Single signout not tracking all consuming applications? #197

Closed
andrasnemes opened this Issue Apr 29, 2013 · 10 comments


@andrasnemes

Hello,

I have set up the Thinktecture server and have 2 web apps that use it for logging in, say WebA and WebB. Single SignOn works fine - I log in from WebA and I don't need to log in from WebB.

However, when I try to log out from WebA then the HTTP response from the identity server only includes the signout cleanup message from WebA, WebB is still logged on. The HTML on the Thinktecture signout page only includes the iframe with the signout cleanup message for the application where i pressed the logout button.

The same happens if I log out of WebB, WebA is not logged out. When I navigate to the site where i did not press the logout button I'm logged on automatically.

Any ideas why this happens? Something in web.config? something in the Thinktecture settings?

Thanks,
Andras

Owner

At sign in, IdSrv writes a cookie that keeps track of all sites you log in to. Can you verify that this is written correctly - and has the correct content?

Do you mean the cookie called idsrvauth? The contents of that cookie are encrypted. How can I verify that the contents are correct?

Owner

Wsfedsignout is the name.

That is always set to the URL where I pressed the signout button.
I'm trying to do the following:

  • I have two localhost apps, localhost:2533 and localhost:2534.
  • I run localhost:2533 and localhost:2534
  • I log on from localhost:2533 and select the rememberme option
  • I get logged on to localhost:2534 as well
  • I press Logoff in localhost:2533 and I'm redirected to the IdSrv signout page
  • the wsfedsignout cookie is set to localhost:2533, nothing else. Is this correct? I don't see localhost:2534 in that cookie
  • I don't see the cleanup message for localhost:2534 in the html of the signout page
  • I'm still logged in on localhost:2534 and can view all protected pages

What am I doing wrong?

I pressed the close button by mistake...

@andrasnemes andrasnemes reopened this Apr 30, 2013
Owner

I have to repro that. This will take some days.

If you want to investigate yourself, put a breakpoint in the WSFederationController (in the protocols assembly).

OK.

In the meantime I want to check something with you. At which step is the wsfedsignout cookie supposed to be set exactly? Fiddler is telling me the following:

Is the wsfedsignout cookie supposed to be set at sign in or sign out?

Owner

OK - I did a repro. Works for me, that's all I can do right now. I documented the sequence for you, so you can debug yourself to find out what's wrong:

Fiddler trace: https://dl.dropboxusercontent.com/u/77464820/permanent/IdSrv%20signin%20and%20signout.saz

and the relevant steps:

1 Start (idsrvrp)
2 Try to access protected resource, redirect to wsfed endpoint
3 Not authenticated at sts, redirect to login page
5 Login successful, set login cookie (idsrvauth)
6 WS-Fed response, set signout cookie for idsrvrp (wsfedsignout)
7 Set fedauth cookie in idsrvrp
8 Access idsrvrp protected resource

9 Start (idsrvrp2)
10 Try to access protected resource, redirect to wsfed endpoint
11 Access WS-Fed endpoint (already authenticated via idsrvauth cookie)
   WS-Fed response, add idsrvrp2 to wsfedsignout cookie
12 Set fedauth cookie in idsrvrp2
13 Access idsrvrp2 protected resource

14 Sign-out in idsrvrp2
15 Hit STS signout endpoint
   Clear idsrvauth cookie
   Clear wsfedsignout cookie
   Render sign-out iframes
16 Signout cleanup idsrvrp (clear fedauth cookie)
17 Signout cleanup idsrvrp2 (clear fedauth cookie)

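The sequence above boils down to one piece of STS-side bookkeeping: every `wsignin1.0` request appends the relying party's realm to the `wsfedsignout` cookie, and `wsignout1.0` renders one `wsignoutcleanup1.0` iframe per recorded realm. The following is an added example that models that bookkeeping against an in-memory cookie jar; it is not IdentityServer's own code. The function names (`wsfed_signin`, `wsfed_signout`, `tracked_realms`), the `|`-separated cookie encoding, the placeholder ticket value and the test account are assumptions for illustration. It also includes the "overwrite instead of append" variant that reproduces the symptom reported in this thread (only the last RP appears in the cookie and in the sign-out page), so the two behaviours can be compared side by side.

```python
AUTH_COOKIE = "idsrvauth"        # login cookie set at step 5 of the trace
SIGNOUT_COOKIE = "wsfedsignout"  # realms signed in during this session (steps 6 and 11)
SEPARATOR = "|"                  # assumed encoding: realms joined by '|'
VALID_CREDENTIALS = ("alice", "correct horse")   # constructed test account


class LoginRequired(Exception):
    """Raised where the real STS would redirect to its login page (step 3)."""


def tracked_realms(jar: dict) -> list:
    """Decode the realms recorded in the wsfedsignout cookie (empty if absent)."""
    return [r for r in jar.get(SIGNOUT_COOKIE, "").split(SEPARATOR) if r]


def _authenticate(jar: dict, credentials) -> None:
    """Steps 3-5: if no idsrvauth cookie exists, require a valid login and set it."""
    if AUTH_COOKIE in jar:
        return                           # step 11: already authenticated at the STS
    if credentials != VALID_CREDENTIALS:
        raise LoginRequired("no idsrvauth cookie and no valid login")
    jar[AUTH_COOKIE] = "session-token"   # placeholder for the encrypted ticket


def wsfed_signin(jar: dict, realm: str, credentials=None) -> list:
    """Handle wa=wsignin1.0&wtrealm=<realm> against the browser's cookie jar.

    Correct behaviour: the realm is APPENDED to wsfedsignout, so every RP that
    signed in during the session is remembered.  Returns the realms now tracked.
    """
    _authenticate(jar, credentials)
    realms = tracked_realms(jar)
    if realm not in realms:
        realms.append(realm)
    jar[SIGNOUT_COOKIE] = SEPARATOR.join(realms)
    return realms


def wsfed_signin_overwriting(jar: dict, realm: str, credentials=None) -> list:
    """The failure mode described in this thread: the cookie is REPLACED with
    the current realm, so only the last RP is remembered and later signed out."""
    _authenticate(jar, credentials)
    jar[SIGNOUT_COOKIE] = realm
    return tracked_realms(jar)


def wsfed_signout(jar: dict) -> tuple:
    """Handle wa=wsignout1.0 (steps 15-17): clear both STS cookies and render one
    wsignoutcleanup1.0 iframe per tracked realm.  Returns (cleanup URLs, HTML)."""
    realms = tracked_realms(jar)
    jar.pop(AUTH_COOKIE, None)
    jar.pop(SIGNOUT_COOKIE, None)
    urls = [f"{r}?wa=wsignoutcleanup1.0" for r in realms]
    html = "\n".join(f'<iframe src="{u}" style="display:none"></iframe>' for u in urls)
    return urls, html


if __name__ == "__main__":
    # Walk the two-RP scenario from the thread with the appending (correct) handler.
    jar = {}
    wsfed_signin(jar, "http://localhost:2533/", VALID_CREDENTIALS)
    wsfed_signin(jar, "http://localhost:2534/")          # SSO: no login needed
    print("tracked before sign-out:", tracked_realms(jar))
    urls, html = wsfed_signout(jar)
    print("cleanup iframes rendered:", len(urls))       # 2: both RPs get cleaned up

    # Same walk with the overwriting handler: the sign-out page only knows one RP.
    bad = {}
    wsfed_signin_overwriting(bad, "http://localhost:2533/", VALID_CREDENTIALS)
    wsfed_signin_overwriting(bad, "http://localhost:2534/")
    print("tracked before sign-out (overwriting):", tracked_realms(bad))
    print("cleanup iframes rendered (overwriting):", len(wsfed_signout(bad)[0]))
```

To check a live setup against this model, capture the WS-Fed response for the second RP and compare the `Set-Cookie: wsfedsignout=...` header with the one from the first sign-in: the second value should be a superset of the first, and the sign-out page should contain one cleanup iframe per realm. A cookie that only ever holds the most recent realm points at the sign-in path, not the sign-out path.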
Owner

Any comments?

I'm currently working on installing Idsrv using the latest update of the Identity and Access Tool in Visual Studio. I'll close this thread and open a new one if necessary after redoing the whole setup chain.
