
We have a site which relies on federated authentication using Active Directory Federation Services (ADFS) and WSFederationAuthenticationModule.

The site also employs a set of XHR requests fired upon user interaction. One particular example is a drop-down menu which allows the user to impersonate other users. Another one is the faceting functionality on a site-wide search page.

The problem is that the session expires when a user stays inactive on a page for a certain amount of time. With normal HTTP requests, when the user clicks on a link, for example, this is not a problem. Upon session expiration the user is redirected to the STS and promptly back again without the user ever noticing - it happens quickly enough.

But XHR requests fail. The actual error message in the console is:

XMLHttpRequest cannot load https://adfs.contoso.com/adfs/ls/... 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'https://www.example.com' is therefore not allowed access.

It seems that the XHR request cannot redirect to the STS and subsequently back to the relying party like it happens with a regular HTTP request as this causes a CORS problem.

This naturally breaks all elements on the page relying on particular JavaScript. The only way for the user to work around this is to refresh the page when the problem occurs.

What would be the correct way to solve this?


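An added client-side example, not from the question or either answer, showing the workaround the question describes (refreshing the page) done automatically: the XHR endpoint is called with fetch() and redirect: 'manual', so the browser never follows the 302 into adfs.contoso.com and never hits the CORS error; an opaque-redirect response is treated as "session expired" and a full-page navigation is triggered, which the WS-Federation module handles the same way it handles a link click. Assumptions that are mine and not the page's: the XHR endpoints (e.g. /api/search) are same-origin with the relying party, the session cookie is sent automatically, and the X-Requested-With header is merely a hint that a server could use to answer 401 instead of 302 (the page does not say the server does this). The fetch implementation and the expiry handler are injectable so the wrapper can be exercised outside a browser.

```javascript
// Added example, not from the original question or answers.
// Assumptions (mine, not the page's): the relying party exposes same-origin XHR
// endpoints such as /api/search; the session cookie is sent automatically; and
// re-authentication is done by a full-page navigation, which the WS-Federation
// module redirects through ADFS and back, exactly as it does for a link click.

// Decide what a response means for the caller. fetch() with redirect: 'manual'
// does not follow the 302 to the STS; it resolves with an opaque-redirect
// response (type 'opaqueredirect', status 0), which is the expiry signal here.
function classifyResponse(response) {
  if (response.type === 'opaqueredirect') return 'session-expired';
  if (response.status === 401) return 'session-expired';
  if (response.ok) return 'ok';
  return 'error';
}

// Default recovery: reload the page so the normal (non-XHR) redirect to the STS
// and back runs, which is what already works for ordinary navigation.
function reloadForReauth() {
  if (typeof window !== 'undefined') window.location.reload();
}

// Wrapper around fetch(). `deps` lets callers (and tests) inject a fetch
// implementation and an expiry handler instead of touching the real browser.
async function fetchWithReauth(url, options = {}, deps = {}) {
  const fetchImpl = deps.fetch || globalThis.fetch;
  const onExpired = deps.onExpired || reloadForReauth;

  const response = await fetchImpl(url, {
    ...options,
    credentials: 'same-origin',  // send the relying party's session cookie
    redirect: 'manual',          // never chase a redirect into adfs.contoso.com
    headers: {
      ...(options.headers || {}),
      // Hint for the server; whether it answers 401 rather than 302 for XHR
      // is an assumption, not something the page states.
      'X-Requested-With': 'XMLHttpRequest',
    },
  });

  const verdict = classifyResponse(response);
  if (verdict === 'session-expired') {
    onExpired(url);
    return { verdict, response: null };
  }
  return { verdict, response };
}

// Usage in the page, e.g. the faceting call on the search page
// (endpoint path is hypothetical):
//   fetchWithReauth('/search/facets?q=term').then(({ verdict, response }) => {
//     if (verdict === 'ok') return response.json();
//   });
```

Note that this only works with fetch(): XMLHttpRequest always follows redirects itself, which is why the original XHR ends up at the ADFS endpoint and fails the CORS check. Reloading loses any unsaved page state, so a real implementation would typically stash the pending action and replay it after the reload.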
2 Answers


The only solution that worked for me was the one provided by Pinpont in this answer: https://stackoverflow.com/a/28631956/6299975

That is what I did to implement sliding expiration.

using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Inside Startup.Configuration(IAppBuilder app) of the OWIN/Katana pipeline:
// the cookie middleware owns the session cookie's lifetime, the WS-Federation
// middleware handles the redirect to ADFS and back.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    SlidingExpiration = false
});

app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
    MetadataAddress = xxxxxxx,   // federation metadata URL of the ADFS instance
    Wtrealm = xxxxxx,            // realm (identifier) of this relying party
    UseTokenLifetime = false,    // don't copy the token's expiry onto the cookie
});

SlidingExpiration = false in CookieAuthenticationOptions

UseTokenLifetime = false in WsFederationAuthenticationOptions


Add this to the web.config in the ADFS ls folder, or the corresponding one on the ADFS Proxy if you are using one.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <system.webServer>
   <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
   </httpProtocol>
 </system.webServer>
</configuration>

ref: http://enable-cors.org/server_iis7.html

  • While it is somewhat typical in the Microsoft-land to just lower security barriers when something does not work, I'm a bit skeptical whether this is the right approach. It surely would fix the problem, but it would simultaneously be a global setting affecting the whole ADFS Proxy. Although in this case it might be relatively low-risk, I would much prefer working around it on the client side. – user5254475 Jun 12 '15 at 06:03
  • Then move the application & ADFS ls all to the same domain. Or specifically list what domains you trust: https://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work – MatthewMartin Jun 12 '15 at 14:03