ADFS "MSISIPSelectionSession" cookie created and then deleted during RP-STS mode WS-Federation passive sign-in
We're using ADFS (on Windows Server 2012 Datacenter Edition) in RP-STS mode, configured for WS-Federation passive sign-in. There are multiple RPs, and multiple upstream IP-STSs configured.
The desired behaviour is as follows:
1. The user browses to the first RP, and is redirected to ADFS.
2. ADFS displays the home realm discovery page, and the user chooses an IP-STS.
3. ADFS stores the session cookie "MSISIPSelectionSession" to remember the choice the user made.
4. ADFS sends a sign-in request to the chosen IP-STS, which authenticates the user, and issues a sign-in response to ADFS.
5. ADFS issues a sign-in response to the RP, and Windows Identity Foundation takes care of the rest.
6. The user browses to the 2nd RP, and is redirected to ADFS.
7. ADFS uses the IP-STS choice made previously, via the "MSISIPSelectionSession" session cookie.
8. ADFS sends a sign-in request to the chosen IP-STS, which authenticates the user, and issues a sign-in response to ADFS.
9. ADFS issues a sign-in response to the RP, and Windows Identity Foundation takes care of the rest.
This works perfectly, apart from one strange problem:
The "MSISIPSelectionSession" session cookie is created correctly at step 3, but it's cleared at step 5 when ADFS issues the sign-in response to the RP. This means that when the user browses to the 2nd RP and is redirected to ADFS, they're re-presented with the home realm discovery page rather than the previous selection being used automatically.
The documentation on ADFS configuration (http://msdn.microsoft.com/en-us/library/ee895366.aspx) suggests this should work as desired:
Persist identity provider selection. This element specifies how long to save the user's selection of identity provider STS (IP-STS). By default, the selection is stored in a persistent cookie for 30 days. This saves the user from having to specify the IP-STS every time he or she signs in. The following element saves the selection for 90 days:
<persistIdentityProviderInformation enabled="true" lifetimeInDays="90" />
Set the enabled attribute to false to track the identity provider selection only for the current browser session. In this case, you do not have to specify the lifetimeInDays attribute.
<persistIdentityProviderInformation enabled="false" />
Our configuration is based on the latter example.
I've looked at the ADFS source code, and it's clear why the cookie is being created and subsequently deleted:
The SendSignInRequest method (in Microsoft.IdentityServer.Web.FederationPassiveAuthentication, Microsoft.IdentityServer.dll, 6.2.9200.16645) makes the following method call, which maps to step 3 of the behaviour flow:
FederationPassiveAuthentication.SaveIPSelectionSessionCookie(identityProvider.SamlEntityId.OriginalString);
The SendSignInResponse method (in Microsoft.IdentityServer.Web.FederationPassiveAuthentication, Microsoft.IdentityServer.dll, 6.2.9200.16645) makes the following method call, which maps to step 5 of the behaviour flow:
FederationPassiveAuthentication._ipSelectionCookieManager.DeleteSessionCookie();
I'm unable to understand why the call to the DeleteSessionCookie method is made when issuing the response. I've applied all available updates, and have been reading documentation, forums, blogs etc. for days to try and understand it, but I've not found any examples of anyone else that's come across this issue.
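One way to pin down where in the passive sign-in flow the cookie is set and cleared is to read the Set-Cookie headers of each ADFS response in a browser or proxy capture. The following is an added example, not code from the poster or from ADFS: it classifies each Set-Cookie header as a set or a delete (past Expires, Max-Age of zero, or an empty value) and reports the lifecycle of MSISIPSelectionSession across a constructed trace whose step numbers follow the list above; all cookie values are placeholders.

```python
from collections import namedtuple
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

HRD_COOKIE = "MSISIPSelectionSession"
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed trace
# action is "set" or "delete"; persistent means a future Expires/Max-Age was present
CookieEvent = namedtuple("CookieEvent", "step name action persistent")

# Constructed trace of the ADFS responses that matter (step numbers follow the post).
# MSISAuth is ADFS's own sign-in cookie; every cookie value here is a placeholder.
TRACE = [
    (3, "HRD selection -> redirect to IP-STS",
     ["MSISIPSelectionSession=SELECTION_PLACEHOLDER; path=/adfs/ls; secure; HttpOnly"]),
    (4, "IP-STS token posted back to ADFS",
     ["MSISAuth=AUTH_PLACEHOLDER; path=/adfs/ls; secure; HttpOnly"]),
    (5, "SendSignInResponse to the RP",
     ["MSISAuth=AUTH_PLACEHOLDER; path=/adfs/ls; secure; HttpOnly",
      "MSISIPSelectionSession=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/adfs/ls"]),
]

def parse_set_cookie(step, header, now=NOW):
    """A past Expires, Max-Age<=0, or an empty value with no future expiry clears a cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    persistent = expiry_given = False
    if "max-age" in attrs:
        expiry_given, persistent = True, int(attrs["max-age"]) > 0
    elif "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:  # older Pythons return a naive datetime for "GMT"
            exp = exp.replace(tzinfo=timezone.utc)
        expiry_given, persistent = True, exp > now
    deleted = (expiry_given or value == "") and not persistent
    return CookieEvent(step, name.strip(), "delete" if deleted else "set", persistent)

def cookie_events(trace, now=NOW):
    return [parse_set_cookie(s, h, now) for s, _, hdrs in trace for h in hdrs]

def lifecycle(events, name):
    """(steps that set the cookie, steps that cleared it), in trace order."""
    sets = [e.step for e in events if e.name == name and e.action == "set"]
    dels = [e.step for e in events if e.name == name and e.action == "delete"]
    return sets, dels
```

For the trace above, lifecycle(cookie_events(TRACE), HRD_COOKIE) returns ([3], [5]): the home-realm cookie is set at the HRD step and cleared by the response to the RP, which is exactly the symptom described, and it is a session cookie (no future expiry), matching enabled="false".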
Hi,
For the ADFS issue, I suggest you ask in:
http://social.msdn.microsoft.com/forums/vstudio/en-us/home?forum=geneva
Regards.
Vivian Wang