
I am relatively new to the whole SSO scene, so do bear with me if this seems trivial.
I seem to have encountered a somewhat strange issue and I'm not sure how to even begin looking it up anywhere.

I am implementing a WS-Fed ADFS for my organization using the On-Premises option in ASP.NET MVC, which implements the whole thing using OWIN.

The implementation works fine because it works on my PC's Chrome browser, but nowhere else. But I know it works because I was able to capture the data through Fiddler.

[Image: Fiddler Info]

You'll notice that there is continuous back and forth between my website and the ADFS, even though the login is successful and the data retrieved is also correct.
After a few bounces, I get an error page:

[Image: ADFS error]

This is my Web.Config:
<configuration>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:ADFSMetadata" value="https://xyz-test.azurewebsites.net/FederationMetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Wtrealm" value="https://xyz-test.azurewebsites.net/" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5.2" />
    <httpRuntime targetFramework="4.5.2" />
  </system.web>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Optimization" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" />
    </compilers>
  </system.codedom>
</configuration>

RouteConfig.cs

public static void RegisterRoutes(RouteCollection routes)
{
    routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

    routes.MapRoute(
        name: "Default",
        url: "{controller}/{action}/{id}",
        defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
    );
}

HomeController

using System.Security.Claims;
using System.Web.Mvc;

[Authorize]
public class HomeController : Controller
{
    // Every action requires an authenticated user; the Index view renders the
    // claims that came back from AD FS.
    public ActionResult Index()
    {
        return View((User as ClaimsPrincipal).Claims);
    }
}

I would like to understand how to resolve this. And why/how is it even working on my PC's Chrome browser?

Sanketh. K. Jain
  • Have you done like in this guide? http://dev.haufe.com/haufe-adfs-identity-for-aspnet-login/ – mortb Mar 23 '17 at 08:15
  • @mortb Yes. The Identity server is not in my control, obviously, but besides that everything is as per the link – Sanketh. K. Jain Mar 23 '17 at 08:52
  • I think that the received authentication data should be stored as cookies. Are there any cookies set? – mortb Mar 23 '17 at 09:00
  • @mortb Yes yes. That works too. Like I mentioned, it works on my Chrome perfectly. – Sanketh. K. Jain Mar 23 '17 at 09:02
  • Did you sanitise correctly? The ida:ADFSMetadata value should be the AD FS, which I doubt is at the same hostname as the website. The error is the loop detection logic kicking in at AD FS and stopping the loop going any further unnecessarily. You need to enable logging at the app side to see why it returns the user back to AD FS for a new logon. It doesn't like the token received or has some data required that's missing. It's entirely possible the tokens issued for you are different than those issued for other users. Basically, you need to see why the app doesn't like the token. – maweeras Mar 23 '17 at 22:05
  • @maweeras Any suggestions on how I should see that? And identify what I'm looking for? Also, the ida:ADFSMetadata link is the link to the metadata located in my website's path, because there were other issues when trying to access the path at the ADFS server like this error that I posted a few days ago - http://stackoverflow.com/questions/42909431/implementing-the-xmlreadersettings?noredirect=1#comment72918677_42909431 – Sanketh. K. Jain Mar 27 '17 at 06:15
  • The adfs metadata is mandatory and can not be substituted by something else. Have you copied adfs metadata to a location on web server? – maweeras Mar 27 '17 at 08:46
  • Yes, the metadata has been copied from the ADFS server. – Sanketh. K. Jain Mar 27 '17 at 11:29

2 Answers


It's been a long time coming, but I found out what was causing this issue.

This, and a few other issues attributed to ADFS login using OWIN, especially if you're using the default code provided by Microsoft, are because of a bug in the default cookie manager being used by OWIN, in .NET 4.5.

Found the answer here. To be fair, it is more of a workaround than a solution.

This basically uses SystemWebCookieManager as the custom cookie manager, and everything works the way it should.

Also, you can get the code for SystemWebCookieManager from here, and its dependent class can be found here.
Note: It looks like it is code from the Katana project, so make sure that you include the copyright comments too, and include these two classes in your solution.

From here on out, it's life as usual for the ADFS, no more change required (unless you're doing something else).

Sanketh. K. Jain
  • Wow. I've been trying to figure this out for (actual) weeks now, and I think I'm running into the same problem. This was painful. – shortstuffsushi Dec 13 '18 at 19:23

Looks like you are running into the WsFederation Authentication login loop. I see you access your app over http and not https.

maweeras
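For readers landing here with the same loop, the following OWIN Startup class is an added example that is not from the question or from either answerer. It shows the wiring both answers point at: the accepted answer's custom cookie manager (SystemWebCookieManager, which ships in the Microsoft.Owin.Host.SystemWeb package from Katana 3.1 onward, an assumption about your package version; on older Katana you copy the two classes into the solution as that answer says) and the Secure flag on the session cookie, which is where the second answer's http-versus-https observation bites. It assumes the ida:Wtrealm and ida:ADFSMetadata keys from the question's Web.config and the namespace WsFedSample, which is hypothetical.

```csharp
// Added example, not the question's or the answers' code. Assumes the two
// ida:* appSettings from the question's Web.config and Katana 3.1 or later for
// SystemWebCookieManager; the WsFedSample namespace is hypothetical.
using System.Configuration;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(WsFedSample.Startup))]

namespace WsFedSample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
            string metadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

            // The session cookie is what ends the redirect loop: after AD FS posts
            // the token back, the cookie middleware must persist the sign-in so the
            // next request is not challenged again.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // Write cookies through System.Web's response so the OWIN and
                // ASP.NET cookie collections do not overwrite each other (the
                // workaround the accepted answer describes).
                CookieManager = new SystemWebCookieManager(),
                CookieHttpOnly = true,
                // Send the cookie over TLS only. Trade-off: if the site is reached
                // over plain http (the second answer's observation), the browser
                // never returns a Secure cookie and the challenge repeats, so serve
                // the app over https rather than relaxing this.
                CookieSecure = CookieSecureOption.Always,
                // Let the session expire with the token instead of sliding forever.
                SlidingExpiration = false,
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = metadata,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Diagnostics for the loop (what the comments ask for): record
                    // why a token was rejected instead of silently re-challenging.
                    AuthenticationFailed = ctx =>
                    {
                        Trace.TraceError("WS-Fed authentication failed: {0}", ctx.Exception);
                        ctx.HandleResponse();
                        ctx.Response.StatusCode = 401;
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Two things worth checking against your own setup: MetadataAddress must point at the AD FS server's federation metadata rather than at a copy hosted on the relying party (a copy goes stale when AD FS rolls its signing certificate), and the Secure flag only makes sense once the site is served over https, which also removes the condition the second answer describes.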