We have an ASP.NET MVC application with passive redirect disabled. When a user hits a URL that requires being logged in, we send the user to ADFS, where he/she can choose between Windows Authentication or a third-party identity provider we do business with. We wanted to have ADFS send us back to a specific URL, specified in wreply, but found out that ADFS ignores this parameter. That is not our problem, however: it seems we are getting two responses from ADFS, a POST (with the token) and a GET. What's more, depending on the browser (Chrome, IE10, Safari on iPad), the order in which we receive the requests in the ASP.NET MVC application differs, which means that if the GET precedes the POST, the user is not authenticated; otherwise the user is authenticated (in which case we can deal with the two responses, even though they are annoying). We've also seen that with Windows Authentication the order may vary for a single browser.
Two questions:
- Is there an explanation for this behavior?
- Can we ditch the GET response somehow?
Kind regards,
Michiel