We have a client who is asking us to secure a section of their Sitecore 8.0 site using federated authentication. They are hosting the site on one server and their authentication system is housed somewhere else in their back-end. Here is the code they gave me to implement the authentication:
Startup.Auth.cs

```csharp
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Relying-party identifier (wtrealm) registered with ADFS
    private static string realm = System.Configuration.ConfigurationManager.AppSettings["ida:Wtrealm"];
    // URL of the ADFS federation metadata document
    private static string adfsMetadata = System.Configuration.ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });
    }
}
```
Then, it was to be as simple as adding the [Authorize] attribute to the controller action. For this particular controller action, there is a [HttpGet] action and an [HttpPost] action.
When I visit the secured page, I get redirected to their ADFS system correctly. I can then enter credentials, and upon entering correct credentials I am redirected back to my secure page; however, the following error is thrown:
A potentially dangerous Request.Form value was detected from the client (wresult=t:RequestSecurityTo...).
I know that I'm successfully being logged in because I can browse away and visit another page or close the browser completely and it doesn't redirect me back to the login page again, it just brings me back to the secured page with that error.
I've tried disabling input validation both on the get action and the post action; I've also tried removing all the content from those actions and simply returning a string instead of an ActionResult so that I could make sure nothing on the page was causing anything weird.
I believe that the ADFS sign-in page is causing the problem because it looks like when you visit the sign in page, after a successful login, the page posts back to the secured page you were trying to access, likely including some HTML or JS in the headers and causing the validation error. On subsequent visits to my secured page, since I'm already logged in, I can see the page redirects to the ADFS page briefly (probably to test that I'm still logged in) and then bounces me back to my secured page.
I've also tried running Wireshark and Fiddler to try and see what's coming across in the headers, but I can't seem to get anything useful out of those tools (especially Wireshark: I couldn't figure out how to get the header info out of it, and no HTTP requests (post or get) to my secured page were happening that I could see).
Are there any other things I can try to troubleshoot this? Why is ValidateInput(false) not being respected on my controller action? I would think at minimum, it would at least let me get to my page.
Lastly, I'll say that I've read this and added the requestValidationMode to my site, but now their ADFS is down, so I can't verify if that did anything until that's back up.
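Added example, not from the question and not Sitecore or Katana code: a hypothetical diagnostic IHttpModule that hooks the application Error event, and when the root cause is an HttpRequestValidationException logs whether the request was a WS-Federation sign-in response (the standard wa=wsignin1.0 / wresult form POST) together with the exception stack trace. The module name and the App_Data log path are assumptions; it reads the form through HttpRequest.Unvalidated (ASP.NET 4.5+) so the diagnostic itself does not trigger validation again.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical diagnostic module (added example, not from the question).
// Register in web.config under <system.webServer><modules>:
//   <add name="WsFedTrace" type="WsFedTraceModule" />
public class WsFedTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.Error += (sender, e) => OnError(((HttpApplication)sender).Context);
    }

    private static void OnError(HttpContext ctx)
    {
        // ASP.NET may wrap the original exception; unwrap to the root cause.
        var ex = ctx.Server.GetLastError();
        if (ex == null) return;
        ex = ex.GetBaseException();
        if (!(ex is HttpRequestValidationException)) return;

        var req = ctx.Request;
        // Unvalidated returns the posted fields without running request
        // validation a second time inside the error handler.
        var form = req.Unvalidated.Form;
        bool isWsFedResponse = form["wa"] == "wsignin1.0" && form["wresult"] != null;
        int wresultLength = (form["wresult"] ?? string.Empty).Length;

        string entry = string.Format(
            "{0:o} {1} {2} wsfed={3} wresult={4} bytes{5}{6}{5}",
            DateTime.UtcNow, req.HttpMethod, req.Url.AbsolutePath,
            isWsFedResponse, wresultLength, Environment.NewLine, ex.StackTrace);

        // Assumed log path; the app pool identity must be able to write here.
        File.AppendAllText(ctx.Server.MapPath("~/App_Data/wsfed-trace.log"), entry);
    }

    public void Dispose() { }
}
```

The logged stack trace shows which component read Request.Form first; if that happens before MvcHandler runs the action (for example in an earlier HTTP module or pipeline processor), request validation has already fired and [ValidateInput(false)] on the action never gets a chance to apply.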