ADFS 2.0 cookie MSISIPSelectionPersistent not set correctly
-
Tuesday, August 14, 2012 8:20 AM
We have a public ADFS with two claims providers: itself (AD) and an internal ADFS (via ADFS proxy). Home Realm Discovery is automated based on the client's IP address. Normally, this works as expected, but there is one situation where the MSISIPSelectionPersistent cookie isn't set as expected.
There are situations when the automatic HRD makes the wrong decision and directs the user to the wrong ADFS for logon. To handle these situations, the logon pages have cross links so that a user can explicitly click on a link to get to the correct ADFS logon in case the automagic failed.
Both links reference the public ADFS ".../adfs/ls/?wa=wsignin1.0&..." with the same parameters except for the whr parameter. The link to the internal (proxy) ADFS has the ID of the Claims Provider as whr parameter while the link to the public ADFS has the ID of the public ADFS itself as whr parameter.
Both links work as expected and the user ends up on the correct logon page after clicking a link. Now to the problem:
If the user - on the public ADFS logon page - clicks on the link to get to the internal ADFS logon page, the MSISIPSelectionPersistent cookie is immediately set to reference the claims provider ID for the internal ADFS and the user is redirected to the internal ADFS. If the user changes his mind and clicks the link to get back to the external ADFS, the user is redirected to the correct logon page but the MSISIPSelectionPersistent cookie is not changed. Even after a successful logon to the external ADFS, the MSISIPSelectionPersistent cookie still references the internal ADFS.
I cannot see any ADFS log entries that are directly related to this situation.
Why is the MSISIPSelectionPersistent cookie set when the whr parameter references the claims provider ID for the internal ADFS but not when the ADFS ID for the public ADFS is referenced? What can I do to correct this?
All Replies
-
Monday, August 27, 2012 8:08 AM
Anyone?
-
Monday, September 03, 2012 5:34 PM
Hi Gunnar,
If HRD is automated using the IP address then can you not turn off persistence in the web.config?
<persistIdentityProviderInformation enabled="false" />
Regards,
Mylo
- Proposed As Answer by Mylo Friday, September 28, 2012 9:23 AM

