Error - A SignInResponse message may only redirect within the current web application - MVC 2.0 application

Question

I have a situation where we have a MVC 2 application(I tried this with a basic MVC 2 app without any extra stuff, still same problem) and am using adfs 2 for authenticating my users.

So.. Now I get into my application and I get the below.. ID3206: A SignInResponse message may only redirect within the current web application: '/[app]' is not allowed. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: Microsoft.IdentityModel.Protocols.FederationException: ID3206: A SignInResponse message may only redirect within the current web application: '/[app]' is not allowed.

I have read most blogs on this, and posted to one..

    <federatedAuthentication>             <wsFederation passiveRedirectEnabled="true" issuer="https://auth.[domain]/adfs/ls/" realm="https://[development domain]/[app]/" requireHttps="true" />             <cookieHandler requireSsl="true" />           </federatedAuthentication> <audienceUris>     <add value="https://[development domain]/[app]/" />   </audienceUris> 

1. I have the trailing slash on the realm and audienceUris.
2. I have added what he suggested to Application_BeginRequest – I then copied code to [development domain] as that’s where the certs are.. It just gets stuck in an infinite loop then.
3. I also have checked my Relying Party on the Geneva server.. The Identifiers and Endpoints(POST) are both https://[development domain]/[app]/ - again with the trailing slash

I think it’s a problem with the fact it’s a MVC application, I have created numerous Claims Aware website and got my claims etc on the default.aspx page. My thinking is that the routing that is involved with the MVC app is somehow posting it back wrong?

any help really apprecaited as Im looking at this for quiet a while now to no avail..

J

Answer 1

I've been tearing my hair out on this one. I too have the trailing slash specified in my configuration. Turns out that, in my case, navigating to my app with a trailing slash in the browser like so:

http://localhost/myapp/

will work, whereas

http://localhost/myapp

will not.

If I can dig up some more reasons why this is the case, I will add some more background on why this is happening.

Answer 2

I override the RedirectToIdentityProvider on subclass of WSFederationAuthenticationModule. This happens only once before redirecting to the STS. You have to tell the config file to use this class FixedWSFederationAuthenticationModule instead of the defualt WSFederationAuthenticationModule

public class FixedWSFederationAuthenticationModule : WSFederationAuthenticationModule {     public override void RedirectToIdentityProvider(string uniqueId, string returnUrl, bool persist)     {         //This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application:"         //First Check if the request url doesn't end with a "/"         if (!returnUrl.EndsWith("/"))         {             //Compare if Request Url +"/" is equal to the Realm, so only root access is corrected             //https://localhost/AppName plus "/" is equal to https://localhost/AppName/             //This is to avoid MVC urls             if (String.Compare(System.Web.HttpContext.Current.Request.Url.AbsoluteUri + "/", base.Realm, StringComparison.InvariantCultureIgnoreCase) == 0)             {                 //Add the trailing slash                 returnUrl += "/";             }         }         base.RedirectToIdentityProvider(uniqueId, returnUrl, persist);     } }