Exception while using Custom STS in ProcessSignInResponse – Windows Identity Foundation : A solution

This is just a small post. For the last few days I have been working on a custom identity provider. I created an STS site using the Visual Studio template “ASP.NET Security Token Service Website”.
I also created a new website that was going to use the above STS as its identity provider. I added the STS reference to my new website using the VS IDE.
When I ran my application, I was first redirected to the login page of the STS, as expected. I was happy, but as soon as I clicked on login there was an exception. The exception message was:

“Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack.”

When I ran the code in debug mode, I found that the exception is thrown on this line of the page default.aspx:

FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse( responseMessage, Response );

I looked for a solution and found one. The exception is a ThreadAbortException, and it is caused by Response.Redirect with endResponse set to true.

The functionality itself works fine, so to avoid this issue we need to add one line:
catch (System.Threading.ThreadAbortException) { } // Thrown by redirect, ignore this

So now the page code will be:

    protected void Page_PreRender( object sender, EventArgs e )
    {
        string action = Request.QueryString[WSFederationConstants.Parameters.Action];
        try
        {
            if ( action == WSFederationConstants.Actions.SignIn )
            {
                // Process signin request.
                SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri( Request.Url );
                if ( User != null && User.Identity != null && User.Identity.IsAuthenticated )
                {
                    SecurityTokenService sts = new CustomSecurityTokenService( CustomSecurityTokenServiceConfiguration.Current );
                    SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest( requestMessage, User, sts );
                    FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse( responseMessage, Response );
                }
                else
                {
                    throw new UnauthorizedAccessException();
                }
            }
            else if ( action == WSFederationConstants.Actions.SignOut )
            {
                // Process signout request.
                SignOutRequestMessage requestMessage = (SignOutRequestMessage)WSFederationMessage.CreateFromUri( Request.Url );
                FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest( requestMessage, User, requestMessage.Reply, Response );
            }
            else
            {
                throw new InvalidOperationException(
                    String.Format( CultureInfo.InvariantCulture,
                                   "The action '{0}' (Request.QueryString['{1}']) is unexpected. Expected actions are: '{2}' or '{3}'.",
                                   String.IsNullOrEmpty(action) ? "" : action,
                                   WSFederationConstants.Parameters.Action,
                                   WSFederationConstants.Actions.SignIn,
                                   WSFederationConstants.Actions.SignOut ) );
            }
        }
        catch (System.Threading.ThreadAbortException) { } // Thrown by redirect, ignore this
        catch ( Exception exception )
        {
            // Any other failure is wrapped and rethrown.
            throw new Exception( "An unexpected error occurred when processing the request. See inner exception for details.", exception );
        }
    }

I found that this is a known issue.
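The added catch does not swallow the abort: the runtime re-raises ThreadAbortException when the catch block ends, so the clause only keeps the abort out of the generic handler that would wrap it. A console sketch of that behaviour, added here as an illustration and not taken from the original code; it assumes .NET Framework, and `WriteResponseAndEnd` and `PagePreRender` are hypothetical stand-ins for the page code:

```csharp
using System;
using System.Threading;

// Added illustration, not code from the post. Requires .NET Framework:
// Thread.Abort throws PlatformNotSupportedException on .NET Core and later.
static class ThreadAbortCatchDemo
{
    // Hypothetical stand-in for ProcessSignInResponse: it aborts the current
    // thread, which is how ending the response stops page execution.
    static void WriteResponseAndEnd()
    {
        Thread.CurrentThread.Abort();
    }

    // Same handler shape as the page code above.
    static void PagePreRender(Action<string> log)
    {
        try
        {
            WriteResponseAndEnd();
            log("after WriteResponseAndEnd");   // never reached
        }
        catch (ThreadAbortException)
        {
            log("ThreadAbortException catch entered");
        }                                       // abort is re-raised here by the runtime
        catch (Exception ex)
        {
            throw new Exception("An unexpected error occurred.", ex);
        }
        log("after try/catch");                 // never reached either
    }

    static void Main()
    {
        var worker = new Thread(() =>
        {
            try { PagePreRender(Console.WriteLine); }
            catch (ThreadAbortException)
            {
                // The caller (ASP.NET for the real page) still observes the abort.
                Console.WriteLine("caller saw ThreadAbortException");
                Thread.ResetAbort();            // cancel it so the demo thread exits cleanly
            }
        });
        worker.Start();
        worker.Join();
    }
}
```

Statements placed after the ProcessSignInResponse call, or after the try/catch, do not run on the sign-in path, so cleanup or logging that must happen belongs before the call or in a finally block.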

Hope this will help people.




10 thoughts on “Exception while using Custom STS in ProcessSignInResponse – Windows Identity Foundation : A solution”

  1. Pingback: Claim based Authentication and WIF : Part 2 « Brij's arena of .NET

  2. Thanks Brij. I got this message when I tried your Part-2 tutorial. I refreshed the page and it worked. Then I searched to see if you have already blogged it and I found this.
    I have just started digging into writing my Custom STS and your blog is very helpful.



  3. You say that if I catch this exception, everything should work fine? It’s not for me. The STS is not redirecting back to the relying party. It is returning HTTP Status code 200 (OK) instead of 302 (Redirect) and I see the SAML token’s XML in my web browser. Has anyone else seen this?
