ADFS - ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true


Solution 1

This is a typical error when you install a load balancer that terminates SSL.

We have a number of sites like this - never found any side-effects.

Just ensure that ADFS traffic goes out and then in because ADFS doesn't allow http endpoints when configuring. It always uses https endpoints when redirecting back to the RP.

Word of warning - ADFS traffic cannot be terminated at the load balancer - it needs https all the way to the ADFS server.

Solution 2

I solved this error in development by changing the web project's setting for SSL Enabled to true. It was somehow set to false and had no SSL URL property value set either.


Solution 3

We ran into the same issue. I think the flag requireSsl in cookieHandler is misused by WSFederationAuthenticationModule.OnEndRequest. RequireSsl, in the abstract class System.IdentityModel.Services.CookieHandler and in System.IdentityModel.Services.ChunkedCookieHandler, sets the Secure flag on cookies. If this flag is set to true, a client (e.g. a browser) is responsible for sending the cookie only over secure connections (https). But in WSFederationAuthenticationModule.OnEndRequest the flag is used to cancel the process if Request.Url is not an https request. In SSL offloading scenarios this is the wrong behavior. One solution is to implement a custom WSFederationAuthenticationModule and override OnEndRequest:

    using System;
    using System.IdentityModel.Services;

    // Class name is a placeholder; the override body is the answer's own logic.
    public class OffloadAwareWSFederationAuthenticationModule : WSFederationAuthenticationModule
    {
        protected override void OnEndRequest(object sender, EventArgs args)
        {
            // RequireSsl lives on the cookie handler (System.IdentityModel.Services.ChunkedCookieHandler by default)
            var cookieHandler = FederatedAuthentication.SessionAuthenticationModule.CookieHandler;
            var reqSsl = cookieHandler.RequireSsl;
            if (reqSsl)
            {
                // Temporarily clear the flag so the base class does not reject the http request with ID1059
                cookieHandler.RequireSsl = false;
                try
                {
                    base.OnEndRequest(sender, args);
                }
                finally
                {
                    // Always restore the configured value afterwards
                    cookieHandler.RequireSsl = reqSsl;
                }
            }
            else
            {
                base.OnEndRequest(sender, args);
            }
        }
    }
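A more restrictive variant of the override above, added here as an example and not code from the answer or from WIF: it relaxes the scheme check only for requests that were https at the load balancer, so a plain http request that bypasses the offloader still fails with ID1059 exactly as before. The class name, the trusted proxy address and the assumption that the load balancer sets an X-Forwarded-Proto header are assumptions of this example; WIF has no such setting of its own.

```csharp
using System;
using System.IdentityModel.Services;
using System.Net;
using System.Web;

// Hypothetical class name. Everything below that refers to the load balancer
// (address, header name) is an assumption of this example, not a WIF feature.
public class ProxyAwareWSFederationAuthenticationModule : WSFederationAuthenticationModule
{
    // Constructed value: the address the SSL-terminating load balancer connects from.
    // Only requests from this address may claim "https" via a forwarded header.
    private static readonly IPAddress TrustedProxy = IPAddress.Parse("10.0.0.5");

    // True when the client side of the connection was https, either directly or at the edge.
    private static bool ArrivedOverHttpsAtTheEdge(HttpRequest request)
    {
        // Direct https to the web server: nothing to relax.
        if (request.IsSecureConnection)
            return true;

        // Behind the offloader the hop to us is http. Trust X-Forwarded-Proto only
        // when the TCP peer really is the load balancer, otherwise the header is
        // attacker-controlled input and must be ignored.
        IPAddress remote;
        if (!IPAddress.TryParse(request.UserHostAddress ?? string.Empty, out remote)
            || !remote.Equals(TrustedProxy))
            return false;

        string forwardedProto = request.Headers["X-Forwarded-Proto"];
        if (string.IsNullOrEmpty(forwardedProto))
            return false;

        // The header may carry a comma-separated chain; the first entry is the client-facing hop.
        string firstHop = forwardedProto.Split(',')[0].Trim();
        return string.Equals(firstHop, "https", StringComparison.OrdinalIgnoreCase);
    }

    protected override void OnEndRequest(object sender, EventArgs args)
    {
        var app = sender as HttpApplication;
        HttpRequest request = app != null ? app.Context.Request : HttpContext.Current.Request;

        var cookieHandler = FederatedAuthentication.SessionAuthenticationModule.CookieHandler;
        bool configuredRequireSsl = cookieHandler.RequireSsl;

        // Keep the default (rejecting) behaviour unless the request was https at the edge.
        if (!configuredRequireSsl || !ArrivedOverHttpsAtTheEdge(request))
        {
            base.OnEndRequest(sender, args);
            return;
        }

        // Same toggle as the answer's override, but only reached for edge-https requests.
        cookieHandler.RequireSsl = false;
        try
        {
            base.OnEndRequest(sender, args);
        }
        finally
        {
            // Restore the configured value so later requests see the original setting.
            cookieHandler.RequireSsl = configuredRequireSsl;
        }
    }
}
```

To use it, point the type attribute of the WSFederationAuthenticationModule entry under the modules section of web.config at this class instead of System.IdentityModel.Services.WSFederationAuthenticationModule. Because the flag is cleared for the duration of the base call, verify after deployment (browser developer tools, Set-Cookie on the sign-in response) that the issued FedAuth cookie still carries the Secure attribute, and check the server logs to confirm that direct http requests from addresses other than the load balancer are still rejected with ID1059.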
Author by

Hari Narisetty

Updated on July 09, 2022

Comments

  • Hari Narisetty almost 2 years

    We have a website hosted and configured to use ADFS 2.0 for SSO. When I browse the web site via https, I am getting the below error.

    I think the reason is that the load balancer is hitting the web server with http. If I change the below entry in the web.config it may fix it, but I am not sure about the side effects. Any experience with this?

     <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://localhost/abc"
                      realm="https://localhost/abc/"
                      requireHttps="true"/>
        <cookieHandler requireSsl="true"/>
     </federatedAuthentication>

    Exception Details: System.InvalidOperationException: ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true in the configuration, therefore the authentication cookie will not be sent. Change the URL scheme to https or set requireSsl to false on the cookieHandler element in configuration.

    System.IdentityModel.Services.WSFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs args) +726