Reputation: 186
ADFS - ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true
We have a website hosted and configured to use ADFS 2.0 for SSO. When I browse the web site via https, I am getting the below error.
I think the reason is that the load balancer is hitting the web server with http. If I change the below entry in the web.config it may fix, but not sure about the side effects. Any experience on this?
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true"
issuer="https://localhost/abc"
realm="https://localhost/abc/" requireHttps="true"/>
<cookieHandler requireSsl="true"/>
</federatedAuthentication>
Exception Details: System.InvalidOperationException: ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true in the configuration, therefore the authentication cookie will not be sent. Change the URL scheme to https or set requireSsl to false on the cookieHandler element in configuration.
System.IdentityModel.Services.WSFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs args) +726
Upvotes: 7
Views: 13351
Answers (3)
Reputation: 979
We run into the same issue. I think the flag requireSsl in cookieHandler is missused by the WSFederationAuthenticationModule.OnEndRequest. RequireSsl sets in abstract class System.IdentityModel.Services.CookieHandler and System.IdentityModel.Services.ChunkedCookieHandler the secure flag on cookies. If this flag is set to true a client (browser p.a.) is responsible to send the cookie only over a secure connections (https). But in WSFederationAuthenticationModule.OnEndRequest the flag is used to cancel the process if Request.Url is not a https request. This is in SSL offloading scenarios the wrong behavior. One solution is to implement a custom WsFederationAuthenticationModule and override OnEndRequest:
protected override void OnEndRequest(object sender, EventArgs args)
{
var reqSsl = FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl;
//System.IdentityModel.Services.ChunkedCookieHandler
if (reqSsl)
{
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = false;
try
{
base.OnEndRequest(sender, args);
}
finally
{
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = reqSsl;
}
}
else
base.OnEndRequest(sender, args);
}
Upvotes: 2
Reputation: 100567
I solved this error in development by changing the web project's setting for SSL Enabled to true. It was somehow set to false and had no SSL URL property value set either.
Upvotes: 2
Reputation: 46720
This is a typical error when you install a load balancer that terminates SSL.
We have a number of sites like this - never found any side-effects.
Just ensure that ADFS traffic goes out and then in because ADFS doesn't allow http endpoints when configuring. It always uses https endpoints when redirecting back to the RP.
Word of warning - ADFS traffic cannot be terminated at the load balancer - it needs https all the way to the ADFS server.
Upvotes: 2
Related Questions
- ADFS login gives error Microsoft.IdentityServer.Web.UnsupportedSamlRequestException
- ADFS SSO SAML Windows Integrated authentication does not work
- System.Net.Http.WinHttpException: A security error occurred
- Website continuously redirects to ADFS
- ADFS in asp.net c#
- How to implement single sign on MVC 2 using ADFS?
- Load balancing with ASP.NET and ADFS
- ADFS 2.0 Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042
- ADFS Authentication in ASP.NET 5 MVC 6
- Authentication with ADFS 2.0