ADFS - ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true

Hari Narisetty picture Hari Narisetty · Jan 7, 2014 · Viewed 11.2k times · Source

We have a website hosted and configured to use ADFS 2.0 for SSO. When I browse the web site via https, I am getting the below error.

I think the reason is that the load balancer is hitting the web server with http. If I change the below entry in the web.config it may fix, but not sure about the side effects. Any experience on this?

 <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" 
            issuer="https://localhost/abc" 
            realm="https://localhost/abc/" requireHttps="true"/>
    <cookieHandler requireSsl="true"/>
</federatedAuthentication> 

Exception Details: System.InvalidOperationException: ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true in the configuration, therefore the authentication cookie will not be sent. Change the URL scheme to https or set requireSsl to false on the cookieHandler element in configuration.

System.IdentityModel.Services.WSFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs args) +726

Answer

rbrayb picture rbrayb · Jan 7, 2014

This is a typical error when you install a load balancer that terminates SSL.

We have a number of sites like this - never found any side-effects.

Just ensure that ADFS traffic goes out and then in because ADFS doesn't allow http endpoints when configuring. It always uses https endpoints when redirecting back to the RP.

Word of warning - ADFS traffic cannot be terminated at the load balancer - it needs https all the way to the ADFS server.