Authenticated, but external login provider is still visible for selection

Sep 17, 2014 at 1:24 PM
Edited Sep 19, 2014 at 7:07 AM

For some reason I get 'user not found' error and my external provider is still visible. I also notice a very long cookie. Should those cookies be deleted after authentication? Also table [AspNetUserLogins] is empty. I believe I have seen it filled once.

(I believe it has to do with claims exchange between my provider and Owin)

Sep 17, 2014 at 4:37 PM
None of these cookies are set by Katana. Are you sure you're not using WIF?
Sep 19, 2014 at 7:06 AM
I have next cookies. I guess the prefix is who creates them:

OWIN: __RequestVerificationToken
My MiddleWare: __myProviderState
My MiddleWare: FedAuth1
MVC/ OWIN? :.AspNet.ApplicationCookie
MVC/ OWIN? :.AspNet.ExternalCookie

Is it correct OWIN sets those three cookies?

My Middleware calls:
    var transformedPrincipal = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate(null, principal);
            var sessionSecurityToken = lifetime.HasValue ? new SessionSecurityToken(transformedPrincipal, lifetime.Value) : new SessionSecurityToken(transformedPrincipal);
            sessionSecurityToken.IsReferenceMode = isReferenceMode;
            sessionSecurityToken.IsPersistent = isPersistent;
            FederatedAuthentication.SessionAuthenticationModule.AuthenticateSessionSecurityToken(sessionSecurityToken, true);
            return transformedPrincipal;
 public class Saml2ResponseSecurityTokenHandler : Saml2SecurityTokenHandler
        public static Saml2ResponseSecurityTokenHandler GetSaml2SecurityTokenHandler()
            var handler = new Saml2ResponseSecurityTokenHandler();
            var identityConfiguration = FederatedAuthentication.FederationConfiguration.IdentityConfiguration;
            handler.Configuration = new SecurityTokenHandlerConfiguration
                SaveBootstrapContext = identityConfiguration.SaveBootstrapContext,
                AudienceRestriction = identityConfiguration.AudienceRestriction,
                IssuerNameRegistry = new Saml2ResponseIssuerNameRegistry(),
                CertificateValidationMode = identityConfiguration.CertificateValidationMode,
                RevocationMode = identityConfiguration.RevocationMode,                

            handler.SamlSecurityTokenRequirement.NameClaimType = ClaimTypes.NameIdentifier;
            return handler;
Where FederatedAuthentication.FederationConfiguration.IdentityConfiguration is from System.IdentityModel.Services.

Should I use Microsoft.Owin.Security.WsFederation instead?
Sep 19, 2014 at 2:06 PM
__RequestVerificationToken looks like it comes from MVC. .AspNet.ExternalCookie and .AspNet.ApplicationCookie come from Katana. It was FedAuth1 and __myProviderState that had me confused.

Yes, try using the Microsoft.Owin.Security.WsFederation package instead of System.IdentityModel.Services. There's no point in re-inventing it.
Oct 27, 2014 at 10:27 AM
Edited Oct 27, 2014 at 10:27 AM
Hi Tratcher,

Thank you. However, I have SAML2-Protocol integrated in my own OWIN middleware. The WsFederation does not.

For some reason my middleware does not create claims. I only see next claims without the once I added from the IdP I authenticated on: c840bc4e-49fa-41c2-976e-2545e0434020 LOCAL AUTHORITY LOCAL AUTHORITY LOCAL AUTHORITY LOCAL AUTHORITY ASP.NET Identity LOCAL AUTHORITY LOCAL AUTHORITY 
AspNet.Identity.SecurityStamp a77013fb-e66f-4e1c-be00-411b99813459 LOCAL AUTHORITY LOCAL AUTHORITY 
Once I call: "FederatedAuthentication.FederationConfiguration. IdentityConfiguration.ClaimsAuthenticationManager.Authenticate(null, principal);" I see my IdP claims as well. Unfortunately, I have next two issues: 1) I have multiple claims for ClaimTypes.NameIdentifier and thus the 'Antiforgery' starts throwing exceptions., 2) I have a bunch of cookies.

I believe I do something wrong since in the samples like Microsoft, Facebook, etc. I do not see such call to have the claims added. I only see it uses httpclient, which I cannot use since I need to redirect the user who has to apply his X509 certificate and a password.

Basically all I want is to authenticate to a certain IdP. On success I want to add my own claim so in my application logic I can reveal sensitive information.

Your help and guidance is very much appreciated.