Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS and Cookies

Last post 06-13-2008, 10:30 PM by joe. 12 replies.
  •  06-02-2008, 3:26 PM 3768

    ADFS and Cookies

    ·  Realm selection: can it be cookie-less?

    ·  Does ADFS require cookies at all? Is there another way to perform the ADFS functions?

    These questions were posed by the client. 


    It is my understanding that ADFS requires cookies, but is this a non-negotiable item with ADFS?


    Does Open ID use cookies?

  •  06-02-2008, 9:32 PM 3772 in reply to 3768

    Re: ADFS and Cookies

    ADFS requires cookies for sure, although not for realm selection.  The logon token itself is persisted between logons in a cookie.

    I don't know if OpenID requires cookies, although I imagine it does.  You'll likely lose some of your strong Windows integration like the NT token agent if you go in that direction though (and thus OWA). 

    You can override realm detection with query strings if you like.

    What is the big deal with cookies?  The logon cookie is a session cookie, so it won't be rejected by the browser.

  •  06-03-2008, 8:31 AM 3775 in reply to 3772

    Re: ADFS and Cookies

    The few topics I started were just in response to my con-call I had showing my lab setup to the client.  So I told them I'd pass along some questions.

    Even though some don't want cookies at all, it is nice to know that the browser won't reject them.  I tried it and it worked, although IE 7 allows you to block session cookies as well.  You can't even have .NET session if you turn off session cookies anyway.

  •  06-04-2008, 9:24 AM 3789 in reply to 3772

    Re: ADFS and Cookies

    Joe, it is my understanding that cookie-less apps can exist in .NET.  However, as I understand ADFS, you have to at least accept session cookies because these cookies persist the login credentials between resources.  .NET can be cookie-less because it is on the same web server and uses query-string/URL values to mimic what the cookie does to store the session ID.  ADFS can't/isn't going to do that for security reasons, I would think.

    Is my understanding correct?

  •  06-05-2008, 1:58 PM 3806 in reply to 3789

    Re: ADFS and Cookies

    That is basically right, yes.  For session state, all you need to do is round trip some sort of pointer back to the user's session state information, so that is doable in either a cookie or query string.  However, the ADFS logon token is the actual data and not a pointer to the data, so it is stored in a cookie.  It is actually too big to fit in a query string in many cases, so using a gigantic query string might not work.

    If you stored the data server side and just had the client maintain a pointer, you would need some sort of persistence mechanism like session state to store it, and that would require that the application support session state or something similar.  That would be a big demand on the underlying application since session state tends to kill scalability and makes scale out more complicated, so that would be a difficult thing to impose on applications in general.

  •  06-06-2008, 8:40 AM 3815 in reply to 3806

    Re: ADFS and Cookies

    By setting the token lifetime am I setting the timeout for the users login?  Is that what expires the ADFS session cookie?

  •  06-09-2008, 11:48 PM 3847 in reply to 3815

    Re: ADFS and Cookies

    Yes, for the most part.  Note that there are multiple different tokens involved, especially in a cross-org sign-in, so you might not actually see an expiration event.  For example, if the app times out at 60 minutes but the cookie issued by the FS itself is good for 10 hours, then the FS will just issue the user a new app token good for 60 more minutes.

    The timestamp is actually in the cookie data though and does not work off of the expires field on the cookie itself.
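
The two posts above make two points that are easy to conflate: the logon token is the data itself rather than a pointer into server-side session state (post 3806), and its lifetime is enforced from a timestamp inside the cookie data, with a short-lived app token being silently renewed while the longer-lived FS token is still good (post 3847). The following Python model is added here as an illustration; it is not code from this thread or from ADFS. It assumes a constructed token format (base64 JSON payload plus an HMAC signature under a constructed key) and the 60-minute / 10-hour lifetimes quoted in the thread; real ADFS tokens and cookie names differ.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed demo key: stands in for a federation server's token-signing key.
# This is an assumption for the illustration, not an ADFS secret or format.
SIGNING_KEY = b"constructed-demo-signing-key"

# Lifetimes taken from the example in the thread: the FS cookie is good for
# 10 hours, the application token for 60 minutes.
FS_TOKEN_LIFETIME = timedelta(hours=10)
APP_TOKEN_LIFETIME = timedelta(minutes=60)


def issue_token(subject: str, issued_at: datetime, lifetime: timedelta) -> str:
    """Build a self-contained token: the subject and its own issue/expiry
    timestamps are the cookie *data*, not a pointer into server-side state."""
    payload = {
        "sub": subject,
        "iat": issued_at.isoformat(),
        "exp": (issued_at + lifetime).isoformat(),
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token: str, now: datetime) -> Optional[dict]:
    """Return the payload if the signature checks and the embedded expiry has
    not passed; None otherwise. The browser's cookie Expires attribute is never
    consulted: a session cookie has none, and the client controls it anyway."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= datetime.fromisoformat(payload["exp"]):
        return None
    return payload


def login(subject: str, now: datetime) -> dict:
    """Initial sign-in: a long-lived FS token plus a short-lived app token."""
    return {
        "fs_token": issue_token(subject, now, FS_TOKEN_LIFETIME),
        "app_token": issue_token(subject, now, APP_TOKEN_LIFETIME),
    }


def handle_request(cookies: dict, now: datetime) -> tuple:
    """Outcome of a request to the application at time `now`.

    Returns (outcome, cookies_to_set). The app token is checked first; if it
    has expired but the FS token is still valid, a fresh app token is issued
    without any prompt, which is why the user sees no expiry event until the
    longer lifetime runs out (the "longest timeout wins" effect)."""
    if validate_token(cookies.get("app_token", ""), now):
        return "app-token-valid", {}
    fs = validate_token(cookies.get("fs_token", ""), now)
    if fs:
        fresh = issue_token(fs["sub"], now, APP_TOKEN_LIFETIME)
        return "app-token-reissued-from-fs", {"app_token": fresh}
    return "reauthenticate", {}


def tamper_rejected(subject: str = "alice") -> bool:
    """Rewrite the embedded expiry but keep the old signature; validate_token
    must reject it, which is what makes the embedded timestamp trustworthy."""
    t0 = datetime(2008, 6, 9, 9, 0, tzinfo=timezone.utc)
    body, _, sig = issue_token(subject, t0, APP_TOKEN_LIFETIME).partition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["exp"] = (t0 + timedelta(days=30)).isoformat()
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return validate_token(f"{body}.{sig}", t0 + timedelta(minutes=5)) is None


def simulate(subject: str = "alice") -> list:
    """Walk one sign-in through the timeline the thread describes."""
    t0 = datetime(2008, 6, 9, 9, 0, tzinfo=timezone.utc)
    jar = login(subject, t0)
    timeline = []
    for minutes in (30, 90, 11 * 60):
        outcome, new_cookies = handle_request(jar, t0 + timedelta(minutes=minutes))
        jar.update(new_cookies)  # the browser stores whatever Set-Cookie came back
        timeline.append((minutes, outcome))
    return timeline


if __name__ == "__main__":
    for minutes, outcome in simulate():
        print(f"t+{minutes:4d} min: {outcome}")
    print("tampered expiry rejected:", tamper_rejected())
```

Running it shows the request at 30 minutes served from the app token, the request at 90 minutes served after a silent re-issue from the FS token, and only the request at 11 hours forcing a fresh sign-in. Because the expiry lives inside signed data, extending it in the cookie without the signing key is rejected, which is the property a cookie-borne token needs and a browser-side Expires attribute cannot provide.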

  •  06-10-2008, 8:28 AM 3853 in reply to 3847

    Re: ADFS and Cookies

    Because of the way ADFS works, it sounds like the longest timeout wins, at least on the side that creates the login token.

  •  06-10-2008, 1:01 PM 3863 in reply to 3853

    Re: ADFS and Cookies

    That's basically my experience, yes.

  •  06-12-2008, 9:34 AM 3886 in reply to 3863

    Re: ADFS and Cookies

    Here's another issue I notice.

    I have multiple partners that each have accounts and resources.

    I've noticed that when I log in to different resources, it is possible to have multiple home realms selected.  Is this just because the realm cookie is specific to each FS-R?

  •  06-12-2008, 5:59 PM 3898 in reply to 3886

    Re: ADFS and Cookies

    The realm cookie IS specific to each FS-R.  If you look at the Set-Cookie header for the _LSRealm cookie, you will see that it contains no domain parameter, so that means that the browser will only return it to the host that issued it.

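
The post above hinges on one cookie attribute: a Set-Cookie header with no Domain attribute creates a host-only cookie, which the browser returns only to the exact host that set it, so each FS-R ends up with its own _LSRealm. The Python below is an added example, not code from the thread or from ADFS; it stores a Set-Cookie header the way RFC 6265 tells a browser to and then asks which hosts would get the cookie back. The FS-R hostnames and the realm values are constructed placeholders, and the public-suffix check real browsers also apply is left out.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str      # host the browser matches requests against
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    http_only: bool


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals `domain` or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == domain or request_host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4, simplified: equal, or cookie path is a directory prefix."""
    return request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")


def parse_set_cookie(header: str, issuing_host: str) -> Optional[StoredCookie]:
    """Store a Set-Cookie header as a browser does (RFC 6265 section 5.3).

    Without a Domain attribute the cookie is host-only: it is returned only to
    exactly the host that issued it. A Domain attribute widens that to every
    host under the domain, but the whole Set-Cookie is ignored if the issuing
    host is not itself inside that domain. (Real browsers also refuse public
    suffixes such as "co.uk"; that check is omitted here.)"""
    issuing_host = issuing_host.lower()
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        return None
    cookie = StoredCookie(name.strip(), value.strip(), issuing_host, True, "/", False, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()  # a leading dot is ignored
            if not domain_matches(issuing_host, domain):
                return None
            cookie.domain, cookie.host_only = domain, False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def will_be_sent(cookie: StoredCookie, request_host: str,
                 request_path: str = "/", https: bool = True) -> bool:
    """Would the browser attach this stored cookie to a request for host/path?"""
    host = request_host.lower()
    if cookie.host_only:
        if host != cookie.domain:
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if cookie.secure and not https:
        return False
    return path_matches(request_path, cookie.path)


# Constructed scenario: two resource partners, each with its own FS-R host.
# Hostnames and realm values are placeholders, not from any real deployment.
FS_R_HOSTS = ["fs-r.partner-a.example", "fs-r.partner-b.example"]


def realm_cookie_visibility() -> dict:
    """For each FS-R's _LSRealm cookie, list the FS-R hosts that would receive it."""
    visibility = {}
    for issuer in FS_R_HOSTS:
        header = "_LSRealm=urn:constructed:realm-chosen-at-" + issuer + "; path=/; HttpOnly"
        cookie = parse_set_cookie(header, issuer)
        visibility[issuer] = [h for h in FS_R_HOSTS if will_be_sent(cookie, h)]
    return visibility


if __name__ == "__main__":
    for issuer, receivers in realm_cookie_visibility().items():
        print(f"_LSRealm set by {issuer} is sent back to: {receivers}")
```

With no Domain attribute, each partner's FS-R only ever sees the realm choice made at that FS-R, which is exactly the behaviour the post describes. The same parser also shows the contrast: a cookie set with `Domain=partner-a.example` would be offered to every host under that domain, and a Domain value the issuing host does not belong to is dropped by the browser entirely.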
  •  06-13-2008, 8:16 AM 3914 in reply to 3898

    Re: ADFS and Cookies

    That makes sense, I think it will just be confusing for users/organizations to understand why it has to be like that.

    Would it be possible to allow the user to select their realm once for all resource groups, or would that cause other problems?

  •  06-13-2008, 10:30 PM 3932 in reply to 3914

    Re: ADFS and Cookies

    I've heard of organizations setting realm cookies via group policy, but I'm not a GPO guy and don't know how to do this.

    Otherwise, there is no way to do this that I know of.  You can use the whr query string to override HRD behavior, but that isn't always practical since you can't always control the URL the user will use.
