MisterIsaak

Reputation: 3922

Windows Identity Foundation Required Claims From AD FS

My question boils down to, can I refresh the user's Claims when I switch between Apps? From what I can tell the answer is most likely "no". I've done the dance to add "claimTypeRequired" but that isn't helpful.

Say I have multiple Applications, App1, App2, App3, App4, App5.

It appears AD FS is not hit again once you're authenticated by any App, and there's no way around that short of signing out, yeah? So with that thinking, I have to get all the Claims for all the Apps regardless of which App I sign into. As a side note, I'm creating these Claims via a SQL stored procedure from AD FS: usp_GetAppClaims @AppID = 1, @UserGuid = 'GUID'

I store a set of claims for each App in a respective URI that contains multiple values, similar to the "Roles" claim. For example:

Am I making this more difficult than it needs to be? I'm slightly worried about Token size if I'm required to have all the Claims. 20 Apps, each with 10-50 Claims... 4kb Cookie max, right? Maybe that's irrelevant for the most part.

Upvotes: 0

Views: 120

Answers (3)

MisterIsaak

Reputation: 3922

The issue ended up being two applications using the same cookie. Found out you have to give the cookie a unique name in the web.config or else you won't get redirected back to AD FS when switching between Apps.

Upvotes: 0

rbrayb

Reputation: 46763

Wrt "Refresh", i.e. the value of Value1 changes between accessing App1 and App2, then no - you have to log out, albeit "under the hood".

In terms of large cookies, once upon a time (WIF 3.5) there was "Session Mode" i.e. Switching to WIF SessionMode in ASP.NET.

Upvotes: 1

paullem

Reputation: 1311

If you do the claims query in the last "Issuance Transform Rules", then each app always gets its own Claim set.

If you have a chain of Issuers, and the claims come from the first in the chain, then I am not aware of any method to differentiate per RP (at the end of the chain). To avoid the huge claim set, some people (if possible) do it in the RP with the WIF ClaimsAuthenticationManager.

Upvotes: 1
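The RP-side approach from this answer, combined with the per-app cookie name from the accepted answer, as an added example that is not code from the question or the answers: a .NET 4.5 (System.IdentityModel) ClaimsAuthenticationManager that adds only this app's claims after AD FS has authenticated the user, so the token from AD FS and the session cookie of other apps stay small. The claim type URI, the in-memory lookup table and the class/config names are assumptions standing in for the usp_GetAppClaims lookup.

```csharp
using System.Collections.Generic;
using System.Security.Claims;

// Runs once per sign-in to this RP, after the AD FS token is validated and
// before the session cookie is written, so the added claims are cached in
// this app's own cookie and never have to be issued by AD FS for every app.
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Placeholder claim type URI for this app (assumed, not from the page).
    private const string AppClaimType = "http://example.org/claims/app1";

    // Constructed stand-in for the usp_GetAppClaims stored procedure:
    // maps a user name to the claim values this app grants them.
    private static readonly Dictionary<string, string[]> AppClaims =
        new Dictionary<string, string[]>
        {
            { "DOMAIN\\alice", new[] { "Reader", "Approver" } },
            { "DOMAIN\\bob",   new[] { "Reader" } },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous request: nothing to add

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;

        // Only values from this RP's own store are added; claims of this type
        // that arrived in the token are ignored, so the issuer cannot grant
        // app-specific rights it does not know about.
        string[] values;
        if (AppClaims.TryGetValue(identity.Name, out values))
        {
            foreach (var value in values)
                if (!identity.HasClaim(AppClaimType, value))
                    identity.AddClaim(new Claim(AppClaimType, value));
        }
        return incomingPrincipal;
    }
}

// Registration in web.config (assumed assembly name), plus the unique cookie
// name per app that the accepted answer found necessary:
//
// <system.identityModel>
//   <identityConfiguration>
//     <claimsAuthenticationManager type="AppClaimsAuthenticationManager, App1" />
//   </identityConfiguration>
// </system.identityModel>
// <system.identityModel.services>
//   <federationConfiguration>
//     <cookieHandler name="App1FedAuth" requireSsl="true" />
//   </federationConfiguration>
// </system.identityModel.services>
```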
