Skip to content

Token Replay Detection

January 2, 2015

Token Replay Detection is used to protect applications against replay of the issued tokens by Identity Provider Security Token Service. Active Directory Federation Services (AD FS) provides this capability when it is installed with SQL as its configuration store database. If AD FS is installed with Windows Integrated Database (WID) then this capability is not provided. When implementing AD FS services, it is common question to ask, should it be installed with WID or with full SQL back end. SQL back end provides other benefits besides token replay detection, so it should be evaluated for its full capabilities, not just token replay detection, but if you are wondering if you should use SQL while installing AD FS for token replay detection, you should fully understand in what type of federation topologies this capability is actually will be used.

The following couple diagrams are showing when token replay detection actually used and SQL back end should be used with AD FS implementation. Open them to see all the details.



  1. Yann permalink

    I’ve read some of your articles regarding federation with WAAD so maybe you already solved the issue I’m facing: is it possible to use a custom STS (or ADFS) with WAAD as IdP with Office365? In your samples, you use WAAD as IdP and ADFS as RP but a classical Claims App, never Office365.
    I use Thinktecture IdentityServer as a custom STS and it works fine while I’m using ADFS as Identity Provider. I would like to do the same using WAAD directly instead of ADFS. As I’ve set the authentication to Federated for my domain in Office365 (using Set-MsolDomainAuthentication), each time I try to authenticate into O365, I’m first redirected to my custom STS then to Azure which is OK. But then, I’m redirected back to my custom STS because of federation. It seems that O365 and WAAD are strongly linked. Is this scenario possible using a specific endpoint or a different configuration to avoid this last redirection so that WAAD really authenticates the user using Cloud identity before sending back the auth token to IdentyServer?


    • O365 uses WAAD as its identity store. when you are authenticated to WAAD – direct or via federation, you should have access to O365.


  2. Yann permalink

    Mmm, I’m not sure to understand. If I connect directly to Azure after having used Set-MsolDomainAuthentication, I’m redirected to my custom STS too, like O365. So, I’ve no way to authenticate in WAAD. I’ve tried to use Whr property of WS-Fed message with no success, I always get ERR_TOO_MANY_REDIRECTS as there is an infinite loop between my custom STS and WAAD, each expecting from the other the authentication token… Is it possible to set the Federated authentication for O365 but not for WAAD for the same domain?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: