Tuesday, September 23, 2014

ADFS : The joys of hidden context

Playing around with ADFS 3.0 on Server 2012 R2, I found yet another difference from ADFS 2.x.

Imagine you have a number of .NET applications that authenticate via ADFS acting as an RP-STS, which in turn federates with another IP-STS.

Now, on the IP-STS, you want to know which RP the authentication request originally came from.

All the requests reach the IP-STS through the same ADFS channel, so headers like "Referer:" are useless: they identify the ADFS RP-STS, not the application behind it.

In your RP's web.config you can add a WS-Federation parameter such as wreply or wtrealm.

You'll see these in the URL going to ADFS, inside the &wctx parameter. But none of that reaches the IP-STS: ADFS "removes" them. Instead, the request to the IP-STS carries a &wctx that is just a GUID.

And there is a cookie on the way which looks like:

MSISContextc1da81dd-46b6-4cee-b051-9c0e7a298527=xxxyyy==

where xxxyyy is Base64 encoded.

In ADFS 2.0, there was an entry in the web.config that told ADFS not to hide this information in a cookie but to send it as part of the query string - which makes for a lll-oon-nnn-ggg query string!

This entry was:

<context hidden="true" />

hidden="true" keeps the context in the cookie; hidden="false" sends it along in the query string.
But in ADFS 3.0 there is no actual web.config. You have to look in:

C:\Windows\ADFS

and there's a file called:

Microsoft.IdentityServer.Servicehost.exe.config

but it has no such entry.

The trick is to use PowerShell:

 Set-AdfsWebConfig -ContextCookieEnabled $False
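As an added example (not part of the original post), here is the change wrapped in a small script that records the current farm setting, applies it, and checks that it took. It assumes you are on an ADFS 3.0 (Server 2012 R2) federation server with the ADFS PowerShell module available and that you run it as a farm administrator; Get-AdfsWebConfig, Set-AdfsWebConfig and the ContextCookieEnabled property are the real cmdlets and parameter, while the variable names and the verification logic are illustrative.

```powershell
# Added example, not from the original post. Assumes an ADFS 3.0 server
# with the ADFS module; the cmdlets and -ContextCookieEnabled are real,
# the surrounding logic is illustrative.
Import-Module ADFS

# 1. Record the current farm-wide setting so the change can be reverted.
$before = Get-AdfsWebConfig
"ContextCookieEnabled before: $($before.ContextCookieEnabled)"

# 2. Turn the context cookie off, so the context travels in the wctx
#    query-string parameter instead of an MSISContext<guid> cookie.
Set-AdfsWebConfig -ContextCookieEnabled $false

# 3. Verify the setting actually changed. In a WID farm, configuration
#    changes only succeed on the primary federation server.
$after = Get-AdfsWebConfig
if ($after.ContextCookieEnabled) {
    throw "ContextCookieEnabled is still true; run this on the primary federation server."
}
"ContextCookieEnabled after: $($after.ContextCookieEnabled)"

# To revert:
# Set-AdfsWebConfig -ContextCookieEnabled $true
```

After the change, confirm the behaviour end to end by capturing the redirect from ADFS to the IP-STS (Fiddler or the browser's network tab) and checking that wctx now carries the full context rather than a bare GUID. Because the query string gets long, also check that any reverse proxy in front of the IP-STS accepts URLs of that length.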

Enjoy!

3 comments:

Petter Sjödahl said...

Did this really work?
I have tried to set ContextCookieEnabled to False, but ADFS 3.0 still does not pass the RP realm on to the IP-STS in the URL.

Anonymous said...

Did this really work?
I have tried to set ContextCookieEnabled to False, but ADFS 3.0 still does not pass the RP realm on to the IP-STS.

nzpcmad said...

Yup - worked for me.