Understanding Cookies Used by AD FS

Applies To: Windows Server 2008, Windows Server 2008 R2

Active Directory Federation Services (AD FS) uses the following three types of cookies:

  • Authentication cookies

  • Account partner cookies

  • Sign-out cookies

Authentication cookies

Both the Federation Service and the AD FS Web Agent can issue authentication cookies. The AD FS Web Agent takes the AD FS security token that it receives and uses that token, unchanged, as the cookie value. The benefit for the AD FS-enabled Web server is that it does not need a public/private key pair of its own to sign and verify cookies: the Federation Service publishes all the information that is necessary to validate the tokens it issues.

At the Federation Service, the security token in a cookie holds the client's organization claims, which may be mapped to outgoing claims for a particular resource. The AD FS Web Agent can also validate and use cookies that are issued by the Federation Service: when the client arrives at the AD FS-enabled Web server carrying such a cookie, the AD FS Web Agent validates the cookie and uses the claims that it contains. For more information about how the Federation Service uses tokens, claims, and authentication cookies, see Understanding the Federation Service Role Service.

The authentication cookie facilitates single sign-on (SSO). After the Federation Service has validated the client once, it writes the authentication cookie to the client, and further authentication takes place through the cookie rather than through repeated collection of the client credentials. The Federation Service produces and consumes the contents of the authentication cookie; federation server proxies pass the cookie through without reading its contents. For more information about federation server proxies, see Understanding the Federation Service Proxy Role Service.

The following illustration shows the contents of an authentication cookie and the AD FS role services that use the authentication cookie. The AD FS Web Agent comprises both the AD FS Web Agent Authentication Service and the AD FS Windows Token-Based Agent Extension.

The authentication cookie is always a session cookie. It is signed but not encrypted: the signature lets the recipient detect tampering, but anyone who can observe the cookie can read the claims it carries and could present it as a bearer credential. This is one reason why the use of Transport Layer Security and Secure Sockets Layer (TLS/SSL) in AD FS is mandatory.
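The following Python sketch is an added example, not code from the original article or from AD FS itself. It models the split described above: the Federation Service signs the organization claims, the AD FS Web Agent validates the signature and uses the claims without a key pair of its own, and the claims are readable by anyone holding the cookie because the token is signed rather than encrypted. The cookie name ADFSAuth, the claim layout, and the use of HMAC-SHA256 with a shared verification key in place of the X.509 token-signing certificate that real AD FS uses are assumptions made so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: AD FS signs tokens with an X.509 token-signing certificate and
# publishes the public key; this example substitutes HMAC-SHA256 with a key
# known to both sides so it runs without third-party crypto libraries.
FS_SIGNING_KEY = b"example-federation-service-signing-key"

COOKIE_NAME = "ADFSAuth"  # hypothetical cookie name, not an AD FS identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Federation Service side: serialize the organization claims and sign them.

    The token is body.signature; the body is only base64url-encoded, not encrypted."""
    body = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    sig = hmac.new(FS_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def set_cookie_header(token: str) -> str:
    """The AD FS Web Agent uses the token itself as the cookie value.

    No Expires/Max-Age attribute: the authentication cookie is a session cookie.
    Secure and HttpOnly are hardening flags added in this example."""
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; Secure; HttpOnly"


def read_claims_unverified(token: str) -> dict:
    """What an observer on an unencrypted channel can do: read the claims without any key."""
    body, _ = token.split(".", 1)
    return json.loads(_b64url_decode(body))


def validate_token(token: str) -> Optional[dict]:
    """AD FS Web Agent side: verify the Federation Service signature before trusting claims.

    Returns the claims on success, None for a malformed or tampered token."""
    try:
        body, sig_text = token.split(".", 1)
        presented = _b64url_decode(sig_text)
    except ValueError:
        return None
    expected = hmac.new(FS_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(_b64url_decode(body))


def tamper(token: str, new_claims: dict) -> str:
    """Swap in different claims while keeping the original signature (an attacker's attempt)."""
    _, sig_text = token.split(".", 1)
    return f"{_b64url(json.dumps(new_claims, sort_keys=True).encode('utf-8'))}.{sig_text}"
```

Run `validate_token` on the output of `issue_token` and on the output of `tamper` to see the difference between what the Web Agent accepts and what a passive observer can still read with `read_claims_unverified`.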

Account partner cookies

The account partner cookie also facilitates SSO. It is set as a result of the account partner discovery process: after interactive account partner membership discovery has produced a valid result, the cookie recording that result is written to the client, and further interactions use the information in the cookie rather than prompting the client for account partner membership information again. For more information about account partner discovery, see Understanding the Federation Service Role Service.

The account partner cookie is a long-lived, persistent cookie. It is neither signed nor encrypted, so its value can be read or altered by anything with access to the client's cookie store; it should be treated as a discovery hint for selecting an account partner, never as evidence of the client's identity.
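The following Python sketch is an added example of the discovery flow described above, not code from the original article or from AD FS. It shows a resource-side Federation Service consulting the cookie before prompting, accepting the cookie only when it names a configured account partner (because the cookie is unsigned), and emitting a persistent cookie with an Expires attribute, in contrast to the session-only authentication cookie. The cookie name ADFSAccountPartner, the partner URIs, and the one-year lifetime are assumptions made for the example.

```python
from email.utils import formatdate
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Hypothetical cookie name; not an AD FS identifier.
ACCOUNT_PARTNER_COOKIE = "ADFSAccountPartner"

# Assumed account partner trust list of this resource Federation Service:
# partner URI -> partner federation sign-in endpoint.
TRUSTED_ACCOUNT_PARTNERS: Dict[str, str] = {
    "urn:federation:adatum": "https://fs.adatum.example/adfs/ls/",
    "urn:federation:fabrikam": "https://fs.fabrikam.example/adfs/ls/",
}

COOKIE_LIFETIME_SECONDS = 365 * 24 * 3600  # assumed lifetime of the persistent cookie


def discover_account_partner(cookie_header: Optional[str],
                             user_choice: Optional[str] = None) -> Optional[str]:
    """Return the account partner URI to use, or None if the client must be prompted.

    The cookie is neither signed nor encrypted, so its value is only a hint:
    it is honoured only when it names a configured account partner. Otherwise the
    interactive choice (user_choice) is used, subject to the same check."""
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(ACCOUNT_PARTNER_COOKIE)
        if morsel is not None and morsel.value in TRUSTED_ACCOUNT_PARTNERS:
            return morsel.value
    if user_choice in TRUSTED_ACCOUNT_PARTNERS:
        return user_choice
    return None


def account_partner_set_cookie(partner_uri: str, now_epoch: int) -> str:
    """Persistent cookie: carries an Expires attribute, unlike the session-only
    authentication and sign-out cookies. now_epoch is a Unix timestamp (UTC)."""
    if partner_uri not in TRUSTED_ACCOUNT_PARTNERS:
        raise ValueError("refusing to record an unknown account partner")
    expires = formatdate(now_epoch + COOKIE_LIFETIME_SECONDS, usegmt=True)
    return (f"Set-Cookie: {ACCOUNT_PARTNER_COOKIE}={partner_uri}; "
            f"Path=/; Expires={expires}; Secure")


def redirect_target(partner_uri: str) -> str:
    """The sign-in endpoint the client is redirected to after discovery."""
    return TRUSTED_ACCOUNT_PARTNERS[partner_uri]
```

A cookie naming a partner that is not in the trust list is ignored rather than followed, which is the practical consequence of the cookie being unauthenticated: it may steer the client to a known partner, but it cannot introduce a new one.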

Sign-out cookies

The sign-out cookie facilitates sign-off. Whenever the Federation Service issues a token, it adds the token's resource partner or target server to the sign-out cookie. When it receives a sign-off request, the Federation Service or Federation Service Proxy sends a request to each target server recorded in the cookie, asking it to clean up any authentication artifacts, such as cached cookies, that the resource partner or AD FS-enabled Web server may have written to the client. A resource partner that receives such a request in turn sends a cleanup request to each AD FS-enabled Web server that the client has used.

The sign-out cookie is always a session cookie. It is neither signed nor encrypted.
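The following Python model is an added example of the sign-off fan-out described above, not code from the original article or from AD FS. It keeps one sign-out cookie per client session, records each target once as tokens are issued, and on sign-off sends a cleanup request to every recorded target, recursing into a resource partner so that its own AD FS-enabled Web servers are cleaned up as well. The service names, the target identifiers, and the simplification that the client's session is identified the same way at both Federation Services are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SignOutCookie:
    """Session-only, unsigned, unencrypted: the targets that received tokens in this session."""
    targets: List[str] = field(default_factory=list)

    def add(self, target: str) -> None:
        # A target that received several tokens is recorded, and cleaned up, once.
        if target not in self.targets:
            self.targets.append(target)


class FederationService:
    """Minimal stand-in for a Federation Service (or the proxy acting for it)."""

    def __init__(self, name: str) -> None:
        self.name = name
        # client session id -> that session's sign-out cookie
        self.sessions: Dict[str, SignOutCookie] = {}
        # target identifier -> the resource partner Federation Service behind it
        # (assumed lookup; an AD FS-enabled Web server has no entry here)
        self.resource_partners: Dict[str, "FederationService"] = {}

    def issue_token(self, session_id: str, target: str) -> None:
        """Issuing a token records the token's resource partner or target server."""
        self.sessions.setdefault(session_id, SignOutCookie()).add(target)

    def sign_off(self, session_id: str) -> List[str]:
        """Handle a sign-off request; returns the cleanup requests sent, in order.

        The sign-out cookie is discarded with the session, so a second sign-off
        sends nothing. A resource partner handles the cleanup request it receives
        by signing off its own session, which fans out to its Web servers."""
        sent: List[str] = []
        cookie = self.sessions.pop(session_id, SignOutCookie())
        for target in cookie.targets:
            sent.append(f"{self.name} -> {target}: cleanup")
            partner = self.resource_partners.get(target)
            if partner is not None:
                sent.extend(partner.sign_off(session_id))
        return sent


def simulate_sign_off() -> List[str]:
    """Constructed scenario: an account partner FS, one resource partner FS, two Web apps."""
    account = FederationService("fs.adatum.example")
    resource = FederationService("fs.treyresearch.example")
    account.resource_partners["urn:federation:treyresearch"] = resource

    account.issue_token("s1", "urn:federation:treyresearch")
    resource.issue_token("s1", "https://app1.treyresearch.example/")
    resource.issue_token("s1", "https://app2.treyresearch.example/")
    resource.issue_token("s1", "https://app1.treyresearch.example/")  # repeat visit
    return account.sign_off("s1")


if __name__ == "__main__":
    for line in simulate_sign_off():
        print(line)
```

Because the cookie is neither signed nor encrypted, the target list it carries is not authenticated; the model therefore uses it only to decide where cleanup requests go, and never as a credential.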