wfresh not working with WS-Federation via ADFS

Submitted by 孤人 on 2019-12-25 11:53:02

Question


I have an application that authenticates against ADFS 2 via WS-Federation. I look for a specific claim when I get the response back from ADFS and based on that claim, I am able to authorize the user into my application. I want to create an enhancement in which when a user authenticates against ADFS and comes back to my application WITHOUT the claim I require, that I redirect them back to the Identity Provider (ADFS), but this time FORCING them to provide their credentials again. I wrote my code to detect an authenticated user that is missing the claim I require and sends them back to reauthenticate, this time sending along the "Freshness" parameter (wfresh=0). I was under the impression that this would prompt the user for credentials but it seems to just reuse the original credentials which, of course, causes an infinite loop (that ADFS halts). How can I achieve this?

My URL looks like this when I send them back to the IdP after not having the required claim:

https://somedomain.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2fanotherdomain.com%2flogin.ashx&wreply=https%3a%2f%2fanotherdomain%2flogin.ashx&wctx=1106273&wfresh=0

Answer 1:


wfresh on integrated does not make sense. You are always signed into AD and cannot signout. The story is probably different for forms based authentication. But haven't tried that in ADFS.




Answer 2:


I suspect the default for wfresh is zero.

Have you tried it without wfresh?

Also, you could logout - AD FS: How to Invoke a WS-Federation Sign-Out.
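Putting the two answers together, here is an added example (not code from the question or either answer) of how the relying party can handle a missing claim without falling into the loop the question describes: sign the user out first, come back to a sign-in carrying wfresh=0, and deny rather than redirect a second time. The endpoint and realm values are the question's own placeholders, the required claim type is hypothetical, and it is assumed the sign-out endpoint accepts the sign-in URL as its wreply.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the question's URL (placeholders, not real services).
IDP_SIGNIN = "https://somedomain.com/adfs/ls/auth/integrated/"
IDP_SIGNOUT = "https://somedomain.com/adfs/ls/"       # assumed sign-out endpoint
REALM = "https://anotherdomain.com/login.ashx"
REQUIRED_CLAIM = "http://schemas.example.test/claims/role"  # hypothetical claim type
REAUTH_MARK = ";reauth"  # appended to wctx so the app can tell a second pass apart


def build_signin_url(wctx, fresh=False):
    """WS-Federation sign-in request; fresh=True adds wfresh=0 to ask for re-authentication."""
    params = {"wa": "wsignin1.0", "wtrealm": REALM, "wreply": REALM, "wctx": wctx}
    if fresh:
        params["wfresh"] = "0"
    return IDP_SIGNIN + "?" + urlencode(params)


def build_signout_url(wreply):
    """WS-Federation sign-out request that returns the browser to wreply afterwards."""
    return IDP_SIGNOUT + "?" + urlencode({"wa": "wsignout1.0", "wreply": wreply})


def decide(claims, wctx):
    """Decide what to do with an already-validated token.

    claims: dict of claim type -> value (signature/audience checks happen elsewhere).
    wctx:   the opaque context echoed back by the IdP.
    Returns ("authorize", None), ("deny", None) or ("redirect", url)."""
    if REQUIRED_CLAIM in claims:
        return ("authorize", None)
    if wctx.endswith(REAUTH_MARK):
        # Second time through and the claim is still absent: stop instead of
        # bouncing the user back to the IdP again.
        return ("deny", None)
    # With integrated auth, wfresh=0 alone reuses the Windows logon (answer 1),
    # so sign out first (answer 2) and return to a sign-in carrying wfresh=0.
    signin = build_signin_url(wctx + REAUTH_MARK, fresh=True)
    return ("redirect", build_signout_url(signin))


def signin_params_from_signout(url):
    """Helper: extract the nested sign-in parameters from a sign-out redirect URL."""
    wreply = parse_qs(urlsplit(url).query)["wreply"][0]
    return {k: v[0] for k, v in parse_qs(urlsplit(wreply).query).items()}
```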



Source: https://stackoverflow.com/questions/17223809/wfresh-not-working-with-ws-federation-via-adfs
