Updating cookie path in ADFS 3.0

  • Question

  • Hi,

    Couple of ADFS beginner questions:

    1. In ADFS 2.0 I would update the web.config with the following:

    <httpCookies domain="my domain" httpOnlyCookies="false" requireSSL="false"/>

    Since there is no web.config in ADFS 3.0, what is the command that would let me achieve the same as above?

    2. How would I create an ARR (Application Request Routing) outbound rule in ADFS 3.0?

    Thanks for your help.

    Thursday, June 16, 2016 6:52 PM

All replies

  • Out of curiosity, what is the intent behind those modifications?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, June 17, 2016 1:18 PM
  • There are some portlets that are running on an intranet portal that need to get data from an intranet social collaboration platform. Both need to be configured for SSO with ADFS. However, we are getting 401 errors in those portlets when trying to access the social collaboration data. Per some blogs, we suspect that this is because the cookies are not flowing back to the portal server from ADFS. The path update lets us specify the domain <httpCookies domain ="my domain" ...>, which would let the cookies flow to the relying party (portal server).

    Friday, June 17, 2016 7:57 PM
  • Hi, still looking for an answer. Searching online does not shed much light. Additional context:

    We are trying to set up SSO with IBM WebSphere Portal Server. These are the ADFS 2.0 steps described in there. What we are looking for is how we would achieve the same for ADFS 3.0:

    Adding cookie handling to the Active Directory Federation Services (ADFS) server

    The Internet Information Services (IIS) server as a part of the ADFS configuration sets up the ADFS cookies by default on a specific path and a specific host. To use these cookies for single sign-on (SSO) between the portal server and the ADFS server, the cookies need to flow on requests to the portal server as well. The cookie domain and cookie path must be changed.

    Procedure

    • To change the cookie domain, open the web.CONF of the IIS ADFS module and add the following:
      <configuration>
        ...
        <system.web>
          ...
          <httpCookies domain="your_domain" httpOnlyCookies="false" requireSSL="false" />
          ...
    • To change the cookie path, an outboundRule on IIS is needed. To support this outboundRule via the IIS Management console, Application Request Routing (ARR) is needed. This enhancement creates an outboundRule like the following example:
      <rewrite>
        <outboundRules>
          <remove name="ChangeCookiePath" />
          <rule name="ChangeCookiePath">
            <match serverVariable="RESPONSE_Set_Cookie" pattern="^(.*; path=/)adfs/ls" />
            <conditions />
            <action type="Rewrite" value="{R:1}" />
          </rule>
        </outboundRules>
      </rewrite>

    Monday, June 20, 2016 5:26 PM
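
Added example, not part of the thread or of the documentation it quotes: a JavaScript model of the `ChangeCookiePath` outbound rule above, run over constructed `Set-Cookie` headers to show what the rewritten cookie looks like and which attributes survive. It assumes IIS URL Rewrite defaults (ECMAScript pattern syntax, case-insensitive matching) and that the `Rewrite` action replaces the whole header value with `{R:1}`; the function names and sample cookies are hypothetical.

```javascript
// Added example (not from the thread): models the "ChangeCookiePath" outbound rule.
// Assumptions: IIS URL Rewrite defaults (ECMAScript syntax, ignoreCase=true), and
// that the Rewrite action replaces the whole RESPONSE_Set_Cookie value with {R:1}.
const RULE_PATTERN = /^(.*; path=\/)adfs\/ls/i;

function applyChangeCookiePath(setCookie) {
  const m = RULE_PATTERN.exec(setCookie);
  return m ? m[1] : setCookie; // no match: header passes through unchanged
}

// Minimal Set-Cookie attribute parser, enough for scope and flag checks.
function parseSetCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim()).filter(Boolean);
  const cookie = { name: pair.split('=')[0], path: null, domain: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'path': cookie.path = value; break;
      case 'domain': cookie.domain = value; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Compare a header before and after the rule and list what changed.
function reviewRule(setCookie) {
  const before = parseSetCookie(setCookie);
  const rewritten = applyChangeCookiePath(setCookie);
  const after = parseSetCookie(rewritten);
  const findings = [];
  if (before.path !== after.path) findings.push(`path widened: ${before.path} -> ${after.path}`);
  if (before.secure && !after.secure) findings.push('Secure flag dropped');
  if (before.httpOnly && !after.httpOnly) findings.push('HttpOnly flag dropped');
  return { rewritten, findings };
}

// Constructed sample headers (cookie names and values are made up).
const SAMPLES = [
  'SampleAuth=CONSTRUCTED; path=/adfs/ls; secure; HttpOnly',
  'SampleAuth=CONSTRUCTED; path=/adfs/ls',
  'PortalPref=1; path=/portal; HttpOnly',
];
for (const h of SAMPLES) console.log(h, '=>', JSON.stringify(reviewRule(h)));
```

Under those assumptions, any attributes that follow `path=/adfs/ls` in the original header are not carried into the rewritten value, so the effective `Secure` and `HttpOnly` state should be checked on the response actually sent to the browser.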