
WsFederation redirects to default login page and not to MetadataAddress



I am trying to set up a federated login scheme against AD in CMS12, .NET Core 8 using cookies, but it redirects to the default yellow/white login screen /Util/Login?ReturnUrl=%2F both locally and on the integration environment instead of redirecting to MetadataAddress. Before, we ran OWIN, but now we are upgrading to the latest CMS 12.

What I have done:

  • I set the start page controller to [Authorize] to trigger the login
  • Configuration defined in Startup.cs in ConfigureServices
  • services.AddAuthentication is configured
    • sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    • sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; 
    • sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
  • AddWsFederation has defined MetadataAddress and Wtrealm (checked in debug that they are correct values) and OnSecurityTokenValidated for processing the returned security token
  • AddCookie is defined with Cookie.Name, expiry and a few things to be done before login
  • In Configure section I have app.UseAuthentication(); and app.UseAuthorization();

In appsettings:

      "EPiServer": {
        "Login": {
          "Wtrealm": "https://our.address",
          "MetadataAddress": "https://our.address/federationmetadata/2007-06/federationmetadata.xml"
        }
      }

Has anyone had this behavior before? I am thinking I missed something easy :S

/ Tony

Apr 15, 2024 8:17

Hi Tony

I think the reason you get redirected to /Util/login is that you're not authenticating with the `WsFederation` scheme. Two possible fixes:

  1. Add scheme to `[Authorize]` attribute OR
  2. Remove Optimizely identity `.AddCmsAspNetIdentity<ApplicationUser>()`

Edited, Apr 15, 2024 13:11

Hi Tony,

In order to replace the built-in local login with Azure AD, follow the official documentation: Integrate Azure AD using OpenID Connect

I don't have experience with WS-Federation, but this article describes how to add it in a .NET Core project: Authenticate users with WS-Federation in ASP.NET Core | Microsoft Learn

Be sure to also follow Vincent's 2nd point, and at the end you must manually synchronize user roles with Optimizely using: `await synchronizingUserService.SynchronizeAsync(claimsIdentity);`

Apr 19, 2024 10:30
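The two answers above combined into one configuration sketch, as an added example that is not code from any poster in this thread: the challenge scheme pinned on `[Authorize]`, no `AddCmsAspNetIdentity` call, and role synchronization in `OnSecurityTokenValidated`. The names `FederatedLoginSetup`, `AddFederatedLogin` and `StartPageController` are hypothetical, and the `EPiServer.Security` namespace for `ISynchronizingUserService` is an assumption; the configuration keys are the ones from the question.

```csharp
using System.Security.Claims;
using EPiServer.Security; // assumed namespace of ISynchronizingUserService
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class FederatedLoginSetup // hypothetical helper
{
    public static void AddFederatedLogin(this IServiceCollection services, IConfiguration config)
    {
        // Fix 2 from the thread: services.AddCmsAspNetIdentity<ApplicationUser>()
        // is deliberately NOT called next to this registration.
        services.AddAuthentication(o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddWsFederation(o =>
            {
                o.Wtrealm = config["EPiServer:Login:Wtrealm"];
                o.MetadataAddress = config["EPiServer:Login:MetadataAddress"];
                o.Events.OnSecurityTokenValidated = async ctx =>
                {
                    // Sync the federated identity's roles into Optimizely, as the
                    // third reply describes. Skip if no claims identity was issued.
                    if (ctx.Principal?.Identity is ClaimsIdentity identity)
                    {
                        var sync = ctx.HttpContext.RequestServices
                            .GetRequiredService<ISynchronizingUserService>();
                        await sync.SynchronizeAsync(identity);
                    }
                };
            });
    }
}

// Fix 1 from the thread: name the scheme so the challenge goes to the
// federation endpoint regardless of which default scheme wins at runtime.
[Authorize(AuthenticationSchemes = WsFederationDefaults.AuthenticationScheme)]
public class StartPageController : Controller // hypothetical controller
{
    public IActionResult Index() => View();
}
```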

Thanks. Well, I got configuration from IT services now and I was directed to use SAML2 instead, so I am devising a configuration for that, but that page contains some new info.

Apr 19, 2024 11:24

I switched to SAML2 instead, and moved the configuration to program.cs instead of startup.cs. For some reason unknown to me, the same configuration refused to work under startup.cs, but worked fine in program.cs. Maybe a timing issue.

/ Tony

Apr 30, 2024 5:28