Tuesday, September 23, 2014

ADFS : The joys of hidden context

Playing around with ADFS 3.0 on Server 2012 R2 and found yet another difference with ADFS 2.x.

Imagine you have a number of .NET applications authenticating via ADFS acting as an RP-STS, which in turn federates to another IP-STS.

Now on the IP-STS you want to know which RP the authentication request is coming from.

All the ADFS requests come through one channel, so headers like "Referer:" are useless.

In your RP web.config you can add a parameter like wreply or wtrealm as per WS-Federation.

You'll see these in the URL going to ADFS in the &wctx section. But there's nothing going to the IP-STS. ADFS "removes" them. Instead there is a &wctx which is a GUID.

And there is a cookie on the way which looks like:

MSISContextc1da81dd-46b6-4cee-b051-9c0e7a298527=xxxyyy==

where xxxyyy is Base64 encoded.

In ADFS 2.0, there was an entry in the web.config which told ADFS not to encode this information in a cookie but to send it as part of the query string - which makes for a lll-oon-nnn-ggg query string!

This entry was:

<context hidden="true" />
But in ADFS 3.0 there is no actual web.config. You have to look in:

C:\Windows\ADFS

and there's a file called:

Microsoft.IdentityServer.Servicehost.exe.config

but it has no such entry.

The trick is to use PowerShell:

 Set-AdfsWebConfig -ContextCookieEnabled $False
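Two helpers added here as an example (not code from the original post): one parses a WS-Federation sign-in URL so you can see whether wctx is just the GUID or the full context, and one makes the switch above idempotent and verifies it. It assumes the AD FS PowerShell module on the Server 2012 R2 box; the function names and the sample URL (hosts under example.com) are constructed.

```powershell
# Added example, not from the original post. Requires the ADFS module on the
# AD FS server; the sample sign-in URL further down is constructed.
Add-Type -AssemblyName System.Web

function Get-WsFedRequestParameters {
    # Pull the WS-Federation parameters (wa, wtrealm, wreply, wctx) out of a
    # sign-in URL so you can see what the IP-STS actually receives.
    param([Parameter(Mandatory)][string]$Url)
    $query  = [System.Web.HttpUtility]::ParseQueryString(([uri]$Url).Query)
    $result = [ordered]@{}
    foreach ($name in 'wa', 'wtrealm', 'wreply', 'wctx') {
        if ($query[$name]) { $result[$name] = $query[$name] }
    }
    # With the context cookie enabled, wctx is only a GUID and the real context
    # sits in the MSISContext<guid> cookie; with it disabled, wctx carries the
    # context itself, which is why the query string becomes so long.
    $result['wctxIsGuidOnly'] = [bool]($result['wctx'] -match '^[0-9a-f-]{36}$')
    [pscustomobject]$result
}

function Disable-AdfsContextCookie {
    # Hypothetical wrapper: switch AD FS from the MSISContext cookie to a
    # query-string wctx only if needed, then verify the change took effect.
    $before = (Get-AdfsWebConfig).ContextCookieEnabled
    if (-not $before) {
        Write-Verbose 'ContextCookieEnabled is already False; nothing to do.'
        return $true
    }
    Set-AdfsWebConfig -ContextCookieEnabled $false
    $after = (Get-AdfsWebConfig).ContextCookieEnabled
    if ($after) { throw 'ContextCookieEnabled is still True after Set-AdfsWebConfig' }
    return $true
}

# Constructed sample: an RP-STS initiated sign-in to the IP-STS while the
# context cookie is still enabled (wctx is just the GUID from the post).
$sample = 'https://ipsts.example.com/adfs/ls/?wa=wsignin1.0' +
          '&wtrealm=https%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust' +
          '&wctx=c1da81dd-46b6-4cee-b051-9c0e7a298527'
Get-WsFedRequestParameters -Url $sample | Format-List
```

Run Get-WsFedRequestParameters against a URL captured after the change (browser dev tools or Fiddler) and wctxIsGuidOnly should flip to False, confirming the context now travels in the query string rather than the cookie.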

Enjoy!

8 comments:

Unknown said...

Did this really work?
I have tried to set ContextCookieEnabled to False but ADFS 3.0 still does not pass on the RP realm to the IP-STS in the URL.

Anonymous said...

Did this really work?
I have tried to set ContextCookieEnabled to False but ADFS 3.0 still does not pass on the RP realm to the IP-STS.

nzpcmad said...

Yup - worked for me.

tanzeel said...

This does work, but is it good practice?

tanzeel said...

This does work, but is it good practice?

nzpcmad said...

I don't see any issues here. Nothing secret is exposed.

Matt said...

I know this is a super old post but what is the MSISContext cookie and how do I clear it? I'm using IdentityServer as a claims provider per your tutorial, but if the user gets an error in IdentityServer, the next time he initiates the logon process the MSISContext cookie gets too big. The large cookie contents cause the error "Bad Request - Header Field Too Long" on the adfs/ls URL.

nzpcmad said...

You can clear it from the privacy option in the browser.

I don't think you can clear it automatically.

From memory, it supplies some context about the call to an external IDP.