Reputation: 305
I’m developing an MVC5 application that’s been configured to use ADFS as Identity Provider with the web app acting as a Relying Party. The app is behaving differently on IE9 and Chrome as far as authentication is concerned.
When I run the app on IE9 for the first time and go to a page that requires the user to be authenticated, IE asks me to authenticate as expected. But when I launch a new IE9 window and navigate to the same page, IE asks me to authenticate again which is not expected as it should know I am already logged in. However this does not happen on Chrome, i.e. the second instance of Chrome knows I am already logged in.
Similarly, on IE9 when I log out of the application on one instance the other instance thinks I am still logged in, whereas when I run two instances of Chrome and I log out on one, the other knows I’m logged out.
How can I get IE9 to behave the same as Chrome? Is this some configuration issue on ADFS or do I need more server side code in the application to ensure IE9 behaves properly?
Many thanks in advance
Upvotes: 1
Views: 1741
Reputation: 823
It's not AD FS. It's the IE browser config that needs investigating. I suggest taking Fiddler traces when you repro this using two IE windows.
I assume you are referring to AD FS 2.x or on 2012 R2. When AD FS authenticates the user, it writes MSISAuth cookies if the credentials are valid. WIF apps consume tokens from AD FS and write FedAuth cookies.
When the 2nd browser window accesses the app, if it doesn't receive a FedAuth cookie, it will kick off the flow to request auth by redirecting to AD FS. If AD FS doesn't receive the MSISAuth cookies, it will cause the client to auth again.
Sounds like the 2nd browser window is not using the same cookie store and is thus unaware of the FedAuth and MSISAuth cookies.
I suspect this is what's happening here. I assume you are testing from a PC running IE and Chrome. You don't mention much about browser OS/config so I don't know whether these are terminal server published apps from a farm (with multiple browser instances across terminal servers in farm) or simple browser installs on a PC.
There are other reasons why another prompt for creds happens. You can configure AD FS to force fresh auth again by disabling SSO or configuring the RP related auth policy to insist fresh auth. But given the Chrome behaviour I don't think that's it.
We need to review Fiddler traces and browser config to answer more specifically.
If you need to get to the bottom of this urgently and quicker than forum responses are received, please raise a case with Microsoft.
Upvotes: 1
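Taking the answer's cookie reasoning one step further, here is an added example (not code from the thread) that triages a Fiddler-style trace: which windows present FedAuth to the relying party, which reach AD FS carrying MSISAuth, and which are forced to re-enter credentials. Host names, window labels and cookie values are constructed placeholders; the win4 row (MSISAuth without FedAuth) goes beyond the thread to show the silent token reissue path.

```python
# Added example, not code from the thread: triage a Fiddler-style trace of several
# browser windows for the FedAuth (RP) and MSISAuth (AD FS) cookies the answer describes.

APP_HOST = "app.contoso.example"    # assumed relying-party (WIF app) host
ADFS_HOST = "adfs.contoso.example"  # assumed AD FS host

# Constructed trace rows: (window, method, host, path, Cookie request header)
SAMPLE_TRACE = [
    ("win1", "GET", APP_HOST,  "/Secure", ""),                          # first visit
    ("win1", "GET", ADFS_HOST, "/adfs/ls/?wa=wsignin1.0", ""),          # no MSISAuth -> prompt
    ("win1", "GET", APP_HOST,  "/Secure", "FedAuth=ccc; FedAuth1=ddd"),  # RP set FedAuth
    ("win2", "GET", APP_HOST,  "/Secure", "FedAuth=ccc; FedAuth1=ddd"),  # shares win1's jar
    ("win3", "GET", APP_HOST,  "/Secure", ""),                          # separate jar
    ("win3", "GET", ADFS_HOST, "/adfs/ls/?wa=wsignin1.0", ""),
    ("win4", "GET", APP_HOST,  "/Secure", ""),                          # FedAuth missing,
    ("win4", "GET", ADFS_HOST, "/adfs/ls/?wa=wsignin1.0", "MSISAuth=aaa; MSISAuth1=bbb"),  # AD FS SSO holds
]

def cookie_names(header):
    """Base cookie names in a Cookie header; FedAuth1/MSISAuth1 are chunks of the same cookie."""
    names = set()
    for part in header.split(";"):
        name = part.strip().split("=", 1)[0]
        if name:
            names.add(name.rstrip("0123456789"))
    return names

def analyse(trace, app_host=APP_HOST, adfs_host=ADFS_HOST):
    """Per window: was FedAuth shown to the RP before any AD FS redirect, and
    did the window's first request to AD FS carry MSISAuth."""
    seen = {}
    for window, _method, host, _path, cookies in trace:
        w = seen.setdefault(window, {"fedauth": False, "to_adfs": False, "msisauth": False})
        names = cookie_names(cookies)
        if host == app_host and not w["to_adfs"] and "FedAuth" in names:
            w["fedauth"] = True
        elif host == adfs_host and not w["to_adfs"]:
            w["to_adfs"] = True
            w["msisauth"] = "MSISAuth" in names
    return seen

def diagnose(summary):
    """Map each window's cookie picture onto the answer's reasoning."""
    verdicts = {}
    for window, w in summary.items():
        if w["fedauth"] and not w["to_adfs"]:
            verdicts[window] = "shared cookie store: FedAuth accepted, no AD FS round trip"
        elif w["to_adfs"] and w["msisauth"]:
            verdicts[window] = "AD FS SSO: MSISAuth presented, token reissued without a prompt"
        elif w["to_adfs"]:
            verdicts[window] = "fresh credential prompt: neither FedAuth nor MSISAuth presented"
        else:
            verdicts[window] = "no sign-in traffic"
    return verdicts
```

Run `diagnose(analyse(SAMPLE_TRACE))` against rows exported from a real trace; a second IE window landing in the "fresh credential prompt" bucket while Chrome lands in "shared cookie store" is the separate-cookie-store symptom the answer describes.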