1
votes

I'm trying to (re)use ADFS 2/WIF claims-based authentication cookies for multiple different applications running on the same domain.

So I have these applications/virtual directories for which I would like to reuse the same authentication cookie:

In the portal, I'd like to include (client side authenticated) content from myapp, so I don't want every app to be authenticated separately with a redirect to STS/ADFS.

I thought this would be pretty straightforward, as they could both access the same cookie since they reside on the same domain, but the cookie is only valid for the application it was created in (the FedAuth and FedAuth1 cookie paths are restricted to "/portal/").

When I set the 'path' in the cookieHandler settings to "/", I will get an exception:

[SecurityTokenException: ID4291: The security token 'System.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.]
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ValidateToken(SessionSecurityToken token, String endpointId) +1008632
   System.IdentityModel.Services.SessionAuthenticationModule.ValidateSessionToken(SessionSecurityToken sessionSecurityToken) +351
   System.IdentityModel.Services.SessionAuthenticationModule.SetPrincipalFromSessionToken(SessionSecurityToken sessionSecurityToken) +91
   System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +66
   System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +929
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

I've tried to use the Microsoft.Owin.Security.WsFederation beta packages mentioned in this article as an alternative, with no success getting this running: http://blogs.msdn.com/b/webdev/archive/2014/02/21/using-claims-in-your-web-app-is-easier-with-the-new-owin-security-components.aspx

Before I try to override methods in the SessionSecurityTokenHandler, is what I'm trying to achieve even possible?

Thanks in advance!


3 Answers

4
votes

Change cookieHandler as below in system.identityModel.services --> federationConfiguration

  <federatedAuthentication>
    <cookieHandler requireSsl="true" path="/" />
  </federatedAuthentication>
0
votes

It was actually pretty simple to do, by replacing MachineKeySessionSecurityTokenHandler with a custom implementation that gets rid of the token validation:

using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Services.Tokens;
using System.IdentityModel.Tokens;
using System.Security.Claims;

namespace Security.Web
{
    public class SharedSecurityTokenHandler : MachineKeySessionSecurityTokenHandler
    {
        // Skips the endpoint (cookie path) scope check that raises ID4291; the rest of the base validation still runs.
        public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SessionSecurityToken token, string endpointId)
        {
            if (token == null) throw new ArgumentNullException("token");
            if (endpointId == null) throw new ArgumentNullException("endpointId");

            return ValidateToken(token);
        }
    }
}

then just registering it in the web.config:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <!-- Remove the default handler for this token type before adding the replacement -->
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="Security.Web.SharedSecurityTokenHandler, Security.Web, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
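An added example, not part of the answer above: a variant of the same override that keeps a scope check across an explicit set of sibling application paths instead of dropping it, so a session token minted under an unrelated path on the same host (and machine key) is still rejected. The class name and the paths in SharedScopes are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Services.Tokens;
using System.IdentityModel.Tokens;
using System.Security.Claims;

namespace Security.Web
{
    public class SharedScopeSessionTokenHandler : MachineKeySessionSecurityTokenHandler
    {
        // Hypothetical allow-list of cookie paths that are permitted to share one session token.
        private static readonly HashSet<string> SharedScopes =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/portal/", "/myapp/", "/" };

        public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SessionSecurityToken token, string endpointId)
        {
            if (token == null) throw new ArgumentNullException("token");
            if (endpointId == null) throw new ArgumentNullException("endpointId");

            // Same scope as the issuing application: keep the stock behaviour, including the endpoint check.
            if (string.Equals(token.EndpointId, endpointId, StringComparison.OrdinalIgnoreCase))
                return base.ValidateToken(token, endpointId);

            // Cross-application use: both the issuing path and the current path must be on the allow-list.
            string issuedFor = token.EndpointId ?? string.Empty;
            if (!SharedScopes.Contains(issuedFor) || !SharedScopes.Contains(endpointId))
                throw new SecurityTokenException(
                    "Session token scoped to '" + issuedFor + "' is not accepted at '" + endpointId + "'.");

            // Run the base validation without the endpoint comparison (lifetime etc. are still checked).
            return ValidateToken(token);
        }
    }
}
```

Register it in web.config exactly as the handler above, with the default SessionSecurityTokenHandler removed first.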
0
votes

I've been trying to achieve the same thing and found that SessionAuthenticationModule.ValidateSessionToken(SessionSecurityToken sessionSecurityToken) calls:

securityTokenHandler.ValidateToken(sessionSecurityToken, this.CookieHandler.Path)

...where the second argument is endpointId. Therefore, configuring both my apps with:

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler domain="example.com" path="/" />
    ...
  </federationConfiguration>
</system.identityModel.services>

...allowed the validation in MachineKeySessionSecurityTokenHandler to pass.