I am using Owin to configure my ASP.NET MVC 5 (.NET 4.5, IIS 7/8) application to authenticate against a third-party ADFS setup:
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Identities produced by WS-Federation are signed in under this authentication type
            app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType // session cookie keyed on the same type
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Settings.Auth.Wtrealm,                 // relying-party realm registered in ADFS
                MetadataAddress = Settings.Auth.MetadataAddress  // ADFS federation metadata URL
            });
        }
    }
I also have a custom authentication filter (used in conjunction with AuthorizeAttribute):
    using System.Web.Mvc;
    using System.Web.Mvc.Filters;

    public class OwinAuthenticationAttribute : ActionFilterAttribute, IAuthenticationFilter
    {
        public void OnAuthentication(AuthenticationContext filterContext)
        {
            // Principal as populated for this request before the action runs
            var user = filterContext.RequestContext.HttpContext.User;
            var authenticated = user.Identity.IsAuthenticated;
            if (!authenticated)
            {
                // Anonymous request: nothing to do here, [Authorize] triggers the challenge
                return;
            }
            /* Redirect to profile setup if not already complete */
        }

        public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
        {
            // No custom challenge handling
        }
    }
This works fine half of the time but sometimes, on initial login, a redirect loop will occur between the app and the ADFS login. This seems to be session-specific (does not occur for all users at once) and once the redirect loop occurs it seems to continue occurring until an application pool refresh.
When the redirect loop occurs, I can still see (in Chrome's Network tab) what looks like a valid token being issued by ADFS.
I'm having a hard time isolating the root cause, but what I have found is that when the loop does not occur, user.Identity is of type ClaimsIdentity and IsAuthenticated is true. When it does occur, IsAuthenticated is false but user.Identity is of type WindowsIdentity.
All forms of authentication in IIS - except Anonymous - are disabled. IIS Express is not in use anywhere.
What could be causing this?
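To narrow down a symptom like the one described (a WindowsIdentity with IsAuthenticated false on some sessions, a ClaimsIdentity on others), it helps to record, per request, what HttpContext.User holds next to what the OWIN pipeline holds and whether the session cookie is even present. The following diagnostic filter is an added example, not the poster's code and not part of any Microsoft library; the filter name, the trace format and the DescribeIdentity helper are assumptions made here. It relies only on public APIs: HttpContextBase.GetOwinContext() from Microsoft.Owin.Host.SystemWeb, IAuthenticationManager.User, and the CookieAuthenticationDefaults.CookiePrefix used for the default cookie name.

```csharp
using System;
using System.Diagnostics;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;                 // GetOwinContext() extension from Microsoft.Owin.Host.SystemWeb
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

// Hypothetical diagnostic filter (added example, not the original post's code).
// Register it globally or on the affected controllers while investigating; it
// only traces, it never changes the authentication outcome.
public class IdentityDiagnosticsAttribute : ActionFilterAttribute, IAuthenticationFilter
{
    // Name the cookie middleware uses when CookieName is left at its default:
    // CookiePrefix + AuthenticationType (".AspNet.Federation" for the WS-Fed type).
    private static readonly string SessionCookieName =
        CookieAuthenticationDefaults.CookiePrefix + WsFederationAuthenticationDefaults.AuthenticationType;

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        var http = filterContext.HttpContext;

        // What MVC sees (this is where the poster observed WindowsIdentity vs ClaimsIdentity)
        IIdentity mvcIdentity = http.User != null ? http.User.Identity : null;

        // What the OWIN authentication middleware produced for this request
        ClaimsPrincipal owinPrincipal = http.GetOwinContext().Authentication.User;
        IIdentity owinIdentity = owinPrincipal != null ? owinPrincipal.Identity : null;

        bool sessionCookiePresent = http.Request.Cookies[SessionCookieName] != null;

        Trace.TraceInformation(
            "auth-diag path={0} sessionCookie={1} mvc=[{2}] owin=[{3}] disagree={4}",
            http.Request.Path,
            sessionCookiePresent,
            DescribeIdentity(mvcIdentity),
            DescribeIdentity(owinIdentity),
            OwinAndMvcDisagree(mvcIdentity, owinIdentity));
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // Diagnostics only; the existing filters decide how to challenge.
    }

    // Renders an identity as "Type/AuthenticationType/IsAuthenticated" for the trace line.
    // A WindowsIdentity with IsAuthenticated=false is the anonymous identity IIS hands
    // to a request that no authentication module populated.
    internal static string DescribeIdentity(IIdentity identity)
    {
        if (identity == null)
        {
            return "null";
        }
        return string.Format("{0}/{1}/{2}",
            identity.GetType().Name,
            identity.AuthenticationType ?? "(none)",
            identity.IsAuthenticated);
    }

    // True when OWIN holds an authenticated ClaimsIdentity but MVC does not (or vice versa).
    // A persistent "true" here on looping sessions points at the hand-off between the
    // OWIN pipeline and HttpContext.User rather than at ADFS or the token itself.
    internal static bool OwinAndMvcDisagree(IIdentity mvcIdentity, IIdentity owinIdentity)
    {
        bool mvcAuthenticated = mvcIdentity != null && mvcIdentity.IsAuthenticated;
        bool owinAuthenticated = owinIdentity != null && owinIdentity.IsAuthenticated;
        return mvcAuthenticated != owinAuthenticated;
    }
}
```

Reading the trace for a looping session alongside a healthy one answers the questions the symptom raises one at a time: whether the cookie ever reaches the application after ADFS posts the token, whether the OWIN middleware decodes it into a ClaimsIdentity, and whether that identity is what MVC's HttpContext.User ends up holding when the [Authorize] check runs.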