How to see the redirect status from an STS / IdP
<p>I have searched (probed, even) for an answer to this but haven't come up with anything useful so far. I'm pretty new to ADFS, STSs in general and WIF, so please excuse any obvious ignorance or inappropriate use of terminology. ;)</p>

<p>I'm currently integrating a custom MVC3 app with an external IdP, via ADFS. The ADFS to IdP setup is all done and working.</p>

<p>Some parts of the site are accessible to anonymous users; in the web.config the authentication mode has been set to none. The other parts are protected by having their controllers/action methods decorated with a custom System.Web.Mvc.AuthorizeAttribute.</p>

<p>All the usual modifications to the web.config for using the WSFederationAuthenticationModule have been made and it works 95%; the user can browse to the anonymously accessible parts of the site. When they try to hit the protected parts, the authorize attribute checks whether they have some custom information from our IdP in the IClaimsPrincipal associated with HttpContext.Current.User and sets the ActionResult to 401 if not; the WSFederationAuthenticationModule kicks in and redirects them to the IdP's login page. When they enter their details, they're then successfully redirected back with some FedAuth cookies and the authorization passes.</p>

<p>The problem starts when they get to the IdP's login page. This particular IdP has a link to return you directly to our site (to the same page the original request was made to), with this SAML response embedded somewhere (this is according to their documentation):</p>

<p><code>urn:oasis:names:tc:SAML:2.0:status:AuthnFailed</code></p>

<p>At this point, they are now "Unauthorized" and all the user will see (at least in dev) is a 401 page. You have to kill the session or otherwise get rid of that cookie to start again.</p>

<p>What I need to do is intercept that redirect request from the IdP and essentially check for that particular SAML status, because the user should then be redirected to one of the unauthorized areas as if nothing has happened. I've tried something like this in the global.asax:</p>

<pre><code>// WIF 3.5 (Microsoft.IdentityModel) namespaces for the types used below
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

protected void Application_Start()
{
    // mvc stuff here....

    // add handler to intercept creation of security tokens by WSFederationAuthenticationModule
    FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
}

void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    FederatedAuthentication
        .WSFederationAuthenticationModule
        .SessionSecurityTokenCreated += WSFederationAuthenticationModule_SecurityTokenCreated;
}

public void WSFederationAuthenticationModule_SecurityTokenCreated(object sender, SessionSecurityTokenCreatedEventArgs args)
{
    var token = args.SessionToken;
    // do something with the session token here e.g. check for SAML status
}
</code></pre>

<p>.. but I can't see anything useful on that token; nothing to indicate a specific response status. The fact that there is a FedAuth cookie <em>at all</em> but no custom info from the IdP is a dead giveaway that the user has been there but somehow failed to authenticate, but in principle I want to be able to see that status. I might have to deal with timeouts at the IdP as well....</p>

<p>Maybe I'm doing this all wrong, or just plain old don't understand, but can someone fill me in on how to determine those response statuses?</p>

<p>Phew. Thank you! :D</p>
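Added example (not code from the question, from WIF or from ADFS): a request-level check that looks for a SAML 2.0 <code>samlp:Status</code> in the POST coming back from the identity provider before the WS-Federation module turns it into a FedAuth session. The class and method names, the form fields inspected, the <code>~/Home/Unauthorized</code> target and the sample response are all assumptions for illustration; which field (if any) the status actually arrives in depends on how the IdP and ADFS hand the browser back, and the inspector reports no codes at all when no <code>samlp:Status</code> element is present.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Web;
using System.Xml;

// Added illustration, not from the question: inspect the federation POST for a SAML 2.0
// <samlp:Status> before WSFederationAuthenticationModule consumes it. SamlStatusInspector,
// the form-field handling and "~/Home/Unauthorized" are assumptions, not WIF/ADFS APIs.
public static class SamlStatusInspector
{
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    public const string AuthnFailed = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";

    // Constructed sample (not a real IdP capture): top-level Responder with nested AuthnFailed,
    // which is how SAML 2.0 reports a failed login (second-level code under the first).
    public const string SampleAuthnFailedResponse =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_1\" Version=\"2.0\">" +
        "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\">" +
        "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:AuthnFailed\"/>" +
        "</samlp:StatusCode></samlp:Status></samlp:Response>";

    // Returns every StatusCode/@Value found, top-level first, then each nested code.
    // Empty list when the XML has no Status element or does not parse; callers treat
    // "no status" as "nothing to decide here" and leave the request to the module.
    public static IList<string> FindStatusCodes(string xml)
    {
        var codes = new List<string>();
        if (string.IsNullOrEmpty(xml)) return codes;

        // The payload is attacker-influenced: forbid DTDs and external entity resolution (XXE).
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                doc.Load(reader);
            }
        }
        catch (XmlException)
        {
            return codes;
        }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlpNs);

        var top = doc.SelectSingleNode("//samlp:Status/samlp:StatusCode", ns);
        for (var node = top; node != null; node = node.SelectSingleNode("samlp:StatusCode", ns))
        {
            var value = node.Attributes["Value"];
            if (value != null) codes.Add(value.Value);
        }
        return codes;
    }

    public static bool IsAuthnFailed(string xml)
    {
        return FindStatusCodes(xml).Contains(AuthnFailed);
    }

    // The two form fields a passive federation response can arrive in: SAMLResponse
    // (SAML 2.0 HTTP-POST binding, base64) or wresult (WS-Federation, raw XML from ADFS).
    public static string ExtractResponseXml(HttpRequestBase request)
    {
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)) return null;

        var saml = request.Form["SAMLResponse"];
        if (!string.IsNullOrEmpty(saml))
        {
            try { return Encoding.UTF8.GetString(Convert.FromBase64String(saml)); }
            catch (FormatException) { return null; } // malformed base64: let the module reject it
        }
        return request.Form["wresult"]; // null when this POST is not a sign-in response
    }
}

// Global.asax hookup. BeginRequest runs before the AuthenticateRequest stage in which
// WSFederationAuthenticationModule consumes the response, so a failed sign-in never
// becomes a FedAuth cookie and the user lands in an anonymous area instead of a 401.
public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest()
    {
        var xml = SamlStatusInspector.ExtractResponseXml(new HttpRequestWrapper(Request));
        if (xml != null && SamlStatusInspector.IsAuthnFailed(xml))
        {
            Response.Redirect("~/Home/Unauthorized", true); // assumed anonymous landing page
        }
    }
}
```

Two caveats. With ADFS in front of the IdP, what the relying party normally receives is ADFS's <code>wresult</code>, a WS-Trust RequestSecurityTokenResponse that carries no <code>samlp:Status</code>, so this check only bites where the IdP posts a SAML 2.0 Response straight back to the site, as the question describes; for the ADFS-issued case the absence of the expected claims on the principal, which the question already notices, remains the signal. And because the posted XML is untrusted input, the reader is created with DTDs prohibited and no resolver; parsing it with a default <code>XmlDocument.Load</code> would expose the app to external entity attacks.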