ADFS 2016 - SAML token replay detection and ADFS authentication cookie

    Question

  • Am I right that ADFS uses cookies for authentication for not logging in every time?

    How does the SAML token replay detection work when this authentication cookie is used?

    Is there newer documentation than the Understanding Cookies in ADFS for 2008 R2?

    Since 2012 the Web Agent feature isn't available, so maybe other things have changed as well.

    • Edited by 1.FreddyD Friday, November 10, 2017 6:56 AM
    Thursday, November 09, 2017 8:02 AM

All replies

  • Token Replay Detection is not based on cookies but on the token.

    When a user arrives with a token obtained from a Claim Provider Trust different than AD, we will log something in the database and if we see the same token coming later, we'll block the access. If you do not have any other trust than Active Directory in your Claim Provider Trust list, this feature does not do anything for you.

    With ADFS 2016 and IF the user-agent (aka the browser) supports it, the MSISAuth cookie (aka the WebSSO cookie) will be bound to the machine. But that's something else, nothing to do with token replay detection.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, November 11, 2017 12:45 AM
    Owner
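The reply above describes replay detection as "remember the token the first time, block it the second time, and only for tokens from a claims provider other than AD". The following is an added, simplified model of that behaviour (example code written for this page, not Microsoft's or ADFS's implementation): it keys the replay cache on the SAML assertion's Issuer and ID and forgets an entry once the assertion's own NotOnOrAfter has passed. The issuer URL, the sample assertions and the clock are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical issuer standing in for the local Active Directory claims provider.
LOCAL_ISSUER = "http://ad.example.test/adfs/services/trust"


class ReplayCache:
    """Remembers (issuer, assertion ID) pairs until the token's NotOnOrAfter passes."""

    def __init__(self, now=None):
        self._seen = {}  # (issuer, ID) -> expiry of that token
        self._now = now or (lambda: datetime.now(timezone.utc))

    def check(self, assertion_xml):
        root = ET.fromstring(assertion_xml)
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        token_id = root.get("ID")
        cond = root.find("saml:Conditions", NS)
        expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        now = self._now()
        if now >= expiry:
            return "expired"          # stale tokens are rejected before any bookkeeping
        if issuer == LOCAL_ISSUER:
            return "accepted"         # tokens from the AD claims provider are not tracked
        # Drop entries whose tokens could not be valid any more, bounding cache growth.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        key = (issuer, token_id)
        if key in self._seen:
            return "replayed"         # same token presented a second time: block it
        self._seen[key] = expiry
        return "accepted"


def sample_assertion(token_id, issuer, not_on_or_after):
    """Constructed minimal SAML 2.0 assertion with only the fields the check reads."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{token_id}" Version="2.0" '
        f'IssueInstant="2017-11-09T08:00:00Z"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"/></saml:Assertion>'
    )


def demo():
    clock = [datetime(2017, 11, 9, 8, 1, tzinfo=timezone.utc)]  # constructed clock
    cache = ReplayCache(now=lambda: clock[0])
    external = sample_assertion("_ext1", "https://partner.example.test/idp", "2017-11-09T09:00:00Z")
    local = sample_assertion("_loc1", LOCAL_ISSUER, "2017-11-09T09:00:00Z")
    results = [cache.check(external), cache.check(external), cache.check(local), cache.check(local)]
    clock[0] = datetime(2017, 11, 9, 9, 5, tzinfo=timezone.utc)  # past NotOnOrAfter
    results.append(cache.check(external))
    return results
```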