
My question boils down to, can I refresh the user's Claims when I switch between Apps? From what I can tell the answer is most likely "no". I've done the dance to add "claimTypeRequired" but that isn't helpful.

Say I have multiple Applications, App1, App2, App3, App4, App5.

It appears AD FS is not hit again once you're authenticated by any App and there's no way around that short of signing out, yeah? So with that thinking, I have to get all the Claims for all the Apps regardless which App I sign into. As a side note, I'm creating these Claims via a SQL stored procedure from AD FS. usp_GetAppClaims @AppID = 1, @UserGuid = 'GUID'

I store a set of claims for each App under its own URI, which contains multiple values. Similar to the "Roles" claim. For example:

Am I making this more difficult than it needs to be? I'm slightly worried about token size if I'm required to have all the Claims. 20 Apps, each with 10-50 Claims... 4KB cookie max, right? Maybe that's irrelevant for the most part.

MisterIsaak

3 Answers


If you do the claims query in the last "Issuance Transform Rules", then each app always gets its own Claim set.

If you have a chain of Issuers, and the claims come from the first in the chain then I am not aware of any method to differentiate per RP (at the end of the chain). To avoid the huge claim set some people (if possible) do it in the RP with the WIF ClaimsAuthenticationManager.

paullem
  • As I keep looking into this, ClaimsAuthenticationManager might end up being the best option. Any chance you could maybe explain a little more about your first point? – MisterIsaak Oct 06 '14 at 12:41
  • If the ADFS server is the IdP (the account is in the AD) then you could query your SQL in the Acceptance Transform Rules. Then the claims for all RPs would be in there (large token problems etc.). If you do it only in the (per RP) Issuance Transform Rules then each RP has its own set of claims. (Small cookie at ADFS, small cookie at RP.) – paullem Oct 06 '14 at 18:34
  • Ah, okay now I understand what you were talking about. Thanks for the explanation. – MisterIsaak Oct 06 '14 at 21:36
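The distinction paullem draws, as an added example that is not code from the original thread: the same SQL lookup placed in each relying party's Issuance Transform Rules (so App1's token only carries App1's claims) versus the claims provider trust's Acceptance Transform Rules (one lookup at sign-in, every app's claims in the AD FS session). It uses the AD FS PowerShell module and the claim rule language. The attribute store name, connection string, RP names, claim type URIs and the `urn:contoso:identity:userguid` input claim are assumptions; `usp_GetAppClaims` is the procedure the question names.

```powershell
# Added example (not from the original thread). Assumes the ADFS module
# (AD FS 2012 R2 or later) and that the claims pipeline already carries a
# user-GUID claim of the assumed type urn:contoso:identity:userguid.
Import-Module ADFS

# 1. Register the SQL attribute store once. Name and connection string are assumptions.
Add-AdfsAttributeStore -Name "AppClaimsStore" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=sql01;Database=AppClaims;Integrated Security=True" }

# 2. Build a per-app issuance rule. {0} is substituted with the first param
#    (the user's GUID claim value); the stored procedure name is from the question.
function New-AppClaimsRule {
    param(
        [Parameter(Mandatory)][int]    $AppId,
        [Parameter(Mandatory)][string] $ClaimType   # e.g. urn:contoso:app1:permissions (assumed)
    )
@"
c:[Type == "urn:contoso:identity:userguid"]
 => issue(store = "AppClaimsStore",
          types = ("$ClaimType"),
          query = "EXEC usp_GetAppClaims @AppID = $AppId, @UserGuid = {0}",
          param = c.Value);
"@
}

# Assumed relying party trusts; each one gets only its own query.
$apps = @(
    @{ Name = "App1"; AppId = 1; ClaimType = "urn:contoso:app1:permissions" },
    @{ Name = "App2"; AppId = 2; ClaimType = "urn:contoso:app2:permissions" }
)

foreach ($app in $apps) {
    # Append to the RP's existing issuance rules instead of overwriting them.
    $existing = (Get-AdfsRelyingPartyTrust -Name $app.Name).IssuanceTransformRules
    $rule     = New-AppClaimsRule -AppId $app.AppId -ClaimType $app.ClaimType
    Set-AdfsRelyingPartyTrust -TargetName $app.Name `
        -IssuanceTransformRules ($existing + "`n" + $rule)
}

# 3. The contrast paullem warns about: the same kind of rule placed on the
#    claims provider trust runs once at sign-in and its output lands in the
#    AD FS session for every RP, which is where the large-token problem comes from.
#    Shown only as the cmdlet you would be using; not run here.
# Set-AdfsClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $ruleForAllApps
```

Because issuance rules are evaluated each time AD FS issues a token to a given RP, switching from App1 to App2 does run App2's query, as long as the browser is actually sent back to AD FS for App2 (the later self-answer in this thread is about why it sometimes is not).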

Wrt "Refresh", i.e. the value of Value1 changes between accessing App1 and App2, then no - you have to log out, albeit "under the hood".

In terms of large cookies, once upon a time (WIF 3.5) there was "Session Mode", i.e. Switching to WIF SessionMode in ASP.NET.

rbrayb

The issue ended up being two applications using the same cookie. Found out you have to give the cookie a unique name in the web.config or else you won't get redirected back to AD FS when switching between Apps.

MisterIsaak
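A check for the condition described in the answer above, added here as an example and not code from the original thread: WIF's `cookieHandler` defaults to the name `FedAuth`, so two applications on the same host that both leave the default share one session cookie, and the second app finds a valid session instead of redirecting to AD FS. The function below reads several web.config documents and reports which apps would collide. The app names and config contents are constructed for the example.

```powershell
# Added example (not from the original thread). Reads the WIF cookieHandler
# name from each app's web.config and groups apps that would share a cookie.

function Get-FedCookieName {
    param([Parameter(Mandatory)][xml] $WebConfig)
    # WIF 4.5 location first, then the WIF 3.5 (Microsoft.IdentityModel) location.
    $node = $WebConfig.SelectSingleNode(
        "/configuration/system.identityModel.services/federationConfiguration/cookieHandler")
    if ($null -eq $node) {
        $node = $WebConfig.SelectSingleNode(
            "/configuration/microsoft.identityModel/service/federatedAuthentication/cookieHandler")
    }
    # GetAttribute returns "" when the attribute is absent; WIF then uses FedAuth.
    $name = if ($null -ne $node) { $node.GetAttribute("name") } else { "" }
    if ([string]::IsNullOrEmpty($name)) { return "FedAuth" }
    return $name
}

function Find-FedCookieCollisions {
    param([Parameter(Mandatory)][hashtable] $ConfigsByApp)   # app name -> [xml] web.config
    $appsByCookie = @{}
    foreach ($app in $ConfigsByApp.Keys) {
        $cookie = Get-FedCookieName -WebConfig $ConfigsByApp[$app]
        if (-not $appsByCookie.ContainsKey($cookie)) { $appsByCookie[$cookie] = @() }
        $appsByCookie[$cookie] += $app
    }
    # One object per cookie name that more than one app would use.
    foreach ($entry in $appsByCookie.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ CookieName = $entry.Key; Apps = ($entry.Value | Sort-Object) }
        }
    }
}

# Constructed sample configs. App1 and App2 leave cookieHandler unnamed (the
# situation in the answer); App3 shows the fix: a unique name, plus a path so
# the cookie is only sent to that application.
$app1Config = [xml]@"
<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"@

$app2Config = [xml]@"
<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"@

$app3Config = [xml]@"
<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler name="App3FedAuth" path="/App3" requireSsl="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"@

$configs = @{ "App1" = $app1Config; "App2" = $app2Config; "App3" = $app3Config }

# Reports one collision: CookieName FedAuth, Apps App1 App2. App3 is clean.
Find-FedCookieCollisions -ConfigsByApp $configs | Format-Table -AutoSize
```

The collision only matters for applications that share a cookie scope (same host name, overlapping path), which is the common case when several apps sit under one IIS site; giving each app a distinct `name` and a `path` scoped to its own virtual directory removes the overlap in both dimensions.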