Reputation: 3922
Windows Identity Foundation Required Claims From AD FS
My question boils down to, can I refresh the user's Claims when I switch between Apps? From what I can tell the answer is most likely "no". I've done the dance to add "claimTypeRequired" but that isn't helpful.
Say I have multiple Applications, App1, App2, App3, App4, App5.
It appears AD FS is not hit again once you're authenticated by any App and there's no way around that short of signing out, yeah? So with that thinking, I have to get all the Claims for all the Apps regardless which App I sign into. As a side note, I'm creating these Claims via a SQL stored procedure from AD FS. usp_GetAppClaims @AppID = 1, @UserGuid = 'GUID'
I store a set of claims for each App in a respective URI, that contains multiple values. Similar to the "Roles" claim. For example:
- http://schemas.MyCompany.com/identity/claims/App1
-- Value1
-- Value2 - http://schemas.MyCompany.com/identity/claims/App2
-- Value1
-- Value2
-- Value3 - http://schemas.MyCompany.com/identity/claims/App3
- http://schemas.MyCompany.com/identity/claims/App4
- http://schemas.MyCompany.com/identity/claims/App5
Am I making this more difficult than it needs to be? I'm slightly worried about Token size if I'm required to have all the Claims. 20 Apps, each with 10-50 Claims... 4kb Cookie max right? Maybe that's irrelevant for the most part.
Upvotes: 0
Views: 120
Answers (3)
Reputation: 3922
The issue ended up being two applications using the same cookie. Found out you have to give the cookie a unique name in the web.config or else you won't get redirected back to AD FS when switching between Apps.
Upvotes: 0
Reputation: 46763
Wrt, "Refresh" i.e. the value of Value1 changes between accessing App1 and App2, then no - you have to logout albeit "under the hood".
In terms of large cookies, once upon a time (WIF 3.5) there was "Session Mode" i.e. Switching to WIF SessionMode in ASP.NET.
Upvotes: 1
Reputation: 1311
If you do the claims query in the last "Issuance Transform Rules", then each app always gets its own Claim set.
If you have a chain of Issuers, and the claims come from the first in the chain then I am not aware of any method to differentiate per RP (at the end of the chain). To avoid the huge claim set some people (if possible) do it in the RP with the WIF ClaimsAuthenticationManager.
Upvotes: 1
Related Questions
- Configuration of claims provider for application group or relying party
- Configure ADFS to become a identity provider in Thinktecture IdentityServer 2.0
- IdentityServer and ADFS
- Claims Based Authentication - SharePoint and generally
- ASP.NET Added Claims are Missing
- ADFS - Issuance Authorization Ruleset error
- Usage of Identity Server with ADFS
- Non-claims-enabled ASP.NET applications and ADFS v2.0
- Windows Identity Foundation and multiple user stores
- Windows Identity Foundation in SharePoint 2007