Making Ajax play with Passive ADFS 2.1 (and 2.0) – JSONP & Pre-Authentication

The first post described the issue of using ADFS and Ajax to create SSO between a WebApp and a WebAPI.
This solution looks at using JSONP and pre-authentication to achieve SSO between sites on different domains.

Solution Overview

We add an HTML page (or handler) to the WebAPI solution.
Whenever we make a call to the WebAPI, we first load the HTML page in an iFrame; this iFrame call handles all the ADFS redirects and sets the session cookies for the WebAPI.
These session cookies are then sent (automatically) with the next JSONP call to the server.


  • Like all the solutions, this expects that the user has authenticated with ADFS via the WebApp. When the iFrame hits the WebAPI pre-auth HTML page, the request is redirected to ADFS; if the user already has a session (that is compatible with the WebAPI relying party), a token will be issued without further authentication.

//Requires jQuery 1.9+
var hasPreAuthenticated = false;
var webAPIHtmlPage = "http://webapi.somedomain/preauth.html";

function preauthenticate() {
    //ADFS breaks Ajax requests, so we pre-authenticate the first call using an iFrame and "authentication" page to get the cookies set
    return $.Deferred(function (d) {
        if (hasPreAuthenticated) {
            console.log("Already pre-authenticated, skipping");
            d.resolve();
            return;
        }
        //Potentially could make this into a little popup layer
        //that shows we are authenticating, and allows for re-authentication if needed
        var iFrame = $("<iframe></iframe>").hide();
        iFrame.attr('src', webAPIHtmlPage);
        //.on('load') rather than .load(): the event shorthand was removed in jQuery 3.0
        iFrame.on('load', function () {
            hasPreAuthenticated = true;
            d.resolve();
        });
        //The iFrame only starts loading once it is attached to the document
        $("body").append(iFrame);
    }).promise();
}

function makeCall() {
    //Wait for the pre-authentication iFrame before issuing the JSONP request
    return preauthenticate().then(function () {
        var options = { dataType: "jsonp" }; //JSONP ajaxOptions (url, data, ...)
        return $.ajax(options);
    });
}

7 Replies to “Making Ajax play with Passive ADFS 2.1 (and 2.0) – JSONP & Pre-Authentication”

  1. Is there some particular content in preauth.html? For some reason the file I created doesn’t even require authentication so doesn’t do anything for the issue. If I just open up a browser and use the url to the preauth.html file I don’t even get prompted for credentials.

    1. But why aren’t .html files being protected? Shouldn’t they be? Is there some configuration option that changes this?

      Actually, I tried this with a preauth.aspx and I see it getting authenticated but looking at the results of my ajax call in fiddler I still see “Script is disabled. Click Submit to continue”.

  2. I figured out the main issue. Putting the preauthentication in an iFrame didn’t work, I had to put it in a new (small) window. This may be something in later versions of browsers perhaps? I’ve been seeing those little windows pop up various places where I have authenticated sites communicating back and forth and I suppose this might be why.

  3. Hmmmm. The issue with this solution (which is the first that I have made to work) is that you have to disable the X-Frame-Options header on your ADFS instance. Or, in other words, people might present your sign-in screen within an iframe and log all your keystrokes.
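
The replies above turn on whether the browser will let the pre-auth page and the ADFS sign-in page render inside an iFrame. As an added example (not code from the post or its commenters), this is a simplified model of that decision from the X-Frame-Options and CSP frame-ancestors headers. The function names are hypothetical, and it assumes a single CSP policy, a top-level parent page, and origins passed in normalized form.

```javascript
// Added example. Simplified model of how a browser decides whether a response
// may render inside a frame whose (top-level) parent is `parentOrigin`.
// `headers` uses lower-case names; `selfOrigin` is the framed page's own origin.
function canBeFramedBy(headers, selfOrigin, parentOrigin) {
  const csp = headers["content-security-policy"] || "";
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    // frame-ancestors, when present, is used and X-Frame-Options is ignored.
    return sources.some((s) => matchesSource(s, selfOrigin, parentOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === selfOrigin;
  // Missing header, obsolete ALLOW-FROM, or unknown value: current browsers
  // ignore it, so any site may frame the page.
  return true;
}

// Subset of CSP source matching: 'none', 'self', *, and scheme://[*.]host[:port].
// Other source forms are treated as "no match" (assumption of this sketch).
function matchesSource(src, selfOrigin, parentOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === selfOrigin;
  if (s === "*") return true;
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/.exec(s);
  if (!m) return false;
  const parent = new URL(parentOrigin);
  const schemeOk = parent.protocol === m[1] + ":" ||
    (m[1] === "http" && parent.protocol === "https:"); // http source also matches https
  const hostOk = m[2] ? parent.hostname.endsWith("." + m[3]) : parent.hostname === m[3];
  const defaultPort = parent.protocol === "https:" ? "443" : "80";
  const portOk = m[4] ? m[4] === (parent.port || defaultPort) : parent.port === "";
  return schemeOk && hostOk && portOk;
}
```

A frame-ancestors list that names only the WebApp origin lets the pre-auth iFrame load while every other site stays blocked, whereas removing X-Frame-Options with nothing in its place allows framing from anywhere.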
