I'm following the FederationForWebApps-VS2008 sample from the Geneva Beta 2 SDK. I'm trying to implement my own STS for an intranet. The STS is hosted in the same web app as the intranet. I have everything working great except for after my user is authenticated and a cookie is saved with the security token, none of my custom claims issued by my STS get saved.

The process goes like this: The user requests a page (http://intranet/secure/index. If the user doesn't have the required claim, a security exception is thrown. The web app catches the security exception and if the user is not authenticated (IsAuthenticated == false), they are redirected to the STS (http://intranet/sts). The STS checks if the user is authenticated and if not redirects them to a login page (http://intranet/login). After authenticated the login page redirects (with all the querystring parameters) back to the STS (http://intranet/sts). The STS issues the claims and redirects back to the requested page (http://intranet/secure/index). The user can now access the page and all the claims on the IClaimsIdentity from my STS are present. If the user refreshes the page, they are denied access because the claims I set in my STS are no longer present on the IClaimsIdentity. I thought the SessionAuthenticationModule is supposed to take care of writing the security token as a cookie with all the claims, but it doesn't appear to be doing that.

I have the SessionAuthenticationModule and WSFederatedAuthenticationModule set up in the web.config. Could someone please shed some light on what I might be doing wrong?

Nevermind I found my answer. You have to set the requireSSL attribute on the cookieHandler element to false in the web.config if you are not using SSL.

Nevermind I found my answer. You have to set the requireSSL attribute on the cookieHandler element to false in the web.config if you are not using SSL.