CedricD-1021 asked:

How to configure ADFS as Service Provider and get MSISAuth ADFS Cookies?

Hello,

I'm on ADFS 4.0 (Windows Server 2016).

  • I have an application A which doesn't want to use the ADFS login page.

  • I have an application B declared as "Relying Party Trust" for the ADFS.


  • I configure my App A as "Claims Provider Trust".

  • The App A creates and signs a SAMLResponse.

  • The App A POSTs the signed SAMLResponse to ADFS /adfs/ls/idpinitiatedsignon.

  • ADFS checks the SAMLResponse, redirects the user to idpinitiatedsignon and says "you are connected".

  • When I try to go to App B, I have to authenticate my user to ADFS


  • When I check the cookies, I see SamlSession, MSISIPSelectionPersistent, MSISAuthenticated and MSISLoopDetectionCookie.

  • Is there a way to get the ADFS MSISAuth Cookie with this flow?


In the logs I have these messages:
- A warning: SSO token is null or empty. Cannot write SSO token to Cookies.
- An error: The supplied Claims Provider Trust property https://myidp.app.A from session cookie is not valid

Thank you in advance for your help.

Tags: adfs

What do you mean by "I have an application A which doesn't want to use the ADFS login page."? It doesn't work? Or you don't want to use ADFS for the auth? Also, is that application an actual SAML IdP? Why add App A as a claims provider? I am a bit confused by the scenario :/


1 Answer

CedricD-1021 answered:

Hi @piaudonn

The App A has its own login page.
It's a portal which allows access to other apps.
The App A wants to use ADFS for authentication but doesn't want to use the ADFS login page. It's a request from the Project Owner.

1st try: By API
- First I checked if there is ADFS API to do this. Apparently not.

2nd try: With a SOAP request
- Then I use the adfs/services/trust/13/usernamemixed URL to send the login/pwd from the App and get a SAML Assertion.

The App B is accessed via a link in App A.
In ADFS, I created a relying party trust for App A and App B.

It works, but there are no ADFS cookies (no MSISAuth). When the user goes from the portal App A to App B there is no SSO.

3rd try: With a SAMLResponse
- Because the App A is a portal, the PO wants to try this pattern:
App A (SP) <> ADFS (IdP), then App A (IdP) <> ADFS (SP) - ADFS (IdP) <> App B (SP)
Here is a diagram to explain the use case.

[Attachment: capture.jpeg (83.8 KiB), diagram of the use case]
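The WS-Trust exchange behind the answer's "2nd try" (the portal sending the user's login/pwd to /adfs/services/trust/13/usernamemixed and getting a SAML assertion back), as an added example that is not code from the question or the answer. It builds the RST/Issue envelope with the standard library only, reads the key fields back out of it, and pulls the assertion out of a response or surfaces a SOAP fault. The host adfs.example.com, the relying-party identifier urn:app-b, the user alice@example.com and the two sample responses are constructed assumptions; the envelope layout itself is the standard WS-Trust 1.3 request that the AD FS usernamemixed endpoint accepts.

```python
"""WS-Trust 1.3 "usernamemixed" exchange with AD FS, built and checked offline.
Added example, not code from the thread; adfs.example.com, urn:app-b, the user
and the two sample responses below are constructed assumptions."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS = {  # namespaces of the exchange, used both to build the envelope and for lookups
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "trust": WST, "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RST_ISSUE = WST + "/RST/Issue"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"


def build_rst(endpoint, relying_party, username, password, now=None):
    """SOAP 1.2 envelope for RST/Issue. The password is clear text inside a
    WS-Security UsernameToken, so the request must only ever go over TLS."""
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    created, expires = now.strftime(fmt), (now + timedelta(minutes=5)).strftime(fmt)
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:u="{NS['u']}">
  <s:Header>
    <a:Action s:mustUnderstand="1">{RST_ISSUE}</a:Action>
    <a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>
    <a:ReplyTo><a:Address>{NS['a']}/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{NS['o']}">
      <u:Timestamp u:Id="_0"><u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-{uuid.uuid4()}">
        <o:Username>{escape(username)}</o:Username>
        <o:Password Type="{PASSWORD_TEXT}">{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="{WST}">
      <wsp:AppliesTo xmlns:wsp="{NS['wsp']}">
        <a:EndpointReference><a:Address>{escape(relying_party)}</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>{WST}/Bearer</trust:KeyType>
      <trust:RequestType>{WST}/Issue</trust:RequestType>
      <trust:TokenType>{NS['saml']}</trust:TokenType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def summarize_rst(xml_text):
    """The fields AD FS keys on, read back out of the envelope (logging / sanity check)."""
    root = ET.fromstring(xml_text)
    return {"action": root.findtext("s:Header/a:Action", namespaces=NS),
            "to": root.findtext("s:Header/a:To", namespaces=NS),
            "username": root.findtext(".//o:UsernameToken/o:Username", namespaces=NS),
            "applies_to": root.findtext(".//wsp:AppliesTo/a:EndpointReference/a:Address", namespaces=NS),
            "token_type": root.findtext(".//trust:TokenType", namespaces=NS)}


def fault_text(rstr_text):
    """Reason text of a SOAP 1.2 fault in the response, or None if it is not a fault."""
    fault = ET.fromstring(rstr_text).find(".//s:Fault", NS)
    if fault is None:
        return None
    return (fault.findtext(".//s:Text", namespaces=NS) or "").strip()


def extract_assertion(rstr_text):
    """SAML 2.0 assertion out of the RSTRC, or RuntimeError on a SOAP fault.
    'signed' only says whether a ds:Signature is present; verifying it against
    the AD FS token-signing certificate is a separate, mandatory step."""
    reason = fault_text(rstr_text)
    if reason is not None:
        raise RuntimeError("SOAP fault: " + reason)
    root = ET.fromstring(rstr_text)
    assertion = root.find(".//trust:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise RuntimeError("no SAML 2.0 assertion in response")
    conditions = assertion.find("saml:Conditions", NS)
    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "audience": assertion.findtext(".//saml:Audience", namespaces=NS),
            "not_on_or_after": None if conditions is None else conditions.get("NotOnOrAfter"),
            "signed": assertion.find("ds:Signature", NS) is not None}


# Constructed responses, not captured from a real AD FS: one success, one fault.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="{WST}"><trust:RequestSecurityTokenResponse>
<trust:RequestedSecurityToken><Assertion ID="_c0ffee" Version="2.0" xmlns="{NS['saml']}">
  <Issuer>http://adfs.example.com/adfs/services/trust</Issuer>
  <Subject><NameID>alice@example.com</NameID></Subject>
  <Conditions NotOnOrAfter="2020-06-01T09:00:00Z">
    <AudienceRestriction><Audience>urn:app-b</Audience></AudienceRestriction>
  </Conditions>
</Assertion></trust:RequestedSecurityToken><trust:TokenType>{NS['saml']}</trust:TokenType>
</trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection>
</s:Body></s:Envelope>"""
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value></s:Code>
<s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>"""
```

Two things a practitioner should keep in mind with this flow. First, the application handles the user's raw password and the endpoint takes nothing but that password, so it sidesteps the interactive AD FS sign-in page and whatever is enforced there; send it only over TLS, and keep the endpoint disabled unless something needs it. Second, the token comes back from the active (SOAP) endpoint to the application, not to the browser, so AD FS never gets to set MSISAuth or any other session cookie. That is why this attempt yields a valid assertion for App B but no SSO when the user follows the link from App A to App B.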