As part of the login process, once the token has been received and accepted, the WSFederationAuthenticationModule calls the SessionAuthenticationModule's WriteSessionTokenToCookie method:
```csharp
public void WriteSessionTokenToCookie(SessionSecurityToken sessionToken)
{
    // Error checking omitted.
    // 'handler' is the SessionSecurityTokenHandler configured for this module.
    byte[] buffer = handler.WriteToken(sessionToken);   // serialize (and protect) the session token
    SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(this.CookieHandler.Path, sessionToken.ContextId, sessionToken.KeyGeneration);
    DateTime expiryTime = DateTimeUtil.Add(sessionToken.ValidTo, base.FederationConfiguration.IdentityConfiguration.MaxClockSkew);
    handler.Configuration.Caches.SessionSecurityTokenCache.AddOrUpdate(key, sessionToken, expiryTime);
    // Hand the serialized blob to the configured cookie handler, which writes the actual cookie(s).
    this.CookieHandler.Write(buffer, sessionToken.IsPersistent, sessionToken.ValidTo);
}
```
This, as you can see, writes some form of the token, suitably serialized, as cookie(s). Exactly what is included in it depends on some options; for instance, SaveBootstrapContext may affect exactly what is stored. If this option is turned on then, yes, I believe the SAML token is stored in the cookie.
So, what cookie is stored? That depends on what this.CookieHandler is doing. By default, this is the ChunkedCookieHandler, which ultimately (again, by default) will split the binary blob that the above method call passes it into multiple smaller blobs, and store those in a series of cookies of the form FedAuth1, FedAuth2, etc.
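As an added illustration (not part of the original answer, and not WIF's own code), the Python below mimics how a chunking cookie handler splits the encoded session blob across FedAuth, FedAuth1, FedAuth2, ... cookies, and shows how one could reassemble those chunks from a raw Cookie header and measure the decoded blob, which is a quick way to spot whether SaveBootstrapContext is inflating the session cookie. The cookie name "FedAuth", the 1-based suffix scheme and the 2000-character chunk size are assumed defaults, and the values are constructed.

```python
import base64
from typing import Dict

COOKIE_NAME = "FedAuth"  # WIF default session cookie name (assumption: defaults unchanged)
CHUNK_SIZE = 2000        # default ChunkedCookieHandler chunk size (assumption)


def chunk_cookie_value(encoded: str, name: str = COOKIE_NAME,
                       chunk_size: int = CHUNK_SIZE) -> Dict[str, str]:
    """Split an encoded token the way a chunking cookie handler does:
    the first chunk keeps the bare name, later chunks get a 1-based suffix."""
    chunks = [encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size)] or [""]
    return {(name if i == 0 else f"{name}{i}"): c for i, c in enumerate(chunks)}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a raw 'a=1; b=2' Cookie header into a dict; values are kept verbatim."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return cookies


def reassemble_cookie(cookies: Dict[str, str], name: str = COOKIE_NAME) -> str:
    """Join name, name1, name2, ... in numeric order. A gap in the sequence means
    the blob is incomplete (a chunk was dropped or altered), so refuse it."""
    if name not in cookies:
        raise ValueError(f"no {name} cookie present")
    parts, i = [cookies[name]], 1
    while f"{name}{i}" in cookies:
        parts.append(cookies[f"{name}{i}"])
        i += 1
    stray = [k for k in cookies
             if k.startswith(name) and k[len(name):].isdigit() and int(k[len(name):]) >= i]
    if stray:
        raise ValueError(f"chunk sequence for {name} has a gap before {stray}")
    return "".join(parts)


def session_blob_size(header: str, name: str = COOKIE_NAME) -> int:
    """Size in bytes of the decoded session blob carried by the chunked cookies.
    A blob far larger than expected suggests the bootstrap token is being saved."""
    return len(base64.b64decode(reassemble_cookie(parse_cookie_header(header), name)))
```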
Is there a configuration in the standard ADFS setup for .NET web applications on the IIS to allow switching to ASPXAUTH once the initial token is validated?
Not so far as I'm aware.