Monday, January 27, 2014

ADFS2.0 and the maximum number of groups

Another subtle issue with ADFS2.0. This time it turned out that the maximum allowed token size is set rather low to 8192 bytes. This means that ADFS is fixed to issue at most two federation cookies to persist its internal user session.

What if the token should be larger, for example user belongs to many security groups?

Well, ADFS just doesn’t issue its own cookies. As a result, user inputs her correct credentials and instead being redirected to a RP application, the ADFS login page is rendered (as there are no cookies indicating a correct authentication) again. The RP is even not hit at all.

In one of our environments, it turned out that somewhere around 100 security groups was the limit. For users with more groups, the login page is rendered forever, accepting credentials but returing to the very same page.

Fortunately, the limit can be changed. Unfortunately, it is stored in a internal class. To raise the limit, reflection has to be used. Put this in ADFS’s global.asax or even in the static constructor of the login page (FormsSignIn.aspx.cs):

public partial class FormsSignIn : FormsLoginPage
    // Static constructor, added to the existing class
    static FormsSignIn()
            // raise the limit of the internal cookie size 
            Type federationPassiveAuthentication =
                typeof( FormsLoginPage ).Assembly.GetType( 
                    "Microsoft.IdentityServer.Web.FederationPassiveAuthentication" );
            federationPassiveAuthentication.InvokeMember( "SsoMaxSize",
                System.Reflection.BindingFlags.SetProperty |
                System.Reflection.BindingFlags.Public |
                new object [] { 100000u } // new limit
    // The untouched code
    protected void Page_Load( object sender, EventArgs e )
    ... untouched code follows

Looks ugly but works. With this technique, we are able to get ADFS to issue the maximum allowed number of cookies until ultimately the “Request Headers too long” exception is raised by IIS indicating that there are too many cookies to be handled.

(and unfortunately, I was not able to work this around)

In our scenario, this change allows users to have up to 300 security groups.