
We have 3 applications deployed on the same server. One of the applications works as expected and lets us authenticate against Thinktecture IdentityServer 2 without issue. The other 2 applications show the following pattern:

  1. Go to the application URL
  2. Since you are not logged in you are redirected to the IdP as expected
  3. You log into the IdP and are issued an IdP cookie
  4. You are taken back to the application
  5. The application decides that you aren't logged in, and sends you back to the IdP
  6. The IdP decides that you are logged in and sends you back to the application
  7. Repeat steps 5 and 6 infinitely

We are using SAML 2.0.

Snippet from web.config of working app:

<!-- WCF client configuration for the ArmDAL service this application calls.
     Not part of the federated sign-in flow configured further down; kept as the question shows it. -->
<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <!-- Message-level security with Windows credentials; the endpoint address below is plain http to localhost. -->
    <binding name="WSHttpBinding_IArmDAL" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="1262144" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="Message">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <!-- The <dns> identity is the name the client expects the service credential to present. -->
  <endpoint address="http://localhost:81/ArmDAL.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IArmDAL" contract="ArmDALService.IArmDAL" name="WSHttpBinding_IArmDAL">
    <identity>
      <dns value="localhost" />
    </identity>
  </endpoint>
</client>
</system.serviceModel>
<!-- Token validation settings for this relying party (WIF). -->
<system.identityModel>
<identityConfiguration>
  <!-- Rejects a security token that has already been presented once. Keep this enabled outside development. -->
  <tokenReplayDetection enabled="true" />
  <!-- A token is accepted only if its audience matches one of these URIs.
       NOTE(review): the value is "https://Z.com/" while the wsFederation realm below is "https://z.com/";
       whether the audience comparison is case-sensitive is not shown here, so confirm the two agree exactly. -->
  <audienceUris>
    <add value="https://Z.com/" />

  </audienceUris>
  <!-- Maps the token-signing certificate thumbprint to the issuer name that incoming tokens must carry. -->
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://idp.com/IdentityServer">
      <keys>
        <add thumbprint="FD2BA696B57FD24D597034D4EC308D010D506C9A" />
      </keys>
      <validIssuers>
        <add name="http://idp.com/IdentityServer" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
  <!--certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
  <!-- Swaps the default session token handler for the machineKey-based one, so the session cookie is protected
       with the ASP.NET <machineKey> configuration.
       NOTE(review): the <machineKey> element is not shown in this snippet; confirm each app has one configured. -->
  <securityTokenHandlers>
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </securityTokenHandlers>
  <!-- NOTE(review): "None" skips validation of the token-signing certificate itself; the thumbprint above is the only
       check left. Use a trust mode such as ChainTrust or PeerTrust outside development. -->
  <certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<!-- Passive federation settings. The protocol configured here is WS-Federation; the "SAML 2.0" mentioned in the
     question presumably refers to the token format, not the sign-in protocol. -->
<system.identityModel.services>
<federationConfiguration>
  <!-- requireSsl="false" allows the session cookie to be sent over plain http (cookie not marked Secure). Development only.
       NOTE(review): three apps share one server; if they also share a host name, the default session cookie name and
       path may collide between apps. Check the cookieHandler name/path/domain settings per application. -->
  <cookieHandler requireSsl="false" />
  <!-- passiveRedirectEnabled="true" sends unauthenticated requests to the issuer; realm is the identifier this RP asks
       the IdP to issue tokens for. requireHttps="false" accepts federation messages over plain http. Development only. -->
  <wsFederation passiveRedirectEnabled="true" issuer="https://idp-alpha.com/issue/wsfed" realm="https://z.com/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>

Snippet from web.config of the non-working app:

<!-- Token validation settings for the non-working relying party (WIF). Same layout as the working app;
     the review notes below mark the places where the two snippets differ. -->
<system.identityModel>
 <identityConfiguration>
  <!-- Rejects a security token that has already been presented once. Keep this enabled outside development. -->
  <tokenReplayDetection enabled="true" />
  <!-- A token is accepted only if its audience matches one of these URIs; here it matches the wsFederation realm below. -->
  <audienceUris>
    <add value="https://X.com/" />

  </audienceUris>
  <!-- Maps the token-signing certificate thumbprint to the issuer name that incoming tokens must carry.
       NOTE(review): the authority and validIssuers names are written "http://IdP.com/IdentityServer" here, while the
       working app uses "http://idp.com/IdentityServer". If the issuer comparison is case-sensitive, a token from the IdP
       would fail issuer validation and the RP would redirect again, which matches the loop described. Confirm against the
       issuer value actually present in the token. -->
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://IdP.com/IdentityServer">
      <keys>
        <add thumbprint="FD2BA696B57FD24D597034D4EC308D010D506C9A" />
      </keys>
      <validIssuers>
        <add name="http://IdP.com/IdentityServer" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
  <!--certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
  <!-- Swaps the default session token handler for the machineKey-based one, so the session cookie is protected
       with the ASP.NET <machineKey> configuration.
       NOTE(review): the <machineKey> element is not shown in this snippet; confirm it is configured for this app. -->
  <securityTokenHandlers>
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </securityTokenHandlers>
  <!-- NOTE(review): "None" skips validation of the token-signing certificate itself. Use a trust mode such as
       ChainTrust or PeerTrust outside development. -->
  <certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<!-- Passive WS-Federation settings for this RP. -->
<system.identityModel.services>
<federationConfiguration>
  <!-- requireSsl="false" allows the session cookie to be sent over plain http. Development only.
       NOTE(review): if this app shares a host name with the working app, the default session cookie name and path may
       collide; check the cookieHandler name/path/domain settings. -->
  <cookieHandler requireSsl="false" />
  <!-- NOTE(review): the issuer here is "https://idp-alphacom/issue/wsfed"; the working app uses
       "https://idp-alpha.com/issue/wsfed" (note the dot). If this is not a transcription slip, the RP redirects to a
       different host than the IdP. The question says the IdP is reached, so verify the value in the deployed file. -->
  <wsFederation passiveRedirectEnabled="true" issuer="https://idp-alphacom/issue/wsfed" realm="https://X.com/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>



Are you trapping errors in the Relying Party? If you are getting token replay detection errors, you can turn it off:

<!-- NOTE(review): this removes the check that rejects a token presented more than once; it does not explain why the RP
     fails to accept the session in the first place. Capture the exception the RP raises before switching this off,
     and do not leave it disabled outside development. -->
<tokenReplayDetection enabled="false" />