1

We are using the ITfoxtec.Identity.Saml2 library to authenticate with our SSO service.

The problem is we are using this on a load balanced servers. If we turn sticky sessions off, the application no longer functions.

I've tried setting isPersistent= true when we create the session but it has had no affect. I've seen similar issues posted related to storing SAML state across a web farm with suggestions ranging from:

Changing the configuration so all servers on the webfarm use the same machine key Creating what amounts to a state service to store authentication.

I would think there would be a way to natively store user state in a cookie that would be reusable regardless if load balancing is being used or not.

Any suggestions on how to attack this?

Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25
Dean Erling
  • 21
  • 1
  • 2

1 Answers1

0

Using ITfoxtec.Identity.Saml2.Mvc and ASP.NET MVC the isPersitent is a parameter on the CreateSession method. The CreateSession method used in the ASP.NET sample application.

The method is called after the SAML 2.0 response is accepted to create the user identity cookie handled by the SessionAuthenticationModule.

Default the user identity cookies is not persistent. Setting the isPersitent=true result in creating persistent user identity cookies. The isPersitent setting has nothing to do with load balancing.

It should be possible to support load balancing by setting the isReferenceMode=true. Reference mode change the user identity cookies from being self contained to being a pointer.

In reference mode, a simple artifact is produced during serialization and the token material is stored in the token cache that is associated with the token handler. The token cache is an instance of a class that derives from SessionSecurityTokenCache. For Web Farm scenarios, the token cache must operate across all nodes in the farm.

Maybe you need to implement a token cache.

Updated:

I am sorry to say that I do not have an example. I have instead added some links that may be can be help full.

WIF and Web Farms

About SessionAuthenticationModule IsReferenceMode

SessionSecurityTokenCache Class

Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25
  • I tried setting isPersitent=true but it still failed when load balancing on our web app You mentioned implementing a token cache. What I fail to see though is how I can force the your library to look in the cache. Do you have sample code that implements a state service. Once the session is created, it does not appear when I step through our implementation that the authentication process repeats. When we call CreateSession, we create store the Principal in the HTTPContext.User object. It doesn't appear once this session is created we have to re-authenticate – Dean Erling Mar 05 '19 at 20:58
  • (continued) We host our web app in Azure Service Fabric. When we change the load balancing rule to not have sticky sessions, the application appears to remain authenticated, in that it does not take us back to our SSO screen, but what I think is happening, is the app remains authenticated but perhaps we are losing claims or some other important part of the SAML token. I've tried to force the application to use the previously created User Principal by retrieving it from the session cache but that has failed. – Dean Erling Mar 05 '19 at 21:06
  • (continued) How can I force the SAML session to persist/retrieve the SAML Session into/from a persisted state service? – Dean Erling Mar 05 '19 at 21:15