
How to deal with stale claims in WIF?

Here's the setup:

  1. I have a WIF STS that provides authentication for many different MVC web applications. The STS also provides claims, like privileges, email, etc.

  2. I have an MVC application we'll call MyApp that uses the STS for authentication and consumes the claims provided.

  3. I have an MVC application we'll call MyManager that allows an admin to change any user's claims, for example privileges associated with a user.

Here's the problem:

  1. User "MisterUser" logs into MyApp and gets the FedAuth cookies that contain his claims - including a custom "MyAppUser" (privilege) claim. MyApp checks for this claim to verify the user can make requests on MyApp.

  2. Concurrent with MisterUser's session, "Admin" logs into MyManager and removes the MyAppUser claim from MisterUser.

  3. MisterUser can still continue to use MyApp until his session expires because the FedAuth cookies have already been written and are good for that session.

Obviously what I want to have happen here is to shut down MisterUser's access immediately after Admin removes his MyAppUser (privilege) claim. What is the best way I can accomplish this task?

It's entirely possible this is a common problem with a straightforward solution but I have been unable to discover any real insights upon hours of searching.

Any help is greatly appreciated!

There is, if using ADFS, a signout request that you could try to use; see this SO link. (ManyRootsofAllEvil)

1 Answer


As you state, the claims are valid for the session. They are not dynamic and (if you think about it) implementing some kind of STS dynamic update would be a nightmare.

Claims are updated when you login so the only way to handle this is to logout and then login "under the hood" so the user is not aware of this.

I asked a similar question - refer: Updating claims with ADFS and WIF and the answer there.
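One concrete way to do the "logout and then login under the hood" from the answer, as an added example that is not code from the question, the answer, or WIF itself: MyManager records, in a store shared with MyApp, the UTC time at which it last changed a user's claims; MyApp hooks the SessionAuthenticationModule's SessionSecurityTokenReceived event and, if the FedAuth session token was issued before that time, deletes the cookie and refuses the token, so the request goes back to the STS for a fresh set of claims. The IClaimsRevocationStore / InMemoryClaimsRevocationStore types, the MarkClaimsChanged call and the web.config module name "SessionAuthenticationModule" are assumptions made for this example; the WIF types and events used (SessionAuthenticationModule, SessionSecurityTokenReceivedEventArgs, SessionSecurityToken) are the real System.IdentityModel.Services / System.IdentityModel.Tokens APIs.

```csharp
// Global.asax.cs of MyApp. Added example, not from the original post.
// Assumption: IClaimsRevocationStore is a store that MyManager writes to and MyApp
// reads from (in practice a shared table or cache; here an in-process dictionary so
// the snippet is self-contained).
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web;

namespace MyApp
{
    // Hypothetical shared store: NameIdentifier -> UTC time the user's claims last changed.
    public interface IClaimsRevocationStore
    {
        DateTime? GetClaimsChangedAt(string nameIdentifier);
    }

    public sealed class InMemoryClaimsRevocationStore : IClaimsRevocationStore
    {
        private readonly ConcurrentDictionary<string, DateTime> _changedAt =
            new ConcurrentDictionary<string, DateTime>();

        // Called by MyManager (assumed) right after it adds or removes a claim for a user.
        public void MarkClaimsChanged(string nameIdentifier) =>
            _changedAt[nameIdentifier] = DateTime.UtcNow;

        public DateTime? GetClaimsChangedAt(string nameIdentifier) =>
            _changedAt.TryGetValue(nameIdentifier, out var t) ? t : (DateTime?)null;
    }

    public class MvcApplication : HttpApplication
    {
        // In a real deployment this must be shared between MyManager and MyApp.
        public static readonly InMemoryClaimsRevocationStore RevocationStore =
            new InMemoryClaimsRevocationStore();

        // Decision logic kept separate from the WIF plumbing so it can be unit tested:
        // the session token is stale if the user's claims changed after it was issued.
        public static bool IsStale(SessionSecurityToken token, IClaimsRevocationStore store)
        {
            var id = token.ClaimsPrincipal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (id == null)
                return true; // no stable identity in the token: do not trust it

            var changedAt = store.GetClaimsChangedAt(id);
            return changedAt.HasValue && changedAt.Value > token.ValidFrom;
        }

        // ASP.NET auto-wires Global.asax methods named <moduleName>_<eventName>;
        // "SessionAuthenticationModule" is assumed to be the module name in web.config.
        protected void SessionAuthenticationModule_SessionSecurityTokenReceived(
            object sender, SessionSecurityTokenReceivedEventArgs e)
        {
            if (!IsStale(e.SessionToken, RevocationStore))
                return;

            // Delete the FedAuth cookie and refuse the token for this request. The request
            // then runs unauthenticated, WIF redirects the browser to the STS, and the STS
            // issues a new token carrying the user's current claims. If the MyAppUser claim
            // is gone, MyApp's own claim check now fails, as the question wants.
            var sam = (SessionAuthenticationModule)sender;
            sam.SignOut();
            e.Cancel = true;
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the redirect is only "under the hood" if the STS still has its own single-sign-on session for the user; if it does not, the user sees the login page again. Second, this only helps if the STS reads the user's privileges from the backing store each time it issues a token; if the STS caches claims in its own session, the ADFS sign-out request mentioned in the comment above is also needed so that its session is torn down and rebuilt with the new claims.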