This project has moved and is read-only. For the latest updates, please go here.

HTTP Redirect In WS-Federation

May 9, 2014 at 5:12 PM
I've come across another issue I'm having with the WS-Federation Middleware that goes like this.....

1)Go to Site http://site.com/someplace
2)Site requires authentication so jumps to my sts
3)STS returns back to https://site.com and sets cookie
4)Site redirects to http://site.com/someplace
5)no cookie exists here as http so I jump back to my sts and go around in an infinite loop.

I could fix this by turning off my HTTP binding but I have RequireHTTPS on the entire site which means users missing the https don't get an error. The WS-Federation redirect happens before the HTTPS local redirect. What I'd expect to happen is I'd end up logged on at https://site.com/someplace.

Is there a way to achieve this?
May 9, 2014 at 6:22 PM
The middleware just redirects back to the original page after the sign-in process. You could put in an earlier middleware that redirects all HTTP requests to HTTPS. You could also hook into the WsFed notifications and re-write the redirect URIs.
May 9, 2014 at 9:31 PM
Edited May 9, 2014 at 9:36 PM
Thanks Tratcher, I've added the following notification and it's cleared up the problem although feels a little hacky. Do you know if there is a way to come at it from the other end and make sure the Redirect to https happens before MVC looks at if the user is Authenticated or not.... thus the original page will always be https.

Another issue with not doing the redirect first.... Everytime I hit a http: address I end up having to do a round trip to the sts even if I have a valid cookie as no cookie is sent with the http request.
SecurityTokenValidated = (a) =>
                        {
                            if (a.AuthenticationTicket.Properties.RedirectUri.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
                            {
                                a.AuthenticationTicket.Properties.RedirectUri = a.AuthenticationTicket.Properties.RedirectUri.Replace("http://", "https://");
                            }
                            return Task.FromResult(0);
                        }
May 9, 2014 at 9:45 PM
HAHA - I'm such an idiot.....
Yes there is a way to do the redirect first. Make sure RequireHttpsAttribute is the first thing you add to the GlobalFilterCollection and thus the redirect happens before the Middleware gets involved at all.
Thanks for the help and sorry for wasting time. It was really more of an MVC issue than Katana in the end :-)
Marked as answer by Tratcher on 5/21/2014 at 2:09 PM