Question

So here is the setup. I have a STS Provider and 2 ASP.NET MVC sites both trusting the same STS provider. User comes to Site A and is redirected to the STS Provider passive login, authenticates properly, and is redirected back to site 'A' as expected. This all works great. I can see the token and identity in code in site 'A' using the following:

using System.Threading;
using Microsoft.IdentityModel.Claims;

// After the WIF modules have processed the token, the current principal is an IClaimsPrincipal
IClaimsPrincipal claimsPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

Now there is a link on site 'A' to site 'B' that trusts the same STS provider. The issue is when I navigate to site 'B', the claim information is not present and the user is not automatically authenticated. According to the STS and WIF documentation the following should occur:

"The flow starts as usual, the user requests a page from B on site A and gets redirected to the STS to obtain a token. However, this time the user is already authenticated with the STS site because there is an active session represented by the STS cookie. This means the request for the STS page leads straight to execution of the SecurityTokenService issuing sequence without showing to the user any UI for credential gathering. The token is issued silently and forwarded to B according to the usual sequence. From the moment the user clicks on the link to B and the browser displays the requested page from B, only some flickering of the address bar in the browser will give away the fact that some authentication took place under the hood. That’s pretty much what Single Sign-on (SSO) means: the user went through the experience of signing in only once, and from that moment on the system is able to gain access to further Reliable Parties without prompting the user for credentials again."

Does anyone know what needs to occur in either the STS Provider, Site A, or Site B explicitly to make this work correctly? Remember the STS and site 'A' are working perfectly; it's just site 'B' is not getting the SSO ability.

Thanks!


Solution

Yes - you should get SSO.

Using ADFS terms, I assume you FedUtil'd both A and B with the STS and configured both A and B on the STS as Relying Parties with essentially the same configuration? I assume you've compared both A and B web.config?

Clear out all your cookies - I find Firefox does this best.

Navigate directly to B. What happens?

  • STS login screen?
  • FBA login screen?
  • Nothing - just goes straight to B?

If STS login screen, what happens when you authenticate and then navigate to A?

If nothing, is the landing page on B protected?
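To make the "compare both web.configs" step concrete, here is an added example (not the asker's configuration) of the WIF 3.5 settings that matter for SSO on site B; the hostnames and the thumbprint are placeholders. The parts that must be identical to site A are the STS issuer URL and the trusted issuer thumbprint; the parts that must be B's own are the realm and audience URI, and that same realm must be registered as a Relying Party on the STS.

```xml
<!-- Assumed web.config fragment for site B (WIF 3.5, Microsoft.IdentityModel schema); placeholder values -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.web>
    <authorization>
      <!-- The landing page must be protected, otherwise no redirect to the STS ever happens -->
      <deny users="?" />
    </authorization>
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>
  <microsoft.identityModel>
    <service>
      <!-- Per-site: B's own URL, and it must match the RP entry for B on the STS -->
      <audienceUris>
        <add value="https://siteb.example.com/" />
      </audienceUris>
      <federatedAuthentication>
        <!-- 'issuer' must be the same STS endpoint that A uses; 'realm' identifies B to the STS -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://sts.example.com/"
                      realm="https://siteb.example.com/"
                      requireHttps="true" />
        <!-- B's session cookie is scoped to B; A's cookie is never sent here, so SSO relies on the STS cookie -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <!-- Shared with A: the STS signing certificate thumbprint; a mismatch makes B reject the issued token -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfiguredTrustedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="STS_SIGNING_CERT_THUMBPRINT_PLACEHOLDER" name="https://sts.example.com/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

If B's realm is not registered on the STS, or its trusted issuer thumbprint differs from A's, the STS session cookie still exists but B never completes the silent token exchange, which matches the symptom described in the question.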

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow