
I Was Wrong About Being Wrong

So, I am still trying to tackle the problem of how to make DNN integrate with ADFS without having to write a whole new authentication system. I was able to get the ADFS redirection and authentication to work, but the ADFS authentication cookies were not being sent with the AJAX requests to the ScriptReference.AXD and WebReference.AXD. Because those requests did not carry the ADFS cookies, they were being redirected to the authentication page.

The last solution of redirecting to a virtual directory worked, but I had a nagging feeling that this was not necessary. As it turns out, I was right. The original solution will work if you set your ADFS cookie path to “/”. The test I was running was in a virtual directory, so I set the cookie path to “/VirtualDirectory”, thinking this was needed for the ADFS piece to work.

I modified my HTTP module to be configurable to run either scenario (redirected or not). I changed the ADFS cookie path and tested it and everything worked correctly.
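
The cookie-path behaviour behind this fix, as an added example (not code from the original post): the browser's path-match rule from RFC 6265 section 5.1.4, run against constructed request paths to show which requests arrive without the ADFS cookie under each Path setting. The sample paths and function names are assumptions; the handler name is spelled as in the post.

```javascript
// RFC 6265 section 5.1.4 path-match: would a cookie scoped to `cookiePath`
// be attached to a request for `requestPath`?
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  // Comparison is byte-for-byte, so it is case-sensitive even though
  // IIS resolves URL paths case-insensitively.
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a path-segment boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed sample request paths (assumptions, not taken from the post).
const SAMPLE_REQUESTS = [
  "/VirtualDirectory/Default.aspx",
  "/VirtualDirectory/ScriptReference.AXD",
  "/virtualdirectory/ScriptReference.AXD", // same IIS app, different casing
  "/VirtualDirectoryOther/page.aspx",      // shares a prefix, not a segment
  "/ScriptReference.AXD",                  // handler requested from the site root
  "/OtherApp/Default.aspx",
];

// Requests that would reach the server WITHOUT the cookie and therefore
// be bounced to the authentication page.
function requestsWithoutCookie(cookiePath, requests = SAMPLE_REQUESTS) {
  return requests.filter((p) => !pathMatches(cookiePath, p));
}

// Requests that WOULD carry the cookie: the cookie's exposure on this host.
function requestsWithCookie(cookiePath, requests = SAMPLE_REQUESTS) {
  return requests.filter((p) => pathMatches(cookiePath, p));
}

for (const cookiePath of ["/VirtualDirectory", "/"]) {
  console.log(`Path=${cookiePath}`);
  console.log("  no cookie:", requestsWithoutCookie(cookiePath));
  console.log("  cookie   :", requestsWithCookie(cookiePath));
}
```

With Path set to "/" every request on the host carries the cookie, including requests to unrelated applications such as the constructed `/OtherApp` path, so the authentication cookie is exposed to everything served from that host name.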

Categories: ADFS, DNN, SiteMinder
  1. Jay
    September 14, 2010 at 5:55 pm

    I didn’t understand this last part. What from your first part needs to change?

    • rbinnington
      September 14, 2010 at 8:52 pm

      I re-read the original post and I messed up a bit. The websso section of the web.config needs to have a cookies section defined that points the path to the root (/) so that the cookies will be returned with every call. The original post did not set the cookies and so SAML cookies were not being sent with subsequent calls. Here is an example of what it should look like.

      <system.web>
      …
          <websso>
              <authenticationrequired />
              <auditlevel>55</auditlevel>
              <urls>
                  <returnurl>https://your_application/</returnurl>
              </urls>
              <cookies writecookies="true">
                  <path>/</path>
                  <lifetime>240</lifetime>
              </cookies>
              <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
          </websso>
      …
      </system.web>
      
  2. Bob Everland
    June 20, 2011 at 5:29 pm

    Did you ever get this to work? I’m trying to get this to work with ADFS 2 and I can’t get the user to login and stay logged in to DNN. I have an event that is thrown that says I logged in, but everything else in DNN thinks I haven’t.

    • rbinnington
      June 20, 2011 at 6:13 pm

      For the most part, yes, I have gotten it to work. We have more the opposite problem. Once they are logged in they stay logged in. Somehow the ADFS proxy keeps their creds cached and keeps using them for up to 20 mins. This may be doing the opposite for you. The ADFS server may have configuration that keeps the certificate lifecycle time low. We are still looking into this.

      Are you getting redirected at all? One thing I did to troubleshoot is to put in a db call to insert into a table to log everything that happens and step through the HTTPModule. This way I make sure everything is flowing through correctly.

      HTH,

      Richard

  3. Bob Everland
    June 21, 2011 at 8:34 pm

    The problem I am having is that I can’t have more than one type of authentication with ADFS 2. I am logged in through ADFS, but I can’t get the DNN credentials to work. Would you be able to link your full web.config so I can see if there is something I have done incorrectly?

  4. Bob Everland
    July 11, 2011 at 4:01 pm

    In doing some more research on this issue I can’t set a forms authentication ticket while I’m using ADFS for authentication. Once I removed ADFS and went back to forms the cookie I set was still there and I was still logged into the application. How did you get past this issue? Maybe it’s a difference with ADFS 1 to ADFS 2. I can make a subapplication that will then set a cookie then redirect, but that’s not the most elegant solution. Any thoughts?

  5. Bob Everland
    July 12, 2011 at 12:39 pm

    I figured out what the issue was. With ADFS 2 it comments out a bunch of lines in the web.config and adds a bunch of its own. It commented out forms authentication and added in authentication of none. So no matter what I was doing it wasn’t going to work because I told it that I was no longer using forms authentication. Once I commented out the none and put back in the forms everything works perfectly. Thank you for these articles.
