The first post described the problem of using ADFS and Ajax to create SSO between a WebApp and a WebAPI.
This post looks at the easiest solution, piggy-backing.
The central idea of piggy-backing is that the WebApp authenticates in the usual redirect-based ADFS way and has its session cookie set.
The WebAPI then reads the same session cookie, so it never needs to authenticate with ADFS directly. Two things follow from this:
- The two applications must be able to share cookies, i.e. they must sit under the same root domain (or on the same host).
- The WebAPI must never attempt to authenticate with ADFS itself. If it does it errors twice over: the AJAX calls break as described in the first post, and the redirect URL after authentication points back to the WebApp, not the WebAPI.
Setting up this solution is easy. Configure the WebApp as you normally would for ADFS, then use the same configuration for the WebAPI project, i.e. set the realm to be the same as the WebApp realm.
You will also need to set the cookieHandler element in each application's web.config so that the session cookie is scoped widely enough to reach both applications, as shown below.
If you are using subdomains such as webapp.contoso.com and webapi.contoso.com, then the cookieHandler will look like this in both applications' web.config:
<cookieHandler requireSsl="true" domain=".contoso.com" />
Be aware that a cookie with domain=".contoso.com" is sent to every host under contoso.com, so any other application on that domain will also receive the session cookie. Use the narrowest domain that covers both applications, and keep requireSsl="true" so the cookie is only ever sent over HTTPS.
Different Ports or Virtual Directories
If you are using virtual directories or differing ports such as contoso.com/webapp and contoso.com:8000/webapi, then the cookieHandler will look like this in both applications' web.config:
<cookieHandler requireSsl="true" path="/" />
The port does not need any handling: browsers ignore the port when deciding which cookies to send, so both applications on contoso.com already see the same cookies. The path does need widening, because the cookie handler defaults the path to the application's own virtual directory (/webapp), which would keep the cookie from being sent to /webapi.
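The two cookieHandler settings above only work because of how browsers scope cookies. The following is an added example, not code from the original post or from WIF: a small model of the RFC 6265 domain-matching and path-matching rules, used to check whether the FedAuth session cookie set by the WebApp is sent with a request to the WebAPI in each topology. The hostnames, paths, the cookie name and the assumption that the cookie handler's default path is the application's virtual directory are illustrative inputs, not values taken from the post.

```javascript
// Added example (not from the original post or from WIF): a model of the browser
// rules that decide whether a stored cookie is attached to a request, following
// RFC 6265 section 5.1.3 (domain matching) and section 5.1.4 (path matching).
// Hostnames, paths and the default WIF cookie path are assumed values.

// RFC 6265 5.1.3: host domain-matches a cookie domain when they are equal, or the
// host ends with "." + domain (and the host is not an IPv4 literal).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith('.' + cookieDomain);
}

// RFC 6265 5.1.4: "/webapp/api" path-matches "/", "/webapp" and "/webapp/",
// but not "/web" (a prefix that stops in the middle of a segment).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser send this stored cookie with a request to requestUrl?
// The port is deliberately not consulted: cookie scope ignores it, which is why
// contoso.com/webapp and contoso.com:8000/webapi can share a cookie.
function cookieIsSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  if (cookie.hostOnly) {
    if (host !== cookie.domain.toLowerCase()) return false;
  } else if (!domainMatches(host, cookie.domain)) {
    return false;
  }
  return pathMatches(u.pathname, cookie.path);
}

// The FedAuth cookie the WebApp would store when the response that sets it comes
// from setFromHost under a given <cookieHandler requireSsl domain path />.
// No domain attribute means a host-only cookie. appPath stands in for the
// handler's default path (assumed here to be the application's virtual directory).
function fedAuthCookie(setFromHost, handler, appPath) {
  return {
    name: 'FedAuth',
    secure: Boolean(handler.requireSsl),
    hostOnly: !handler.domain,
    domain: handler.domain ? handler.domain.replace(/^\./, '') : setFromHost,
    path: handler.path || appPath,
  };
}

// Walk the post's two topologies with and without the cookieHandler change.
function scenarios() {
  const api1 = 'https://webapi.contoso.com/api/values';
  const api2 = 'https://contoso.com:8000/webapi/api/values';

  // Subdomains: webapp.contoso.com sets the cookie, webapi.contoso.com must receive it.
  const subHostOnly = fedAuthCookie('webapp.contoso.com', { requireSsl: true }, '/');
  const subShared = fedAuthCookie('webapp.contoso.com', { requireSsl: true, domain: '.contoso.com' }, '/');

  // Virtual directory and port: contoso.com/webapp sets it, contoso.com:8000/webapi must receive it.
  const vdirDefault = fedAuthCookie('contoso.com', { requireSsl: true }, '/webapp');
  const vdirShared = fedAuthCookie('contoso.com', { requireSsl: true, path: '/' }, '/webapp');

  return {
    subdomainHostOnlyReachesApi: cookieIsSent(subHostOnly, api1),                               // false: host-only cookie
    subdomainSharedReachesApi: cookieIsSent(subShared, api1),                                   // true
    subdomainSharedReachesOtherHost: cookieIsSent(subShared, 'https://intranet.contoso.com/'),  // true: every subdomain gets it
    subdomainSharedLookalike: cookieIsSent(subShared, 'https://contoso.com.example.net/'),      // false
    subdomainSharedOverHttp: cookieIsSent(subShared, 'http://webapi.contoso.com/api/values'),   // false: requireSsl
    vdirDefaultReachesApi: cookieIsSent(vdirDefault, api2),                                     // false: path is /webapp
    vdirSharedReachesApi: cookieIsSent(vdirShared, api2),                                       // true: port ignored, path "/"
  };
}

console.log(scenarios());
```

The subdomainSharedReachesOtherHost result is the cost of the subdomain variant: once the domain is widened to .contoso.com, every application under that domain receives the session cookie, not just the WebAPI.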
A note on Web Farms and Microsoft Dynamics CRM 2011
If you are using load-balancing and/or MS CRM, see this article. You also need to implement step #3 from it to enable piggy-backing. That step changes the session cookie protection from the default, which is tied to the machine that wrote the cookie, to a method every server in the farm can use. Piggy-backing needs this for the same reason: the WebAPI must be able to decrypt a session cookie that the WebApp issued.