I have set up the Thinktecture server and have 2 web apps that use it for logging in, say WebA and WebB. Single SignOn works fine - I log in from WebA and I don't need to log in from WebB.
However, when I try to log out from WebA then the HTTP response from the identity server only includes the signout cleanup message from WebA, WebB is still logged on. The HTML on the Thinktecture signout page only includes the iframe with the signout cleanup message for the application where I pressed the logout button.
The same happens if I log out of WebB, WebA is not logged out. When I navigate to the site where I did not press the logout button I'm logged on automatically.
Any ideas why this happens? Something in web.config? Something in the Thinktecture settings?
At sign in, IdSrv writes a cookie that keeps track of all sites you log in. Can you verify that this is written correctly - and has the correct content?
Do you mean the cookie called idsrvauth? The contents of that cookie are encrypted. How can I verify that the contents are correct?
Is the name.
That is always set to the URL where I pressed the signout button.
I'm trying to do the following:
What am I doing wrong?
I pressed the close button by mistake...
I have to repro that. This will take some days.
If you want to investigate yourself, put a breakpoint in the WSFederationController (in the protocols assembly).
In the meantime I want to check something with you. At which step is the wsfedsignout cookie supposed to be set exactly? Fiddler is telling me the following:
Is the wsfedsignout cookie supposed to be set at sign in or sign out?
OK - I did a repro. Works for me, that's all I can do right now. I documented the sequence for you, so you can debug yourself to find out what's wrong:
Fiddler trace: https://dl.dropboxusercontent.com/u/77464820/permanent/IdSrv%20signin%20and%20signout.saz
and the relevant steps:
1 Start (idsrvrp)
2 Try to access protected resource, redirect to wsfed endpoint
3 Not authenticated at sts, redirect to login page
5 Login successful, set login cookie (idsrvauth)
6 WS-Fed response, set signout cookie for idsrvrp (wsfedsignout)
7 Set fedauth cookie in idsrvrp
8 Access idsrvp protected resource
9 Start (idsrvrp2)
10 Try to access protected resource, redirect to wsfed endpoint
11 Access WS-Fed endpoint (already authenticated via idsrvauth cookie)
   WS-Fed response, add idsrvp2 to wsfedsignout cookie
12 Set fedauth cookie in idsrvrp2
13 Access idsrvrp2 protected resource
14 Sign-out in idsrvrp2
15 Hit STS signout endpoint
   Clear idsrvauth cookie
   Clear wsfedsignout cookie
   Render sign-out iframes
16 Signout cleanup idsrvrp (clear fedauth cookie)
17 Signout cleanup idsrvrp2 (clear fedauth cookie)
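The sequence above, as an added in-memory model that is not code from Thinktecture IdentityServer or from anyone in this thread: one STS and two relying parties walk through the same steps (login cookie idsrvauth, the wsfedsignout cookie growing by one realm per WS-Fed response, both STS cookies cleared at sign-out, one wsignoutcleanup1.0 iframe rendered per tracked RP, each RP dropping its fedauth cookie). The cookie names come from the thread; the '|'-separated cookie layout, the class names, the RP URLs and the user name are assumptions for the example. The result dictionary is the check you would do against a Fiddler trace: the cookie must list both RPs before sign-out, the sign-out page must contain two iframes, and no RP may still be signed in afterwards.

```python
"""Constructed model of the WS-Federation single sign-out steps in the thread."""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlencode

WSIGNOUTCLEANUP = "wsignoutcleanup1.0"  # WS-Federation clean-up action (wa=)


@dataclass
class RelyingParty:
    name: str
    url: str  # assumed RP base URL, e.g. https://localhost/idsrvrp/
    cookies: dict = field(default_factory=dict)

    def accept_token(self, token: str) -> None:
        # Steps 7 / 12: the RP turns the WS-Fed token into its fedauth cookie
        self.cookies["fedauth"] = token

    def signout_cleanup(self, query: str) -> None:
        # Steps 16 / 17: the STS iframe calls the RP with wa=wsignoutcleanup1.0
        if query == urlencode({"wa": WSIGNOUTCLEANUP}):
            self.cookies.pop("fedauth", None)

    @property
    def signed_in(self) -> bool:
        return "fedauth" in self.cookies


@dataclass
class Sts:
    cookies: dict = field(default_factory=dict)

    def login(self, user: str) -> None:
        # Step 5: successful login sets the STS session cookie
        self.cookies["idsrvauth"] = f"session-for-{user}"

    def wsfed_signin(self, rp: RelyingParty) -> str | None:
        # Step 3: without an STS session the caller is sent to the login page
        if "idsrvauth" not in self.cookies:
            return None
        # Steps 6 / 11: assumed layout, wsfedsignout is a '|'-separated RP list
        realms = [r for r in self.cookies.get("wsfedsignout", "").split("|") if r]
        if rp.url not in realms:
            realms.append(rp.url)
        self.cookies["wsfedsignout"] = "|".join(realms)
        return f"token-for-{rp.url}"

    def signout(self) -> list[str]:
        # Step 15: clear both STS cookies, one clean-up URL per tracked RP
        realms = [r for r in self.cookies.pop("wsfedsignout", "").split("|") if r]
        self.cookies.pop("idsrvauth", None)
        return [f"{r}?{urlencode({'wa': WSIGNOUTCLEANUP})}" for r in realms]


def render_signout_page(cleanup_urls: list[str]) -> str:
    # The sign-out page the thread inspects: one hidden iframe per RP
    iframes = "".join(
        f'<iframe src="{u}" style="visibility:hidden"></iframe>' for u in cleanup_urls
    )
    return f"<html><body>{iframes}</body></html>"


def run_scenario() -> dict:
    """Replays steps 1-17 and returns the values worth checking in a trace."""
    sts = Sts()
    rp1 = RelyingParty("idsrvrp", "https://localhost/idsrvrp/")   # constructed
    rp2 = RelyingParty("idsrvrp2", "https://localhost/idsrvrp2/")  # constructed
    redirected = sts.wsfed_signin(rp1) is None  # steps 2-3: not yet authenticated
    sts.login("alice")                          # step 5 (constructed user)
    rp1.accept_token(sts.wsfed_signin(rp1))     # steps 6-7
    rp2.accept_token(sts.wsfed_signin(rp2))     # steps 11-12, no login prompt
    tracked = sts.cookies["wsfedsignout"]
    urls = sts.signout()                        # steps 14-15, triggered from rp2
    page = render_signout_page(urls)
    for rp in (rp1, rp2):                       # the browser loads every iframe
        for u in urls:
            base, _, query = u.partition("?")
            if base == rp.url:
                rp.signout_cleanup(query)
    return {
        "first_request_redirected_to_login": redirected,
        "tracked_before_signout": tracked,
        "iframe_count": page.count("<iframe"),
        "still_signed_in": [rp.name for rp in (rp1, rp2) if rp.signed_in],
        "sts_cookies_left": sorted(sts.cookies),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The symptom described at the top of the thread corresponds to `iframe_count` being 1 and `still_signed_in` naming the other RP; in a real trace that means the wsfedsignout cookie set at step 6 was not sent back and extended at step 11, which is the cookie to inspect first.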
I'm currently working on installing Idsrv using the latest update of the Identity and Access Tool in Visual Studio. I'll close this thread and open a new one if necessary after redoing the whole setup chain.