
Fixing Non-SSL GET Requests in ADFS v2

by Steve Syfuhs / February 22, 2011 04:00 PM

The default behaviour for ADFS is to force SSL on every request. I believe this is a good idea, since letting anyone eavesdrop on the tokens being issued would be a bad thing.

However, I have one minor problem with how Microsoft implemented this behaviour.

When ADFS is installed a new application is created in IIS and the SSL Settings are configured to require SSL:

[image: IIS SSL Settings for the ADFS application, with Require SSL checked]

IIS then returns a 403 error for any request that does not arrive over SSL.

[image: the 403 error returned for a non-SSL request]

In theory this is fine.

My problem is more of a user experience issue. Since a lot of traffic to ADFS arrives via redirects and links from third-party sites, there’s a good chance someone is going to make a typo and not use HTTPS.

What I want to do is be a little more forgiving and allow certain requests through, BUT redirect the request to SSL.

While I can’t speak for Microsoft, I believe they didn’t do what I’m about to do because it’s hard to draw the line at which sorts of requests to redirect. Basic GET requests are pretty straightforward, but what about POSTs? How do you handle those?

Simply put, I’m only going to redirect GET requests.

The first thing I’m going to do is open Visual Studio, create a new class library project, and add a class to it that implements IHttpModule. You will have to add a reference to the System.Web assembly.

The class only has three methods:

using System;
using System.Web;

// Redirects plain-HTTP GET requests to the same URL over HTTPS and
// rejects every other plain-HTTP method with a 403.
public class ForceSslModule : IHttpModule
{
    public void Dispose() { }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(app_BeginRequest);
    }

    protected void app_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Request;

        // Already on SSL: nothing to do.
        if (request.IsSecureConnection)
        {
            return;
        }

        // Only GETs are safe to bounce; a redirected POST would lose its body,
        // so refuse anything else, just as IIS did with Require SSL.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new HttpException(403, "Only HTTP GET requests can be redirected to HTTPS");
        }

        // Swap only the scheme. A plain string Replace("http://", "https://") on the
        // whole URL would also rewrite an "http://" that appears inside query
        // parameters such as wtrealm or wreply, silently changing the relying
        // party identifier the request carries.
        UriBuilder secureUri = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1 // use the default port for the scheme (443)
        };
        app.Response.Redirect(secureUri.Uri.AbsoluteUri, true);
    }
}


The work is done in app_BeginRequest. It looks for non-SSL GET requests and redirects them to the same URL over SSL; any other non-SSL request still gets a 403.

The next step is to compile the project and copy the resulting assembly into the adfs/ls/bin/ folder.

Then the web.config needs to be updated. The module needs to be registered in the system.webServer section:

<system.webServer>
  <modules>
    <add name="ForceSslGet" type="ObjectSharp.Security.Web.ForceSslModule, ObjectSharp.Security.Web, Version=1.0.0.0, Culture=neutral, PublicKeyToken=30761a08d0a18fd4" />
  </modules>
</system.webServer>

The last thing that needs to be done is to update IIS so it no longer requires SSL. Just uncheck the Require SSL box in the SSL Settings of the ls application.
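Once the module is in place, it is worth confirming from a client that it behaves as described: a plain-HTTP GET is bounced to HTTPS with its path and query string intact, and a plain-HTTP POST is refused with a 403 rather than redirected. The following PowerShell script is an added check, not part of the original post; the host name adfs.example.com is a placeholder for your own farm, and the WS-Federation style query string is a constructed sample.

```powershell
# Added verification script (not from the original post).
# Assumption: replace the placeholder host name with your own ADFS farm name.
$adfsHost = "adfs.example.com"

function Send-PlainHttpRequest {
    param([string]$Method, [string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = $Method
    $req.AllowAutoRedirect = $false      # we want to inspect the 302 itself, not follow it
    if ($Method -eq "POST") { $req.ContentLength = 0 }
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses surface as exceptions; the response object is still attached
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }
    }
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers["Location"]
    }
    $resp.Close()
    return $result
}

# 1. A plain-HTTP GET carrying a (constructed) WS-Federation sign-in query string
#    should come back as a 302 to the HTTPS URL with path and query preserved.
$signIn = "http://$adfsHost/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2frp.example.com%2f"
$get = Send-PlainHttpRequest -Method GET -Url $signIn
$expectedPrefix = "https://$adfsHost/adfs/ls/?wa=wsignin1.0"
if ($get.Status -ne 302 -or -not "$($get.Location)".StartsWith($expectedPrefix)) {
    Write-Warning "GET was not redirected to HTTPS as expected: $($get.Status) $($get.Location)"
} else {
    Write-Host "GET over HTTP redirected to $($get.Location)"
}

# 2. A plain-HTTP POST must be refused outright (403), never redirected.
$post = Send-PlainHttpRequest -Method POST -Url "http://$adfsHost/adfs/ls/"
if ($post.Status -ne 403) {
    Write-Warning "POST over HTTP should return 403, got $($post.Status)"
} else {
    Write-Host "POST over HTTP correctly refused with 403"
}
```

Run it from a machine that can reach the farm over plain HTTP; a redirect whose Location has lost or altered the query string points at the URL rewriting in the module, not at IIS.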

About

Steve is a bit of a Renaissance Kid when it comes to technology. He spends most of his time in the security stack.