can enter UserId and Password without any problems, but on return there should be a cookie saved and it isn't. The result is that on the next roundtrip the redirect happens again (this time without the login form, though).
The debug code only hits the RedirectToIdentityProvider. None of the others is called.
The code is in the Startup.cs for OWIN.
```csharp
private static void ConfigureAuth(IAppBuilder app, ISettings settings)
{
    app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);

    // Work-around to fix Katana issue 197: https://katanaproject.codeplex.com/workitem/197
    // https://github.com/KentorIT/owin-cookie-saver
    app.UseKentorOwinCookieSaver();

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
    });

    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
    {
        Wtrealm = settings.WsFedRealm,
        MetadataAddress = settings.WsFedMetadataUrl,
        TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = ClaimsExtensions.WurNameIdentifier,
            SaveSigninToken = true,
            // ValidIssuer = settings.ValidIssuer
        },
        Notifications = new WsFederationAuthenticationNotifications
        {
            MessageReceived = context =>
            {
                Log.Info($"Message received {context.ProtocolMessage}");
                return Task.FromResult(0);
            },
            RedirectToIdentityProvider = context =>
            {
                Log.Info($"Redirect to identity provider {context?.Request?.Uri?.AbsolutePath}");
                return Task.FromResult(0);
            },
            SecurityTokenValidated = context =>
            {
                Log.Info("Security token validated");
                return Task.FromResult(0);
            },
            SecurityTokenReceived = context =>
            {
                Log.Info($"SecurityTokenReceived {context?.Response?.ReasonPhrase}");
                return Task.FromResult(0);
            },
            AuthenticationFailed = context =>
            {
                Log.Error($"Authentication failed Uri:{context.Request?.Uri} User:{context.Request?.User?.Identity?.Name}");
                context.HandleResponse();
                context.Response.Redirect("~/Error?message=" + context.Exception.Message);
                return Task.FromResult(0);
            }
        }
    });

    app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
}
```
1 Answer
I think the problem is that both middlewares have the AuthenticationMode Active.
I recommend a custom controller. If the user visits this controller you must trigger the authentication on the OwinContext.Authentication manually for the WsFederationAuthenticationDefaults.AuthenticationType and return a 401. That should trigger the ApplyResponseChallengeAsync in the WsFederationAuthenticationHandler.
In the SecurityTokenValidated method on the WsFederationAuthenticationOptions.Notifications you can issue a new AuthTicket with an identity of type CookieAuthenticationDefaults.AuthenticationType.
Now the identity from the identity provider is converted to a local identity with cookie auth.
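The setup the answer describes, written out as an added example (this is not the asker's or the answerer's code). It assumes an ASP.NET MVC 5 project hosting Katana with Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.WsFederation; `ISettings` with `WsFedRealm` and `WsFedMetadataUrl` is taken from the question, while `AccountController`, its `SignIn`/`SignOut` actions and the `/Error` path are assumed names. The cookie middleware is the only Active middleware and uses its own authentication type; the WS-Federation middleware is Passive, so it only redirects to ADFS when the controller issues an explicit challenge and a 401; `SecurityTokenValidated` re-issues the federated identity under `CookieAuthenticationDefaults.AuthenticationType`, so the cookie middleware writes the session cookie on the reply.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Added example, not the code from the question. ISettings comes from the question.
    public static void ConfigureAuth(IAppBuilder app, ISettings settings)
    {
        // The cookie middleware owns the local session: it is the only Active middleware
        // and the default sign-in target, under its own authentication type.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/SignIn"),   // assumed route, see AccountController
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always           // session cookie only over HTTPS
        });

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = settings.WsFedRealm,
            MetadataAddress = settings.WsFedMetadataUrl,
            // Passive: the handler only redirects to ADFS when a 401 response carries an
            // explicit challenge for its AuthenticationType (issued by AccountController.SignIn).
            AuthenticationMode = AuthenticationMode.Passive,
            Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    // Convert the validated federated identity into a local cookie identity:
                    // same claims, but typed for the cookie middleware so it persists the session.
                    var federated = context.AuthenticationTicket.Identity;
                    var local = new ClaimsIdentity(
                        federated.Claims,
                        CookieAuthenticationDefaults.AuthenticationType,
                        federated.NameClaimType,
                        federated.RoleClaimType);
                    context.AuthenticationTicket =
                        new AuthenticationTicket(local, context.AuthenticationTicket.Properties);
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {
                    // Do not echo the exception text to the browser; log it server-side instead.
                    context.HandleResponse();
                    context.Response.Redirect("/Error");   // assumed error page
                    return Task.FromResult(0);
                }
            }
        });
    }
}

[AllowAnonymous]
public class AccountController : Controller
{
    // Visiting this action triggers the WS-Federation challenge manually.
    public ActionResult SignIn(string returnUrl)
    {
        // Only accept local return URLs, so the post-login redirect cannot be pointed off-site.
        var safeReturnUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        if (Request.IsAuthenticated)
        {
            return Redirect(safeReturnUrl);
        }

        var auth = HttpContext.GetOwinContext().Authentication;
        // Challenge + 401 is what makes the passive handler run ApplyResponseChallengeAsync
        // and redirect to the identity provider.
        auth.Challenge(new AuthenticationProperties { RedirectUri = safeReturnUrl },
                       WsFederationAuthenticationDefaults.AuthenticationType);
        return new HttpUnauthorizedResult();
    }

    public ActionResult SignOut()
    {
        // Clears the local session cookie only; the ADFS session is not touched here.
        HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
        return Redirect("/");
    }
}
```

Because `SetDefaultSignInAsAuthenticationType` already points at the cookie type, the Katana handler would itself retype the identity before `SecurityTokenValidated` runs; the explicit conversion in the notification makes that dependency visible and keeps the cookie identity correct even if the default sign-in type is changed later.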