Cookies used by ADFS
Updated: August 22, 2005
Applies To: Windows Server 2003 R2
Active Directory Federation Services (ADFS) uses the following three types of cookies:
Authentication cookie
Authentication cookies can be issued by both the Federation Service and the ADFS Web Agent. The ADFS Web Agent takes the ADFS security token that it receives and uses that token as the cookie value. The benefit at the Web server is that it does not need keying material. The Federation Service publishes all the information that is necessary to validate its tokens.
The authentication cookie facilitates single sign-on (SSO). After the Federation Service validates the client once, the authentication cookie is written to the client. The Federation Service produces and consumes the contents of the authentication cookie, and they are opaque to federation server proxies. Further authentication takes place through use of the cookie rather than through repeated collection of the client credentials. For more information about the federation server proxies, see ADFS server roles.
The following illustration shows the contents of an authentication cookie and the ADFS components that use the authentication cookie. The ADFS Web Agent comprises both the ADFS Web Agent Authentication Service and the ADFS Web Agent ISAPI Extension.
The authentication cookie is always a session cookie. The authentication cookie is signed but not encrypted, which is one reason why use of Transport Layer Security and Secure Sockets Layer (TLS/SSL) in ADFS is mandatory.
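The following Go program is an added example, not ADFS code and not from this article. It models the three properties stated above: the Federation Service alone holds the signing key, the Web Agent validates tokens using only the material the Federation Service publishes (so the Web server stores no secret), and the cookie is signed but not encrypted, so its contents are readable by anyone who obtains it, which is why TLS/SSL is required. Ed25519 stands in for the certificate-based signature ADFS actually uses; the Claims payload, the cookie layout (base64url token, a dot, base64url signature) and the names NewFederationService, IssueAuthCookie, ValidateAuthCookie and PeekAuthCookie are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims stands in for the ADFS security token (really a signed SAML assertion).
// Constructed payload for this example only.
type Claims struct {
	Subject  string    `json:"sub"`
	NotAfter time.Time `json:"exp"`
}

// FederationService holds the private signing key; no other component sees it.
type FederationService struct{ signKey ed25519.PrivateKey }

func NewFederationService() (*FederationService, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &FederationService{signKey: priv}, nil
}

// PublishedVerifyKey is the public material the Federation Service publishes.
// It is all a Web Agent needs, so the Web server stores no secret keying material.
func (fs *FederationService) PublishedVerifyKey() ed25519.PublicKey {
	return fs.signKey.Public().(ed25519.PublicKey)
}

// IssueAuthCookie returns base64url(token) + "." + base64url(signature).
// The token is signed but NOT encrypted: anyone holding the cookie can read it.
func (fs *FederationService) IssueAuthCookie(c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(fs.signKey, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

func splitCookie(cookie string) (payload, sig []byte, err error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return nil, nil, errors.New("malformed authentication cookie")
	}
	if payload, err = base64.RawURLEncoding.DecodeString(parts[0]); err != nil {
		return nil, nil, err
	}
	sig, err = base64.RawURLEncoding.DecodeString(parts[1])
	return payload, sig, err
}

// WebAgent models the ADFS Web Agent: it holds only the published verification key.
type WebAgent struct{ verifyKey ed25519.PublicKey }

// ValidateAuthCookie trusts the claims only after the signature verifies under the
// published key and the token is still within its validity period.
func (wa WebAgent) ValidateAuthCookie(cookie string, now time.Time) (Claims, error) {
	payload, sig, err := splitCookie(cookie)
	if err != nil {
		return Claims{}, err
	}
	if !ed25519.Verify(wa.verifyKey, payload, sig) {
		return Claims{}, errors.New("signature check failed: token rejected")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if !now.Before(c.NotAfter) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// PeekAuthCookie reads the claims with no key at all: the signature prevents
// forgery but not disclosure, so without TLS/SSL the cookie is readable in transit.
func PeekAuthCookie(cookie string) (Claims, error) {
	payload, _, err := splitCookie(cookie)
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	err = json.Unmarshal(payload, &c)
	return c, err
}

func main() {
	fs, _ := NewFederationService()
	agent := WebAgent{verifyKey: fs.PublishedVerifyKey()}
	now := time.Now()
	cookie, _ := fs.IssueAuthCookie(Claims{Subject: "alice@example.test", NotAfter: now.Add(time.Hour)})
	c, err := agent.ValidateAuthCookie(cookie, now)
	fmt.Println("Web Agent validation:", c.Subject, err)
	peek, _ := PeekAuthCookie(cookie)
	fmt.Println("Readable with no key at all:", peek.Subject)
}
```

The Web Agent side deliberately has no constructor that takes a private key: handing it only the published key is what makes the "no keying material on the Web server" property hold. A Web Agent that accepted the cookie on the strength of its readable claims, without the verify step, would accept any cookie a client assembled, so the check belongs before the first read of the claims.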
Account partner cookie
The account partner cookie facilitates SSO. After interactive account partner membership discovery occurs, if the account partner cookie has a valid token, the cookie is written to the client. Further interactions use the information in this cookie rather than prompting the client for account partner membership information again. The account partner cookie is set as a result of the account partner discovery process. For more information about account partner discovery, see Federation Service.
The account partner cookie is a long-lived, persistent cookie. It is neither signed nor encrypted.
Sign-out cookie
The sign-out cookie facilitates sign-off. Whenever the Federation Service issues a token, the token’s resource partner or target server is added to the sign-out cookie. When it receives a sign-off request, the Federation Service or Federation Service Proxy sends requests to each of the token target servers asking them to clean up any authentication artifacts, such as cached cookies, that the resource partner or Web server may have written to the client. In the case of a resource partner, it sends a cleanup request to any application Web servers that the client has used.
The sign-out cookie is always a session cookie. It is neither signed nor encrypted.
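The account partner cookie and the sign-out cookie are both neither signed nor encrypted, so whatever the client sends back in them is unauthenticated input. The following Go program is an added example, not ADFS code and not from this article, covering both: it uses the account partner cookie only to skip interactive discovery when the value names a configured partner, appends each issued token's target to the sign-out cookie without duplicates, and, on sign-off, plans the cleanup fan-out only to targets that are configured https servers, dropping anything else. The '|'-separated cookie format, the TrustPolicy type, the function names and the partner and host names are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// TrustPolicy is a constructed stand-in for the Federation Service's configured
// partners and application servers. Cookie values are checked against it because
// the cookies themselves carry no signature that could vouch for them.
type TrustPolicy struct {
	AccountPartners map[string]bool // account partner identifiers (constructed)
	CleanupHosts    map[string]bool // resource partner / application server hosts (constructed)
}

// ResolveAccountPartner consumes the persistent account partner cookie. The value
// only selects among configured partners; it proves nothing about the client, and
// an unknown or empty value sends the client back through interactive discovery.
func (p TrustPolicy) ResolveAccountPartner(cookieValue string) (partner string, ok bool) {
	v := strings.TrimSpace(cookieValue)
	if v == "" || !p.AccountPartners[v] {
		return "", false
	}
	return v, true
}

// SignOutTargets parses the session sign-out cookie into its list of target servers.
func SignOutTargets(cookieValue string) []string {
	var out []string
	for _, t := range strings.Split(cookieValue, "|") {
		if t = strings.TrimSpace(t); t != "" {
			out = append(out, t)
		}
	}
	return out
}

// AddSignOutTarget records the target of a newly issued token. Duplicates are
// skipped so that sign-off sends one cleanup request per server.
func AddSignOutTarget(cookieValue, target string) string {
	targets := SignOutTargets(cookieValue)
	for _, t := range targets {
		if t == target {
			return cookieValue
		}
	}
	return strings.Join(append(targets, target), "|")
}

// PlanCleanup turns the sign-out cookie into the cleanup requests to send on
// sign-off. Because the cookie is unsigned, an entry becomes an outbound request
// only if it is an https URL whose host is in the trust policy; everything else
// is reported as dropped rather than contacted.
func (p TrustPolicy) PlanCleanup(cookieValue string) (send, dropped []string) {
	for _, t := range SignOutTargets(cookieValue) {
		u, err := url.Parse(t)
		if err != nil || u.Scheme != "https" || u.Host == "" || !p.CleanupHosts[u.Host] {
			dropped = append(dropped, t)
			continue
		}
		send = append(send, t)
	}
	return send, dropped
}

func main() {
	policy := TrustPolicy{
		AccountPartners: map[string]bool{"urn:federation:adatum": true},
		CleanupHosts:    map[string]bool{"app1.treyresearch.example": true, "fs.adatum.example": true},
	}
	partner, ok := policy.ResolveAccountPartner("urn:federation:adatum")
	fmt.Println("account partner from cookie:", partner, ok)

	// Tokens issued during the session add their targets to the sign-out cookie.
	c := AddSignOutTarget("", "https://app1.treyresearch.example/")
	c = AddSignOutTarget(c, "https://fs.adatum.example/")
	c = AddSignOutTarget(c, "https://app1.treyresearch.example/") // duplicate, ignored
	fmt.Println("sign-out cookie:", c)

	send, dropped := policy.PlanCleanup(c + "|http://not-in-policy.example/")
	fmt.Println("cleanup requests:", send, "dropped:", dropped)
}
```

Keeping the account partner decision inside ResolveAccountPartner means the persistent cookie can only ever shorten the discovery step, never widen it: a value outside the trust policy is indistinguishable from no cookie at all. PlanCleanup applies the same idea to the sign-out cookie, so a malformed or unexpected entry costs a dropped request rather than an outbound request to an unconfigured host.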