DiederikTiemstra

Reputation: 365

ADFS/SSO : Infinite loop when using iframe in SP2010 to load external application because of IE security settings

We're experiencing the same problems. We have SP2010 with ADFS in place. In an iFrame we're loading an external application which is also configured to use ADFS.

If we place an on the page we can open the external app without logging in so SingleSignOn works.

However if we load the external application in an iframe we experience problems.

If we run Fiddler to see which calls are made we see the "normal" ADFS flow. When ADFS returns with the redirect to the URL of the external app, the FedAuth cookies provided are not included in the POST request to the external app. Since the external app does not receive the cookies we end up in an infinite loop.

The problem is caused by IE treating the authentication cookie as a third party cookie. Its security settings prevent it from adding the cookie to the request. When we change the IE privacy settings to low (accept all cookies) everything works fine.

Does anyone have any idea how we can fix this?

Upvotes: 0

Views: 1660

Answers (1)

Wiktor Zychla

Reputation: 48279

We have resolved this issue once by putting a dummy "starting" page so that SharePoint users first hit this page and are forced to authenticate in ADFS.

Then, only on a subsequent page you have your iframe. Even if the iframe doesn't get cookies from the container page, it doesn't really matter - the context is redirected to the ADFS, ADFS issues the token silently (as the user is ALREADY authenticated in ADFS) and the application hosted in the iframe processes the token.

I am not sure why you expect the ADFS response to your application to carry cookies? It never does so, it only carries the SAML token in the response body.

Upvotes: 1
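Added example, not part of the original question or answer: a small check that confirms the symptom from the question in an exported proxy trace, namely FedAuth cookies set by the application but missing from the next request to it, followed by repeated redirects to the STS. The trace shape, field names and hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307)

def entry(method, url, sent=(), status=200, set_=(), location=None):
    """One request/response pair as it might be exported from a proxy trace (assumed shape)."""
    return {"method": method, "url": url, "sent": list(sent),
            "status": status, "set": list(set_), "location": location}

def analyze(trace, sts_host, prefix="FedAuth"):
    """Report session cookies a host set that the browser later failed to send back."""
    issued = {}          # host -> cookie names that host has set so far
    dropped = []         # (trace index, host, missing cookie names)
    sts_redirects = 0    # how often the browser was sent to the STS
    for i, e in enumerate(trace):
        host = urlsplit(e["url"]).hostname
        missing = issued.get(host, set()) - set(e["sent"])
        if missing:
            dropped.append((i, host, sorted(missing)))
        issued.setdefault(host, set()).update(
            name for name in e["set"] if name.startswith(prefix))
        loc = e["location"]
        if e["status"] in REDIRECTS and loc and urlsplit(loc).hostname == sts_host:
            sts_redirects += 1
    return {"dropped": dropped, "sts_redirects": sts_redirects,
            "loop": bool(dropped) and sts_redirects > 1}

# Constructed sample data: hostnames are placeholders, not values from the post.
APP, STS = "https://app.example/", "https://sts.example/adfs/ls/"

def sign_in_round(cookies_sent):
    """App redirects to the STS, the token is POSTed to the app, the app sets its cookies."""
    return [entry("GET", APP, sent=cookies_sent, status=302, location=STS),
            entry("GET", STS),
            entry("POST", APP, sent=cookies_sent, status=302,
                  set_=["FedAuth", "FedAuth1"], location=APP)]

# Framed case: the cookies are never returned, so every round repeats.
LOOPING = sign_in_round([]) + sign_in_round([])
# Top-level case: the cookies come back and the app serves the page.
HEALTHY = sign_in_round([]) + [entry("GET", APP, sent=["FedAuth", "FedAuth1"])]

if __name__ == "__main__":
    for name, trace in (("looping", LOOPING), ("healthy", HEALTHY)):
        print(name, analyze(trace, "sts.example"))
```

A non-empty `dropped` list together with more than one STS redirect points at the browser's cookie policy rather than at the ADFS or relying-party configuration.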
