Friday, December 08, 2017

ADFS : InvalidContextException: MSIS7001

The full error message is:

Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.

I've often wondered what this actually means.

Then I had an issue which I could reproduce, and with the help of @Pierre I sorted it out.

My path was:

Application --> ADFS --> SAML --> Another IDP --> Another IDP

The request was:

?SAMLRequest=fZ...gE%3d&RelayState=620d9067-4bc1-439b-ad21-0d419d3cbd19

This results in:

Set-Cookie: MSISContext620d9067-4bc1-439b-ad21-0d419d3cbd19=UlB...cw==; path=/adfs; HttpOnly; Secure

Notice that the RelayState ADFS generated is appended to the name of the context cookie: MSISContext<RelayState>. That cookie is how ADFS remembers the original request while the browser is off at the other IDP.

Somewhere upstream, in one of the other IDPs, the RelayState was changed before the response came back.

When the SAML response arrives at ADFS, ADFS takes the RelayState from the response, looks for a cookie named MSISContext<that RelayState>, and finds nothing, because the cookie it set on the way out carries the original value.

Hence the error. The fix belongs upstream: the SAML 2.0 bindings require an IDP to return RelayState unmodified, so whichever hop rewrote it needs to pass it through untouched. The other cookie attributes matter too: with path=/adfs, Secure and no Domain attribute, the browser only presents the cookie if the response comes back over HTTPS to the /adfs path on the same ADFS host, so a response posted anywhere else fails with the same MSIS7001.
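To make the lookup above concrete, here is an added Python script (not ADFS code, and not from the original post) that models what ADFS does with the context cookie and runs it over a captured trace. The outbound request and Set-Cookie header are the ones quoted above; the response URLs, the SAMLResponse body and the second, altered RelayState GUID are constructed for the example, and the hostnames are assumptions.

```python
"""Model of the ADFS context-cookie lookup that produces MSIS7001.

This is an added illustration of the behaviour described in the post, not
ADFS code: ADFS names the context cookie MSISContext<RelayState> when it
sends the SAML request out, and looks that name up again using the
RelayState it gets back in the SAML response.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

CONTEXT_COOKIE_PREFIX = "MSISContext"

# --- Constructed trace data (the first two lines are taken from the post) ---
OUTBOUND_URL = ("https://other-idp.example/saml/sso"
                "?SAMLRequest=fZ...gE%3d&RelayState=620d9067-4bc1-439b-ad21-0d419d3cbd19")
SET_COOKIE = ["MSISContext620d9067-4bc1-439b-ad21-0d419d3cbd19=UlB...cw==; "
              "path=/adfs; HttpOnly; Secure"]
ADFS_ACS_URL = "https://adfs.contoso.example/adfs/ls/"          # assumed host
GOOD_BODY = "SAMLResponse=PHNhbWxw...&RelayState=620d9067-4bc1-439b-ad21-0d419d3cbd19"
# An upstream IDP rewrote the RelayState (constructed GUID):
CHANGED_BODY = "SAMLResponse=PHNhbWxw...&RelayState=7c1f3b52-9d0e-4f9e-9a3d-2b5c8e1d4f60"


def relay_state_from_query(query: str) -> Optional[str]:
    """RelayState from a redirect-binding query string or a POST form body."""
    values = parse_qs(query).get("RelayState")
    return values[0] if values else None


def context_cookie_name(relay_state: str) -> str:
    """ADFS appends the RelayState it issued to the cookie name."""
    return CONTEXT_COOKIE_PREFIX + relay_state


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value, and the attributes we check."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")   # value may itself contain '='
    cookie = {"name": name, "value": value, "path": "/",
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "path":
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def cookie_presented(cookie: dict, response_url: str) -> bool:
    """Would a browser attach this cookie to a request for response_url?
    Only the Secure and Path attributes from the post are modelled."""
    u = urlsplit(response_url)
    if cookie["secure"] and u.scheme != "https":
        return False
    cpath = cookie["path"]
    if u.path == cpath:
        return True
    # RFC 6265 path-match: prefix match on a '/' boundary
    return u.path.startswith(cpath) and (cpath.endswith("/") or u.path[len(cpath)] == "/")


def diagnose(outbound_url: str, set_cookie_headers: list,
             response_url: str, response_body: str) -> str:
    """Replay the lookup ADFS performs on the way back.

    Returns "ok" when the context cookie would be found, otherwise a short
    reason for the MSIS7001 the reader would see.
    """
    issued = relay_state_from_query(urlsplit(outbound_url).query)
    returned = relay_state_from_query(response_body)
    jar = {c["name"]: c for c in map(parse_set_cookie, set_cookie_headers)}
    if returned is None:
        return "no-relaystate"
    wanted = context_cookie_name(returned)
    if wanted not in jar:
        return "relaystate-changed" if issued != returned else "no-context-cookie"
    if not cookie_presented(jar[wanted], response_url):
        return "cookie-not-presented"
    return "ok"


if __name__ == "__main__":
    print("unchanged RelayState :", diagnose(OUTBOUND_URL, SET_COOKIE, ADFS_ACS_URL, GOOD_BODY))
    print("rewritten RelayState :", diagnose(OUTBOUND_URL, SET_COOKIE, ADFS_ACS_URL, CHANGED_BODY))
    print("response over http   :", diagnose(OUTBOUND_URL, SET_COOKIE,
                                             "http://adfs.contoso.example/adfs/ls/", GOOD_BODY))
```

Feed it the request line, the Set-Cookie headers and the response form body from a Fiddler or browser capture and the returned reason tells you whether the RelayState was rewritten or whether the cookie simply was not sent back.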

Enjoy!