Decoding FedAuth Token

By | April 4, 2017

This turned out to be tricky topic. I was banging my head against the wall for a few hours and could not get my initial solution working. I was aiming to retrieve the SAML xml that I know is locked inside the FedAuth cookie. Alas I could not get that working but I did manage to get a another solution.

I created a windows forms application that you will be able to download from here.(source included). The application decodes the fedauth base64 string that was extracted in the previous article and then transforms it into a SessionSecurityToken using a certificate that you can select from a list of available certificates.

private SessionSecurityToken decodeToken(string decodedFedAuthCookieXml)
SessionAuthenticationModule m = new SessionAuthenticationModule();
m.FederationConfiguration = new System.IdentityModel.Services.Configuration.FederationConfiguration(false);
m.FederationConfiguration.ServiceCertificate = GetCertificate(cmbCertificates.SelectedItem.ToString());
m.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();

// Specifies the certificate use to decrypt the federation token.
var sessionTransforms = new List(new CookieTransform[]
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(m.FederationConfiguration.ServiceCertificate),
new RsaSignatureCookieTransform(m.FederationConfiguration.ServiceCertificate)
var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());

byte[] cookieBytes = Encoding.UTF8.GetBytes(decodedFedAuthCookieXml);
SessionSecurityToken token = m.ReadSessionTokenFromCookie(cookieBytes);

return token;

It then prints out the Identity and claims that are provided within the SessionToken. For security reason I am not displaying the decoded claims.


Category: Troubleshooting Tags: , ,

About Wayne Clifford Barker

I am a husband, father, blogger, gardener, fish keeper and cyclist. In my professional capacity I am the solution architect and technical lead for Assima Core Team. Me and my team are responsible for all the infrastructure and cross cutting concerns of the product; security, diagnostic and auditing. We are also responsible for scaling, deployment, hosting, performance testing and load testing. It is difficult to put me in a box and say “This is what I can do as a person” as technology and requirements change every year, my skills change. In the end I help engineer sustainable business solutions.

7 thoughts on “Decoding FedAuth Token

  1. Pingback: Decoding FedAuth cookies – Wayne Clifford Barkers' Blog

  2. brah

    Your link to the source is broken. Thank you so much for this! Saved me a lot of time.

    1. Wayne Clifford Barker

      Thank you for letting me know. The link has been fixed. 🙂

  3. Vivek

    I am getting MSISAuth token (As against a binary security token in the response) when sending the SAML request for authentication.
    I need FedAuth to call a sharepoint service. How do I retrieve a FedAuth cookie from MSISAuth.

  4. TonyM

    Hi Wayne,

    Unfortunately your link is still broken. Could you fix it please? That tool would be very useful to us.
    Also, how do you know which certificate to use to decode the token?
    Where can we find it?

    thank you in advance.

    1. Wayne Clifford Barker

      Hi Tony, I have mailed you with attachment directly. For some reason it appears as if all my zip files have been removed from my blog although the references remain in the wordpress db. Sorry for the inconvenience.


Leave a Reply

Your email address will not be published. Required fields are marked *