How to Set & Read Cookies (Server Side) in ADFS Custom Authentication Method

  • Question

  • We are building our own ADFS Custom Authentication (Multi-Factor) Method following this: https://msdn.microsoft.com/en-us/library/dn783423.aspx
    It's working fine.

    In our project we need to set and read a single cookie from the ADFS Server side. (i.e. we don't want to use client side scripting.)

    All the links and code we have found for cookies are in the .NET web applications realm and use the HttpContext.Current object, which is populated by the ASP.NET worker process, and that worker process works only with ASP.NET web applications.
    In our case we have a class-library type project and we don't have the HttpContext.Current object that contains the incoming requests and outgoing responses.

    So we need to find a different way to set and read a cookie server side other than using the HttpContext object, or we need to find a way to invoke or use the HttpContext object from our ADFS.

    Clearly ADFS is setting all kinds of cookies, so it can be done somehow.
    Any help would be appreciated.

    Here are examples of what we have tried:
    Code sample using HttpListenerRequest - TryEndAuthentication

    // Required usings for this attempt:
    using System;
    using System.Net;
    using System.Security.Claims;
    using Microsoft.IdentityServer.Web.Authentication.External;

    public IAdapterPresentation TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, out Claim[] outgoingClaims)
    {
        outgoingClaims = new Claim[0];

        // Attempt 1: build a System.Net.Cookie and add it to the incoming request's cookie collection.
        // This only mutates the already-parsed request; nothing is written to the HTTP response sent to the browser.
        Cookie cookie = new Cookie();
        cookie.Name = "aPCookie";
        cookie.Value = "testValue12344";
        cookie.Path = "/adfs";
        cookie.Secure = true;
        cookie.HttpOnly = true;
        cookie.Expires = DateTime.Now.AddYears(2);
        request.Cookies.Add(cookie);

        // authn complete - return authn method
        outgoingClaims = new[]
        {
            // Return the required authentication method claim, indicating the particular authentication method used.
            new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
                      "http://example.com/myauthenticationmethod1")
        };

        return null;
    }
            
    Code sample using HttpContext:

    // Required usings for this attempt:
    using System;
    using System.IO;
    using System.Net;
    using System.Security.Claims;
    using System.Web;
    using Microsoft.IdentityServer.Web.Authentication.External;

    public IAdapterPresentation TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, out Claim[] outgoingClaims)
    {
        outgoingClaims = new Claim[0];

        // Attempt 2: fabricate an HttpContext so the System.Web cookie API can be used.
        // The adapter runs inside the ADFS service, not an ASP.NET pipeline, so HttpContext.Current is null here;
        // the context built below is detached from the real response (its output goes to a StringWriter).
        if (HttpContext.Current == null)
        {
            HttpRequest httpRequest = new HttpRequest("", string.Format("{0}://{1}", request.Url?.Scheme, request.Url?.Authority), "");
            HttpContext.Current = new HttpContext(httpRequest, new HttpResponse(new StringWriter()));
        }

        HttpCookie cookie = new HttpCookie("aPCookie", "testValue12344");
        cookie.Path = "/adfs";
        cookie.Expires = DateTime.Now.AddYears(2);
        cookie.Secure = true;
        cookie.HttpOnly = true;
        HttpContext.Current.Response.Cookies.Add(cookie);
        HttpContext.Current.Response.Cookies.Add(new HttpCookie("testC", "Mpcookie"));

        // authn complete - return authn method
        outgoingClaims = new[]
        {
            // Return the required authentication method claim, indicating the particular authentication method used.
            new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
                      "http://example.com/myauthenticationmethod1")
        };

        return null;
    }


    • Edited by amfa_guru Thursday, July 19, 2018 11:16 AM
    Thursday, July 19, 2018 10:37 AM

Answers

  • In the end we just wrote our cookies using unsecure JavaScript, then added our own IIS web service (via Invisible iframe) that writes out a secure cookie that is hashed and linked to the unsecure cookie.

    Once we did this, we were all set. Now our unsecure cookie is worthless without the secure cookie.

    The secure cookie is written out in the same domain.

    Marking this answer as solved by me.

    • Marked as answer by amfa_guru Thursday, February 7, 2019 4:15 PM
    Thursday, February 7, 2019 4:15 PM
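The server-side half of the workaround described in this answer, as an added example that is not code from the post, from ADFS or from IIS: a classic ASP.NET handler (the IIS service the invisible iframe requests) that reads the JavaScript-written cookie and issues a Secure, HttpOnly companion whose value is an HMAC-SHA256 tag of the unsecure value, plus the check that ties the two together. The HMAC keyed with a server-side secret, the cookie name aPCookieSig, the handler class and the placeholder key are assumptions; the post says only that the secure cookie is hashed and linked to the unsecure one.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical helper (not from the post): binds the JavaScript-written cookie to a server-issued
// Secure/HttpOnly companion by tagging its value with HMAC-SHA256 under a server-side key.
public static class CookieLink
{
    // Placeholder key: load from protected configuration in a real deployment.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-SERVER-SECRET");

    public static string Tag(string unsecureValue)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(unsecureValue)));
    }

    // Constant-time comparison so a wrong tag does not leak how much of it matched.
    public static bool IsLinked(string unsecureValue, string tag)
    {
        if (string.IsNullOrEmpty(unsecureValue) || string.IsNullOrEmpty(tag)) return false;
        byte[] expected = Encoding.UTF8.GetBytes(Tag(unsecureValue));
        byte[] actual = Encoding.UTF8.GetBytes(tag);
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

// Hypothetical IIS handler the invisible iframe requests: it issues the secure companion cookie.
public class LinkCookieHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpCookie unsecure = context.Request.Cookies["aPCookie"];   // name from the post; set by client-side script
        if (unsecure == null || string.IsNullOrEmpty(unsecure.Value)) { context.Response.StatusCode = 400; return; }

        var secure = new HttpCookie("aPCookieSig", CookieLink.Tag(unsecure.Value))
        {
            Path = "/adfs", Secure = true, HttpOnly = true, Expires = DateTime.Now.AddYears(2)
        };
        context.Response.Cookies.Add(secure);
        context.Response.StatusCode = 204;   // the iframe has nothing to render
    }
}
```

Inside the adapter, which can read but not write cookies, the same check against the HttpListenerRequest is `CookieLink.IsLinked(request.Cookies["aPCookie"]?.Value, request.Cookies["aPCookieSig"]?.Value)`, so the unsecure value is only honoured when its secure companion matches.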

All replies

  • After a number of discussions with MSFT, I can now understand why no one has responded to this question. In the latest version of ADFS, it is not possible for 3rd parties developing MFA adapters for ADFS to create cookies server side.

    MSFT pulled the methods to create server side cookies in order to gain some additional security.

    I believe there is actually a way to still do this, but I need to have some follow-up conversations with MSFT.

    Saturday, October 6, 2018 11:07 PM