Windows Identity Foundation : A SignInResponse message may only redirect within the current web application

We have run into an issue in the WSFederationAuthenticationModule class within WIF.

The bug has been posted here on Microsoft Connect:
http://connect.microsoft.com/site642/feedback/details/573589/wsfederationauthenticationelement-web-config-requires-trailing-slash-after-home-realm-otherwise-an-error-occurs

Basically the issue comes when the application requesting authentication from your STS sends a redirection URL without a trailing slash. The slash cannot always be guaranteed, as the return URI is built from the URI the user actually accessed. Therefore, if a user bookmarks the wrong URI or a link doesn't have the trailing slash, the RP throws the exception message quoted in the title.

In trying to fix this problem I had a look through the WSFederationAuthenticationModule's public events. None of the events that we could see fired before the offending code in OnAuthenticateRequest().

The workaround listed on Microsoft Connect was quite bad, as it forced us to check every single request in each RP to ensure that the trailing slash was in the URI and, if not, redirect back to itself with the trailing slash.

I came up with a simpler solution to the problem which only needs a change to the STS itself. Since we couldn't get into a public event before the offending code, we added an HttpModule to the pipeline and ensured it ran before the WS-Federation modules.

This custom HttpModule simply checked the 'ru' return URI field (within the wctx entry in the query string) for a trailing slash and, if it was missing, redirected back to itself with the trailing slash appended to the 'ru' field.
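As an added example (my own code, not the module from the original post, which is not shown), here is what such an HttpModule on the STS can look like. The class and method names (WctxTrailingSlashModule, NormalizeWctx, AppendTrailingSlash) are my own. It assumes the default WIF wctx layout (rm=…&id=…&ru=…) and that the STS receives the sign-in request with wa=wsignin1.0. It only repairs a relative 'ru' that names a directory; absolute URLs and file-like paths are left untouched so that WIF's own "may only redirect within the current web application" check, which is the open-redirect protection behind the exception in the title, still decides those cases on the RP.

```csharp
using System;
using System.Collections.Specialized;
using System.IO;
using System.Web;

// Hypothetical module: appends a trailing slash to the 'ru' entry of wctx
// before the WIF modules see the sign-in request.
public class WctxTrailingSlashModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before AuthenticateRequest, where
        // WSFederationAuthenticationModule does its work.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Only WS-Federation sign-in requests carry a wctx worth rewriting.
        if (!string.Equals(request.QueryString["wa"], "wsignin1.0", StringComparison.Ordinal))
            return;

        string wctx = request.QueryString["wctx"];
        if (string.IsNullOrEmpty(wctx))
            return;

        string fixedWctx = NormalizeWctx(wctx);
        if (fixedWctx == null)
            return; // nothing to change, let the WIF modules handle the request

        // Rebuild the query string with the corrected wctx and redirect
        // back to this same STS endpoint (same scheme, host and path).
        NameValueCollection qs = HttpUtility.ParseQueryString(request.Url.Query);
        qs["wctx"] = fixedWctx;
        string self = request.Url.GetLeftPart(UriPartial.Path) + "?" + qs.ToString();
        app.Context.Response.Redirect(self, true);
    }

    // Returns the wctx with a trailing slash appended to 'ru',
    // or null when no change is needed.
    public static string NormalizeWctx(string wctx)
    {
        NameValueCollection parts = HttpUtility.ParseQueryString(wctx);
        string ru = parts["ru"];
        if (string.IsNullOrEmpty(ru))
            return null;

        string fixedRu = AppendTrailingSlash(ru);
        if (fixedRu == ru)
            return null;

        parts["ru"] = fixedRu;
        return parts.ToString(); // HttpValueCollection re-encodes as key=value&...
    }

    // Appends "/" to a relative directory-like path, preserving any query string.
    public static string AppendTrailingSlash(string ru)
    {
        // Leave absolute URLs alone: only WIF's same-application check on the RP
        // should decide whether they are acceptable.
        if (Uri.IsWellFormedUriString(ru, UriKind.Absolute))
            return ru;

        int q = ru.IndexOf('?');
        string path = q >= 0 ? ru.Substring(0, q) : ru;
        string query = q >= 0 ? ru.Substring(q) : string.Empty;

        if (path.Length == 0 || path.EndsWith("/", StringComparison.Ordinal))
            return ru;

        // A last segment with an extension looks like a file (e.g. /app/default.aspx),
        // not the application root, so do not turn it into a directory.
        if (Path.HasExtension(path))
            return ru;

        return path + "/" + query;
    }
}
```

Register the module in the STS web.config ahead of the WIF entries (under system.webServer/modules for integrated pipeline, or system.web/httpModules for classic mode) so it is in the pipeline when the sign-in request arrives. The module changes nothing but the trailing slash; it never rewrites the host or scheme of 'ru', so it does not weaken the RP-side check that the error message enforces.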

I've updated the Microsoft Connect website with the new workaround.
