James G

Reputation: 2914

Sitecore SSO via SAML2 - AuthenticateRequest not firing

This is my first question here, so please let me know if I have missed something or need to provide more information!

Key details:

I'm attempting to link Sitecore to the VS2012 LocalSTS instance provided by the Visual Studio Identity and Access Tool, following a blog post by Kevin Buckley (link) which was written before WIF was integrated into C# 4.5. I am attempting to perform passive RP behaviour.

I have updated the Microsoft.IdentityModel namespaces to System.IdentityModel and System.IdentityModel.Services namespaces as appropriate.

My <system.identityModel> section is as below:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://localhost/" />
    </audienceUris>
    <certificateValidation certificateValidationMode="None" />
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="LocalSTS">
        <keys>
          <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" />
        </keys>
        <validIssuers>
          <add name="LocalSTS" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>

My <system.identityModel.services> is as below:

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true"
                  issuer="http://localhost:14691/wsFederationSTS/Issue"
                  realm="http://localhost/"
                  reply="http://localhost/sitecore modules/fedauthenticator/sso"
                  requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

I have added the relevant modules (WSFederationAuthenticationModule, SessionAuthenticationModule) under <system.webServer><modules> :

<add type="Sitecore.Web.RewriteModule, Sitecore.Kernel"
     name="SitecoreRewriteModule" />
<add type="Sitecore.Nexus.Web.HttpModule,Sitecore.Nexus"
     name="SitecoreHttpModule" />
<add name="WSFederationAuthenticationModule"
     type="System.IdentityModel.Services.WSFederationAuthenticationModule,
           System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral,
           PublicKeyToken=b77a5c561934e089"
     preCondition="managedHandler" />
<add name="SessionAuthenticationModule"
     type="FedAuthenticator.Authentication.WSSessionAuthenticationModule,
           FedAuthenticator"
     preCondition="managedHandler" />

The behaviour I am seeing is as follows:

This is where the issue occurs. My understanding is that the FAM hooks the AuthenticateRequest event and then proceeds to detect the security token (via the presence and values of the wa and wresult form fields) and decodes the SSO token.

My issue is that this never occurs - I have enabled tracing and overridden the WSFederationAuthenticationModule to check, and although it correctly detects the event the first time and calls the CreateSignInRequest and RedirectToIdentityProvider steps, the subsequent POST to the site (containing the token) does not fire AuthenticateRequest and hence the FAM does not detect, create a cookie, or assign the correct IPrincipal to the request.

This leads to an endless loop where the request receives 401, is 302 redirected to the LocalSTS SSO page, which submits, POSTs to the Sitecore SSO page, which delivers a 401, etc etc.

Can anyone provide some insight into something I am missing, or anything else that might be hindering the FAM from detecting the POST request with token information in it?

Upvotes: 4

Views: 2259

Answers (1)

James G

Reputation: 2914

Embarrassingly, to answer my own question - the reason this was occurring was that the response parameter was directing the SSO form POST to a URL that Sitecore responded to with a redirection to the NotFound page (i.e. the POST target was resolved by Sitecore to not exist).

As the NotFound page did not have any security, AuthenticateRequest was not firing.

I have yet to work out why the NotFound page was causing a redirect back to the SSO page - but at least now, once I corrected the incorrect value in the response configuration field, the token is being detected by the FAM and correctly processed for later modules (SAM, etc).

Edit - found the cause of the redirect loop

The redirect loop was caused by an erroneous setting in the web.config, which looked like below:

<authorization>
  <deny users="?"/>
</authorization>

This meant that the token was posted to the NotFound page, which Sitecore apparently intercepts the request for, so the FAM wasn't firing and therefore the user was not authenticated. This resulted in a 401 response code (due to the deny statement) that kicks off the SSO redirect - creating a loop.

Upvotes: 1
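To pin down where a sign-in POST actually lands, here is an added diagnostic HttpModule (my example, not code from the question, Sitecore or WIF): for any request carrying wa=wsignin1.0 and wresult it records which path received it, the FAM's configured reply, whether AuthenticateRequest ran, and the final status and redirect target. It assumes a WIF 4.5 (System.IdentityModel.Services) application with System.Diagnostics tracing enabled; the namespace and class name are placeholders.

```csharp
// Added diagnostic module (not from the question, Sitecore or WIF). For any request that
// carries a WS-Federation sign-in response (POST with wa=wsignin1.0 and wresult) it logs the
// path hit, the FAM's configured reply, whether AuthenticateRequest ran, and how it ended.
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.Web;

namespace FedAuthenticator.Diagnostics   // hypothetical namespace
{
    // Register under <system.webServer><modules> ahead of WSFederationAuthenticationModule.
    public class WsFedSignInTraceModule : IHttpModule
    {
        private const string Key = "WsFedSignInTrace";
        public void Init(HttpApplication app)
        {
            app.BeginRequest += (s, e) =>
            {
                if (IsSignInResponse(app.Request))
                    app.Context.Items[Key] = "AuthenticateRequest did NOT fire";
            };
            app.AuthenticateRequest += (s, e) =>
            {
                if (app.Context.Items[Key] != null)
                    app.Context.Items[Key] = "AuthenticateRequest fired";
            };
            app.EndRequest += (s, e) => Report(app);
        }
        // Same signal the FAM looks for: a form POST carrying wa=wsignin1.0 and a wresult token.
        private static bool IsSignInResponse(HttpRequest req)
        {
            return req.HttpMethod == "POST"
                && req.Form["wa"] == "wsignin1.0"
                && !string.IsNullOrEmpty(req.Form["wresult"]);
        }
        private static void Report(HttpApplication app)
        {
            var seen = app.Context.Items[Key] as string;
            if (seen == null) return;   // not a sign-in response; nothing to report
            var fam = FederatedAuthentication.WSFederationAuthenticationModule;
            var redirect = app.Response.RedirectLocation;   // set when something called Redirect
            Trace.WriteLine(string.Format("[WsFed] token POST to {0} (configured reply: {1}); {2}; HTTP {3}{4}",
                app.Request.Url.AbsolutePath, fam != null ? fam.Reply : "<FAM not loaded>",
                seen, app.Response.StatusCode, redirect != null ? " -> " + redirect : ""));
        }
        public void Dispose() { }
    }
}
```

A log line showing the token POST ending in a 302 with AuthenticateRequest not fired is the signature of the misconfiguration described in this answer: the reply URL is not a path the site serves, so the FAM never sees the token.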
