id-initiated websso and the WIF pipeline. Using it for multi-tenant webapps supported by a multi-tenant IDP


Assume the FAM has fired SessionSecurityTokenCreated with result that a user is now viewing the protected resources.



Should one invoke idp-initiated websso to session, such that a new bearer token is delivered … alongside the SAM cookie,  will only SessionSecurityTokenReceive be fired.

My thought is, in the context of the webapp being multi-tenant (and the inbound SAML assertion identifies the tenant), that the received event might look for the token (canreadsigninresponse). If so, it might delete its session and redirect to the inbound request – thus invoking the FAM’s AuthenticateRequest event handler.

Now, if one has two IE tabs open – each on a different web app tenant-  the first tab would lose its session. What we would now want is to capture the RedirectingToIdentityProvider event, fired in order to recover the session (by requesting a new bearer assertion). We would want to redirect to THAT IDP originally used – remembering that it may have been an idp-initiated interaction. Furthermore, we would want to amend the ws-fedp request so that the response from the IDP would land on the corrent webapp tenant



Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in SSO. Bookmark the permalink.