WIF passive federation with custom load balancer in place

StackOverflow https://stackoverflow.com/questions/9824107

  •  25-05-2021
  •  | 
  •  

Question

I'm implementing a simple load balancer - it's an http listener which parses incoming requests from browser and routes them to appropriate ASP.NET application. It listens on a certain port (8801) and when routing it preserves the original URI and changes only port number, e.g. https://machine.domain.com:8801/testsite/Default.aspx could be routed to https://machine.domain.com:8811/testsite/Default.aspx

With no security routing works just fine. The problem emerges when I try to apply WIF federation to the ASP.NET apps. I use ADFS 2.0. Here are two scenarios I tried:

scenario 1

relying party's WS-Federation passive endpoint is set to ASP.NET app URI

When load balancer URI is accessed through browser, load balancer routes to the ASP.NET app and the page gets loaded, however, the RequestSecurityTokenResponse from STS is redirected directly to the ASP.NET app (not the load balancer), according to the passive endpoint set up. So it works but since I want the entire communication towards ASP.NET app to be handled through the load balancer, this scenario doesn't meet my requirement.

scenario 2

relying party's WS-Federation passive endpoint is set to load balancer URI

When load balancer URI is accessed through browser, load balancer routes to the ASP.NET app, which returns Unauthorized response, browser redirects to STS, RequestSecurityTokenResponse is redirected back to the load balancer, but when further routed to the ASP.NET app, I get a response of 401 - Unauthorized: Access is denied due to invalid credentials. That's due to the URI mismatch I believe, as the saml token is issued for load balancer URI. I tried various combinations of audience uris and realms, but no success.

So my question is whether there exists a workaround that would enable load balancer handle all necessary federation communication, as my ASP.NET apps can only be accessed from the load balancer.

I hope I explained my problem clearly enough.

Help much appreciated Thanks

Was it helpful?

Solution

Eventually the problem was somewhere else. What my load balancer actually does is to transform an incoming HttpListenerRequest to a new HttpWebRequest, which is then forwarded to the appropriate ASP.NET app. However, I didn't disable the auto redirect on the forwarded request so there were happening redirections from ASP.NET app to ADFS. This code did the magic:

HttpWebRequest.AllowAutoRedirect = false;

OTHER TIPS

In your relying party application web.config, can you confirm that your federatedAuthentication section looks something like this (the realm below should have your NLB port specified):

<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://mysts.com/v2/wsfederation" realm="https://machine.domain.com:8801/testsite/Default.aspx" requireHttps="false" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>

Also, another problem you should be aware of is the session cookie. WIF uses DPAPI by default to encrypt it, so you'll have to use RsaEncryptionCookieTransform instead. The same problem problem exists when using WIF in Azure. Here's an article that demonstrates how this is done:

http://msdn.microsoft.com/en-us/library/windowsazure/hh289318.aspx

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top