Federated Security: How handle session timeout



We have a setup with Federated Security with OWIN towards ADFS.
If the browser session get a timeout and the edit performs any editing activity EPiServer tries to re authenticate towards ADFS via AJAX.
Then we get the following error in the browser console:

"No 'Access-Control-Allow-Origin' header is present on the requested resource."

Does any one know how to add this CORS header?


Erik Jonsson 

Apr 26, 2016 9:15

Thanks for the tip!

I have tried but not succeded, but will try again when I have time to dig some more.


May 03, 2016 17:16

Hey, Erik!

Check out this blogpost, it might be helpful:


I don't get any issues with authentication though.



May 09, 2016 9:47

Thanks Marija,

I have not had time too look at this yet but hopefully I will soon.


May 16, 2016 8:13

Has anyone solved this issue yet? Is it a flaw in episerver or am I doing something wrong?

My thoughts:
The problem is probably not CORS. Even if support for CORS is added the initial AJAX request will get a redirect to the ADFS server trying to reauthenticate the user. The redirect returns html when the initial AJAX request is waiting for it's json result. This produces an error and the user will not be reauthenticated. Only way to be reauthenticated in edit mode is to press a button that is not using AJAX or reload the page. I'm not an expert in federated security but since episerver has an example of how to use federated security with OWIN one would think that this wouldn't be an issue. 


Aug 19, 2016 11:03

I am also having this problem.

Anyone solved it?

Nov 01, 2017 8:08

Following this thread, also having the problem.


Dec 13, 2017 11:35

When talking Episerver native support for Federated Security it is always by using OWIN middleware.

ADFS is a product of which multiple versions exist. If you are using an older one it's probably easiest to get it running with Epi using the WS-Federation specification and the OWIN package Microsoft.Owin.Security.WsFederation. WS-Federation is more relaxed than OIDC security wise and it is possible to "replay" login flows and get impersonation support in an application. This can't be done with OIDC.

ADFS 2016 has support OpenID Connect (OIDC). OIDC is a more modern and more secure specification and with Epi you would use Microsoft.Owin.Security.OpenIdConnect. It should be noted that this package isn't fully OIDC compliant and only support form_post response mode and id_token validation. You can't easily use a hybrid flow with just "code" and backchannel or query mode instead of form_post. It's unclear if this will be introduced in an update but all things mentioned are in place for .NET Core 2.0 without any external packages needed so I guess that's where MS focused their efforts.

OIDC has standardized ways of handling expiry. Silent renewal or token refresh depening on if you're on the front or backend. You can also also check session and do a full signin flow in an iframe given that the Content Security Policies on the ADFS view response allows it.

Dec 14, 2017 8:50

If anyone stumbles upon this, here's an update.

Have a look at https://github.com/IdentityServer/IdentityServer3/issues/2424#issuecomment-172508910

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    UseTokenLifetime = false,

Also, the episerver code sample to implement openid connect doesn't play nice with invalidated sessions and the ajax calls in edit-mode, which would suggest you add a statement to the OWIN-middleware to handle ajax calls properly return a 401 instead of 302 redirect to the identityserver.



Notifications = new OpenIdConnectAuthenticationNotifications

    RedirectToIdentityProvider = context =>

        if (context.OwinContext.Response.StatusCode == 401 && context.Request.Headers["X-Requested-With"] == "XMLHttpRequest")

        return Task.FromResult(0);

Jan 15, 2018 9:57

We released a fix in CMS UI 11.1.1 that will take you to the logout/relogin screen. Since the authentication can be on another domain that way was the only way to ensure multiple redirects would work properly.

Jan 18, 2018 13:13

Strange,  i was still getting that error in CMS.UI.11.2.0 when the identityserver is on another domain. However, changing the Startup.cs as previously explained works to properly trigger the reauthentication popup.

Jan 18, 2018 13:26

Yes you need to change Startup.cs. I see we haven't updated the docs for this yet so we'll just have to do that cool

Jan 19, 2018 16:41
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.