Cookies used by ADFS

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) uses the following three types of cookies:

  • Authentication cookie

  • Account partner cookie

  • Sign-out cookie

Authentication cookies can be issued by both the Federation Service and the ADFS Web Agent. The ADFS Web Agent takes the ADFS security token that it receives and uses that token itself as the cookie value. The benefit for the Web server is that it needs no keying material of its own: the Federation Service publishes all the information that is necessary to validate its tokens.

At the Federation Service, the security token in a cookie holds the organization claims for the client. The organization claims may be mapped to outgoing claims for a particular resource. The ADFS Web Agent can also authenticate and use cookies that are issued by the Federation Service: when the client arrives at the Web server, the Web server receives the cookie, and the ADFS Web Agent can then authenticate that cookie and use the claims that it contains. For more information about how the Federation Service uses tokens, claims, and authentication cookies, see Federation Service.

The authentication cookie facilitates single sign-on (SSO). After the Federation Service validates the client once, the authentication cookie is written to the client. The Federation Service produces and consumes the contents of the authentication cookie, and they are opaque to federation server proxies. Further authentication takes place through use of the cookie rather than through repeated collection of the client credentials. For more information about the federation server proxies, see ADFS server roles.

The following illustration shows the contents of an authentication cookie and the ADFS components that use the authentication cookie. The ADFS Web Agent comprises both the ADFS Web Agent Authentication Service and the ADFS Web Agent ISAPI Extension.

Illustration (not reproduced here): The contents of the authentication cookie

The authentication cookie is always a session cookie. It is signed but not encrypted, so its claims can be read by anyone who observes the cookie in transit; this is one reason why the use of Transport Layer Security and Secure Sockets Layer (TLS/SSL) in ADFS is mandatory.
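The following Go program is an added illustration, not code from this page or from ADFS itself, of the token-as-cookie design described above: a token that is signed but not encrypted becomes the cookie value, anyone who sees the cookie can read its claims without any key, and a verifier in the role of the ADFS Web Agent needs only the issuer's published public key to accept it and to reject altered claims. JSON claims and an Ed25519 signature are stand-ins chosen for the example; the page does not show the real ADFS token or signature format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding
// Claims stands in for the token's organization claims (the real ADFS format is not on the page).
type Claims map[string]string
// IssueCookie plays the Federation Service: the signed token itself becomes the
// cookie value, "<base64 claims>.<base64 signature>". Signed, but not encrypted.
func IssueCookie(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // cannot fail for a map of strings
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body))
}
// decode splits the cookie into raw claims and signature bytes; it checks nothing.
func decode(cookie string) (body, sig []byte, err error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return nil, nil, errors.New("malformed cookie")
	}
	if body, err = enc.DecodeString(parts[0]); err == nil {
		sig, err = enc.DecodeString(parts[1])
	}
	return body, sig, err
}
// ReadClaimsUnverified is what anyone who sees the cookie on an unencrypted link
// can do: read every claim with no key at all. This is why ADFS requires TLS/SSL.
func ReadClaimsUnverified(cookie string) (c Claims, err error) {
	body, _, err := decode(cookie)
	if err == nil {
		err = json.Unmarshal(body, &c)
	}
	return c, err
}

// VerifyCookie plays the ADFS Web Agent: it needs only the Federation Service's
// published public key, no keying material of its own, and rejects altered claims.
func VerifyCookie(pub ed25519.PublicKey, cookie string) (Claims, error) {
	body, sig, err := decode(cookie)
	if err != nil || !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("cookie rejected: malformed or signature check failed")
	}
	return ReadClaimsUnverified(cookie) // signature held, so these claims can be trusted
}
```

The contrast between ReadClaimsUnverified and VerifyCookie is the point: the signature protects integrity only, and confidentiality of the claims has to come from the transport.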

The account partner cookie facilitates SSO. After interactive account partner membership discovery occurs, if the account partner cookie has a valid token, the cookie is written to the client. Further interactions use the information in this cookie rather than prompting the client for account partner membership information again. The account partner cookie is set as a result of the account partner discovery process. For more information about account partner discovery, see Federation Service.

The account partner cookie is a long-lived, persistent cookie. It is neither signed nor encrypted, so its contents serve only as a discovery hint about which account partner to use and must not be relied on as evidence about the client's identity.

The sign-out cookie facilitates sign-off. Whenever the Federation Service issues a token, the token's resource partner or target server is added to the sign-out cookie. When it receives a sign-off request, the Federation Service or Federation Service Proxy sends a request to each of the token target servers recorded in the cookie, asking them to clean up any authentication artifacts, such as cached cookies, that the resource partner or Web server may have written to the client. A resource partner that receives such a request in turn sends a cleanup request to any application Web servers that the client has used.

The sign-out cookie is always a session cookie. It is neither signed nor encrypted.