Authorize and RequireHttps attributes in MVC with claims and ADFS/WIF

Christian Nesmark

Do you struggle with this error? ID1059: Cannot authenticate (...)? We're here to help. But be warned, facepalms might occur.

Update 2013-09-08

After a while, I still had errors, even with the attributes in the correct order in my code. So what was the issue? Well, for MVC, there is a built-in way to ensure the order of filter attributes. Set the Order property to a value greater than -1 (which is the default, and makes the filters run in arbitrary order).

[RequireHttps(Order = 0)] 
[Authorize(Roles = "Admins", Order = 1)]
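One way to keep this from regressing is a reflection check that can run in a unit test. This is an added example, not code from the original post. The names FilterOrderAudit and FindUnorderedControllers are hypothetical, and the check only inspects controller-level attributes, not action-level or global filters.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Added example (hypothetical helper, not from the original post).
// Assumption: only attributes placed on the controller class are audited;
// action-level attributes and global filters are not inspected.
public static class FilterOrderAudit
{
    // Returns the full names of controllers that carry [Authorize] but where
    // [RequireHttps] is missing, or where the two are not explicitly ordered
    // so that RequireHttps runs first.
    public static IList<string> FindUnorderedControllers(Assembly assembly)
    {
        var problems = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var type in controllers)
        {
            var authorize = type
                .GetCustomAttributes(typeof(AuthorizeAttribute), true)
                .Cast<AuthorizeAttribute>()
                .ToList();
            if (authorize.Count == 0)
                continue; // no [Authorize] on this controller, nothing to order

            var https = type
                .GetCustomAttributes(typeof(RequireHttpsAttribute), true)
                .Cast<RequireHttpsAttribute>()
                .FirstOrDefault();

            // Order == -1 is the default; as described above, it does not
            // guarantee which filter runs first, so both must be set explicitly.
            bool ordered = https != null
                && https.Order > -1
                && authorize.All(a => a.Order > https.Order);

            if (!ordered)
                problems.Add(type.FullName);
        }
        return problems;
    }
}
```

Call it from a test with the web project's assembly and assert that the returned list is empty.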

 

Your problem

You have an ASP.NET MVC project. You are supposed to authenticate users with ADFS, and restrict certain controllers so that only authenticated users can access them. So you decorate your controller class with the following attributes.

[Authorize(Roles = "Admins")] 
[RequireHttps]

Now, you get this error.

ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true in the configuration, therefore the authentication cookie will not be sent. Change the URL scheme to https or set requireSsl to false on the cookieHandler element in configuration.

[InvalidOperationException: ID1059: Cannot authenticate (...)]
System.IdentityModel.Services.WSFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs args) +124524
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

You should have done this.

[RequireHttps] 
[Authorize(Roles = "Admins")]

See the difference? The order of attributes is important: you need to ensure an SSL connection before authentication tokens are sent over the wire. Manually, that is.

Facepalm allowed.