Decoding FedAuth Token

By Wayne Clifford Barker | April 4, 2017

This turned out to be a tricky topic. I was banging my head against the wall for a few hours and could not get my initial solution working. I was aiming to retrieve the SAML XML that I know is locked inside the FedAuth cookie. Alas, I could not get that working, but I did manage to get another solution.

I created a Windows Forms application that you will be able to download from here (source included). The application decodes the FedAuth base64 string that was extracted in the previous article and then transforms it into a SessionSecurityToken using a certificate that you can select from a list of available certificates.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.IdentityModel.Tokens;
using System.Text;

private SessionSecurityToken decodeToken(string decodedFedAuthCookieXml)
{
    SessionAuthenticationModule m = new SessionAuthenticationModule();
    m.FederationConfiguration = new FederationConfiguration(false);
    // The selected certificate must hold the private key the relying party used to encrypt and sign the token.
    m.FederationConfiguration.ServiceCertificate = GetCertificate(cmbCertificates.SelectedItem.ToString());
    m.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();

    // Cookie transforms; WIF applies them in reverse when reading (verify signature, decrypt, inflate).
    var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(m.FederationConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(m.FederationConfiguration.ServiceCertificate)
    });
    var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    // Register the handler so the module reads the cookie with these transforms.
    m.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);

    byte[] cookieBytes = Encoding.UTF8.GetBytes(decodedFedAuthCookieXml);
    SessionSecurityToken token = m.ReadSessionTokenFromCookie(cookieBytes);

    return token;
}
```

It then prints out the identity and the claims that are provided within the SessionSecurityToken. For security reasons I am not displaying the decoded claims.
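The same decode outside a Windows Forms app, as an added example that is not the article's tool or its source: it drives SessionSecurityTokenHandler directly with the three cookie transforms, base64-decodes the raw cookie value, and reports the token's validity window and claim types without printing claim values. The class and method names (FedAuthInspector, DecodeFedAuthCookie, SummarizeToken) are assumptions, and the caller is assumed to have joined any FedAuth1, FedAuth2, ... chunks onto the FedAuth value in order before calling.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Assumed names: FedAuthInspector, DecodeFedAuthCookie and SummarizeToken are illustrative, not from the article.
static class FedAuthInspector
{
    // cookieValue: the reassembled FedAuth cookie value (FedAuth + FedAuth1 + ... in order).
    // cert: the relying party's service certificate, which must include its private key.
    public static SessionSecurityToken DecodeFedAuthCookie(string cookieValue, X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new ArgumentException("Decryption needs the certificate's private key.", nameof(cert));
        // Same chain as the article's tool; WIF applies it in reverse when reading:
        // verify the RSA signature, RSA-decrypt, then inflate.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        }.AsReadOnly();
        var handler = new SessionSecurityTokenHandler(transforms) { Configuration = new SecurityTokenHandlerConfiguration() };
        // The cookie value is base64 of the serialized token bytes, not UTF-8 text.
        byte[] tokenBytes = Convert.FromBase64String(cookieValue);
        return handler.ReadToken(tokenBytes);
    }

    // Reports what a troubleshooter needs (validity window, identities, claim types) without claim values.
    public static string SummarizeToken(SessionSecurityToken token, DateTime nowUtc)
    {
        var lines = new List<string>
        {
            $"Valid {token.ValidFrom:u} .. {token.ValidTo:u} ({(nowUtc > token.ValidTo ? "EXPIRED" : "current")})",
            $"ReferenceMode={token.IsReferenceMode} Persistent={token.IsPersistent}"
        };
        foreach (ClaimsIdentity id in token.ClaimsPrincipal.Identities)
        {
            lines.Add($"Identity auth={id.AuthenticationType} claims={id.Claims.Count()}");
            foreach (Claim c in id.Claims)
                lines.Add($"  {c.Type} (issuer: {c.Issuer})");
        }
        return string.Join(Environment.NewLine, lines);
    }
}
```

An expired ValidTo or a certificate without its private key are the two conditions that most often make the decode fail, so the summary surfaces the first and the guard rejects the second up front.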


Category: Troubleshooting

About Wayne Clifford Barker

I am a husband, father, blogger, gardener, fish keeper and cyclist. In my professional capacity I am the solution architect and technical lead for the Assima Core Team. My team and I are responsible for all the infrastructure and cross-cutting concerns of the product: security, diagnostics and auditing. We are also responsible for scaling, deployment, hosting, performance testing and load testing. It is difficult to put me in a box and say “This is what I can do as a person”; as technology and requirements change every year, my skills change. In the end I help engineer sustainable business solutions.

3 thoughts on “Decoding FedAuth Token”

  1. Pingback: Decoding FedAuth cookies – Wayne Clifford Barkers' Blog

  2. brah

    Your link to the source is broken. Thank you so much for this! Saved me a lot of time.

    1. Wayne Clifford Barker

      Thank you for letting me know. The link has been fixed. 🙂
