Julian Steenkamp Julian Steenkamp - 5 months ago 125
ASP.NET (C#) Question

WsFederation Authentication login loop

I am experiencing a problem with a login loop when using

WsFederation Authentication
in my MVC web application. I used visual studio to create the scaffolding of the web application and to setup the
in the
. Which generates the following block of code:

public class Startup
private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

public void Configuration(IAppBuilder app)

app.UseCookieAuthentication(new CookieAuthenticationOptions());

app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
Wtrealm = realm,
MetadataAddress = adfsMetadata

The web application is hosted in Azure and the ADFS is on premises.

On some clients, when a login attempt is made the login page goes into a loop requesting a new tokens causing the following exception on the ADFS Server:

Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '7' seconds. Contact your administrator for details.

I have read many articles on StackOverflow and looked at the various examples provided by the guys who wrote IdentityServer and I have tried the various configuration options and I cannot isolate the problem to a specific area.

From what I read it is a general problem with the OWIN middle ware loosing context of the object and as a result the token gets "lost".

I have attempted to implement some of the sample code that other have provided on StackOverflow but, I cannot seem to find a solution the resolves my problem or maybe a have not implemented the code correctly.

Any Ideas?


The cause of the problem was the request and response URLs where not the same. I.e. When a user entered the website URL and did not prefix it with HTTPS the redirect loop would occur.

The cause was hidden because the user is immediately redirected to ADFS if they are not authenticated or authorized.

All I had to do was to ensure that all user requests are redirected back to the HTTPS URL and that the HTTP binding is removed.(Either or would have worked just fine)

This is the code I used to ensure that all requests are redirect to https.

        <rule name="Redirect to https">
          <match url="(.*)"/>
            <add input="{HTTPS}" pattern="Off"/>
            <add input="{REQUEST_METHOD}" pattern="^get$|^head$" />
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>

I hope this post was helpful.