Reduction of SSO cookie size with dynamic group SID hydration

  • Question

  • Hi All,

    Can someone throw some light on reduction of SSO cookie size with dynamic group SID hydration? How does this work? There is very limited or no information on the net. I need to understand how this can be implemented, or is implemented internally if so, and how it helps in logon.

    The article below only gives a one-liner on it, with no explanation whatsoever.

    https://technet.microsoft.com/en-us/library/hh831502.aspx 

    I also have some queries on implementing security in an ADFS infrastructure. I know we can do some things with token replay detection, server hardening etc.

    How can we make the infrastructure more secure from a cookies perspective (HttpOnly)? Can we do some tweaks on the server end to make sure that all requests and responses are HttpOnly or Secure?


    I need to know more about session management with ADFS and what can be done from the ADFS side to make communication secure.

    I believe we cannot change much on the relying parties with respect to cookies, as we do not control much on them and ADFS redirects the user request to the relying parties.

    Thanks All

    Amit Kalia


    Tuesday, January 3, 2017 10:33 AM

Answers

  • The group membership is no longer stored in the WebSSO cookie (the MSISAuth cookie). This is why this one is smaller than in ADFS 2.x. Instead, the membership is calculated when the WebSSO cookie is used (presented by the user to obtain a token). Note that at the same time, we also check if the user account still exists and is still enabled. So if you obtain a WebSSO cookie and then the user gets deleted or disabled, you cannot get a new token with that cookie.

    All ADFS endpoints for authentication are exposed only via HTTPS.

    Regarding the bootstrap cookies that the application gives you, it is up to the application. You also have to trust the application not to do stupid things with the cookies :) After all, you created a Relying Party Trust :) So you must trust them...


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Monday, January 9, 2017 3:11 PM
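The mechanism described in the answer above, as an added model written for this page (it is not ADFS code and does not reproduce ADFS internals): a WebSSO-style cookie that carries only the signed-in user's SID and sign-in time, and a token-issuance step that checks the account still exists and is enabled and then reads ("hydrates") the group SIDs from the directory at that moment. The older style, with group SIDs copied into the cookie, is kept beside it so the size difference is visible. The directory contents, the user and group SIDs, the 8-hour lifetime, the HMAC key and the Secure/HttpOnly attributes on the Set-Cookie line are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed directory for the example: user SID -> account state and
# group SIDs. In a real deployment this is Active Directory.
ALICE_SID = "S-1-5-21-1111-2222-3333-1001"
BOB_SID = "S-1-5-21-1111-2222-3333-1002"
DIRECTORY = {
    ALICE_SID: {
        "upn": "alice@example.test",
        "enabled": True,
        # 50 group SIDs, to make the cookie-size difference obvious.
        "groups": [f"S-1-5-21-1111-2222-3333-{1100 + i}" for i in range(50)],
    },
    BOB_SID: {
        "upn": "bob@example.test",
        "enabled": True,
        "groups": ["S-1-5-21-1111-2222-3333-1100"],
    },
}

COOKIE_KEY = b"example-only-cookie-signing-key"  # assumption: server-side secret
MAC_LEN = hashlib.sha256().digest_size
SSO_LIFETIME_S = 8 * 3600  # assumption: 8-hour WebSSO lifetime


def _seal(payload: dict) -> str:
    """Serialize and HMAC a cookie payload so the client cannot alter it."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    mac = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def _open(cookie: str):
    """Verify the HMAC and return the payload, or None if tampered/garbled."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def issue_cookie_with_groups(user_sid: str, now: int) -> str:
    """Older style: group SIDs are copied into the cookie at sign-in."""
    rec = DIRECTORY[user_sid]
    return _seal({"sid": user_sid, "groups": rec["groups"], "iat": now})


def issue_cookie(user_sid: str, now: int) -> str:
    """Hydration style: the cookie records only who signed in and when."""
    return _seal({"sid": user_sid, "iat": now})


def issue_token(cookie: str, now: int):
    """Exchange a WebSSO cookie for a token.

    Returns (token, None) on success or (None, reason) when refused.
    """
    claims = _open(cookie)
    if claims is None:
        return None, "invalid cookie signature"
    if now - claims["iat"] > SSO_LIFETIME_S:
        return None, "sso session expired"
    rec = DIRECTORY.get(claims["sid"])
    if rec is None:
        return None, "account no longer exists"
    if not rec["enabled"]:
        return None, "account disabled"
    # Hydrate: group SIDs are read from the directory now, so membership
    # changes made after sign-in are reflected in the issued token.
    return {"sub": rec["upn"], "groups": list(rec["groups"]), "iat": now}, None


def set_cookie_header(cookie: str) -> str:
    """Response header with the Secure and HttpOnly attributes (assumed
    hardening for the example, not a value read from an ADFS server)."""
    return f"Set-Cookie: MSISAuth={cookie}; Secure; HttpOnly"


def disable_account(user_sid: str) -> None:
    DIRECTORY[user_sid]["enabled"] = False


def delete_account(user_sid: str) -> None:
    DIRECTORY.pop(user_sid, None)


if __name__ == "__main__":
    now = 1_700_000_000
    old = issue_cookie_with_groups(ALICE_SID, now)
    new = issue_cookie(ALICE_SID, now)
    print(f"cookie chars with groups: {len(old)}, hydrated: {len(new)}")
    print(set_cookie_header(new))
    token, _ = issue_token(new, now + 60)
    print("groups hydrated into token:", len(token["groups"]))
    disable_account(ALICE_SID)
    print("same cookie after disable:", issue_token(new, now + 120)[1])
```

The cookie is not changed when the account is disabled or deleted; the refusal happens because the directory is consulted on every token request, which is the revocation property the answer describes.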

All replies

  • Thanks for the reply it helps.

    However, Microsoft still has to make more documentation available on SID hydration. Quoting "SID hydration helps in cookie reduction" does not help much.


    Amit Kalia

    Thursday, May 25, 2017 11:13 AM
  • What more do you need?


    Thursday, May 25, 2017 4:11 PM