Home/ Questions/Q 6707069
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T07:35:42+00:00

I’ve had to replace the session token handler with the following, due to a

  • 0

I’ve had to replace the session token handler with the following, due to a requirement of running my site on load balancers.

public class WebFarmSessionSecurityTokenHandler : SessionSecurityTokenHandler
{
    public WebFarmSessionSecurityTokenHandler(X509Certificate2 protectionCertificate)
        : base(CreateRsaTransforms(protectionCertificate))
    { }

    private static ReadOnlyCollection<CookieTransform> CreateRsaTransforms
      (X509Certificate2 protectionCertificate)
    {
        var transforms = new List<CookieTransform>() 
                        { 
                            new DeflateCookieTransform(), 
                            new RsaEncryptionCookieTransform(protectionCertificate),
                            new RsaSignatureCookieTransform(protectionCertificate),
                        };

        return transforms.AsReadOnly();
    }
}

I then amended the web.config as follows.

<microsoft.identityModel>
  <service>
...
    <securityTokenHandlers>
      <clear />
      <add type="MyAssembly.WebFarmSessionSecurityTokenHandler, MyAssembly"/>
    </securityTokenHandlers>
...
  </service>
</microsoft.identityModel>

My hope after doing this was that my relying party would function no matter what node it was accessing or what box initiated the authenication.

I’m currently getting the following : A SecurityTokenHandler is not registered to read security token.

Any ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    void onServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] 
            { 
                new DeflateCookieTransform(), 
                new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
            });

            SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
            e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
        }

    The above needs to be placed inside the global.asax file. With the following event hooked up in the application start.

    FederatedAuthentication.ServiceConfigurationCreated += onServiceConfigurationCreated;

    I no longer required the WebFarmSessionSecurityTokenHandler or the config changes to slot it in.

    • 0