Skip to content

Beware setting properties or registering events on the SAM and FAM

February 10, 2013

In WIF some settings or behaviors that you’d want for your application can’t be set in config. Instead these settings or behaviors need to be invoked by either setting properties or handling events on the SAM (SessionAuthenticationModule) or FAM (WSFederationAuthenticationModule). One example is enabling server-side caching of session tokens. This is done by setting the IsReferenceMode property on the SAM:

var sam = FederatedAuthentication.SessionAuthenticationModule;
sam.IsReferenceMode = true;

It seems like you’d simply want to set this globally at application start-up in Application_Start in global.asax, but unfortunately that’s not the right way to do this. The problem with this approach (and this design in WIF) is that in ASP.NET many instances of http modules are created — one for each thread processing http requests in the thread pool. This means we need to set any properties or register for any events per-instance. This then raises the question — where can we do this?

Fortunately in ASP.NET, the Init virtual method is invoked on the application class (meaning, the code you write in global.asax) each time the HttpApplication is created with all of its associated http modules. Here’s the correct place to put the code from above:

protected void Application_Start()

public override void Init()
    var sam = FederatedAuthentication.SessionAuthenticationModule;
    sam.IsReferenceMode = true;


6 Comments leave one →
  1. David Peden permalink
    February 11, 2013 1:35 pm

    Hey Brock,

    Microsoft actually recommends not setting that property at all:

    To operate in reference mode, Microsoft recommends providing a handler for the WSFederationAuthenticationModule.SessionSecurityTokenCreated event in the global.asax.cs file and setting the SessionSecurityToken.IsReferenceMode property on the token passed in the SessionSecurityTokenCreatedEventArgs.SessionToken property. This will ensure that the session token operates in reference mode for every request and is favored over merely setting the SessionAuthenticationModule.IsReferenceMode property on the Session Authentication Module.


    • February 11, 2013 2:04 pm

      Sure, but 1) the point of the post was to remind people that these properties or events can’t just be handled in App_Start, and 2) The SAM’s IsReferenceMode is used to assign the default IsReferenceMode on the SessionSecurityToken, so it’s six and one, IMO.

    • February 11, 2013 2:19 pm

      The more that I think about it, I’m willing to wager a frosty beer that the reason for the recommended approach in the docs is due to this exact ASP.NET plumbing issue and WIF’s unfortunate use of properties on the modules to configure their behaviors.

      • David Peden permalink
        February 11, 2013 2:45 pm

        I agree with you and wouldn’t take that bet. ;)

  2. Piotr permalink
    February 27, 2014 1:09 pm

    are comments disabled or is my comment too long?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: