
Signout issue - SSO URL is not expiring even after logout #8673

Closed
agnimitra opened this issue May 16, 2018 — with docs.microsoft.com · 12 comments

@agnimitra (Author) commented May 16, 2018 — with docs.microsoft.com

I did use the delegate option and am able to sign users in programmatically by generating an SSO URL (generateSsoUrl). Now I have a problem with signing out: once a user tries to sign out from the Azure APIM Developer portal, Microsoft delegates the call to our Custom Authentication server, we end the user's session, and we redirect them back to the base URL of the developer portal. Here the user sees the Sign-In option again.

However, if I paste the previous SSO URL (generateSsoUrl) into the browser, it allows the user to log in, which is a security violation.

Has anyone faced a similar issue? Please suggest.

I also have submitted an Idea on feedback forum https://feedback.azure.com/forums/34192--general-feedback/suggestions/34249135-apim-delegate-signout-issue-sso-url-expiration

And I have asked the same question on StackOverflow as well.
https://stackoverflow.com/questions/50344357/apim-delegate-signout-issue-sso-url-expiration

Please help me out.


@kobulloc-MSFT (Contributor) commented May 16, 2018

@agnimitra Thank you for the feedback! We are investigating this and will get back to you shortly.

@kobulloc-MSFT (Contributor) commented May 21, 2018

@agnimitra We're better equipped to address document issues than product bugs, but I want to make sure that this reaches the right people. Azure feedback is a great place to start. Thank you for submitting feedback there.

Additionally, I would like you to email AzCommunity@microsoft.com with a brief description of what you have encountered, your Subscription ID, and a link to this thread to make tracking easier. This will allow us to follow up on your issue.

I am also reaching out internally to further investigate the issue.

@kobulloc-MSFT (Contributor) commented May 21, 2018

@agnimitra Upon further investigation it appears that when you sign out from the portal, you are only terminating the portal session and not the user session. When you are pasting the URL, you're creating a new portal session with your still valid user session.

@agnimitra (Author) commented May 22, 2018 — with docs.microsoft.com

@kobulloc-MSFT you are right, the user session has not been terminated correctly. The user session is created by calling the APIM RESTful API (generateSsoUrl). Microsoft Azure should provide a similar kind of API to terminate that session, or to terminate the APIM session of a user.

Meanwhile, I have sent an email to AzCommunity@microsoft.com with details.

@agnimitra (Author) commented May 22, 2018 — with docs.microsoft.com

@kobulloc-MSFT I understand that this forum is for "Documentation Feedback". Then I would request you to please document the "Sign-out" option/steps in detail :) . I did look into the sample application for delegate, which also does not explain my scenario and has the same defect.

@kobulloc-MSFT (Contributor) commented May 23, 2018

@agnimitra Absolutely. I think that adding sign out options would complement our document's existing sign in options. I've reached out internally and I believe we may have some solutions that will help.

@vladvino If possible, let's add some sign out information to this document.

@agnimitra (Author) commented Jun 8, 2018

Hi @vladvino,
Any update on this?

Due to this security vulnerability, we cannot release our product.

@kobulloc-MSFT (Contributor) commented Jun 11, 2018

@agnimitra As a quick update, we are looking into this and may have some solutions. Hopefully we will have an answer for you soon.

@kobulloc-MSFT (Contributor) commented Jun 12, 2018

@agnimitra For now, there is no "sign out" for the SSO URL; however, we will be updating the API to allow you to specify a custom TTL when getting an SSO URL (example: between 1 second and 5 minutes). This will effectively terminate the user session when the portal session is terminated. This will probably be available in the preview version of the API, perhaps in a month or so.

I believe that this will address your concerns; however, if you have a more specific request, user suggestions are read and implemented (by real people) at https://feedback.azure.com, and that will be your best option moving forward.

As we've already gone beyond the scope of a document change, we are going to close this thread as resolved but if there are any further questions regarding this matter (within the context of something we can add to the document), please tag me in your reply and we will be happy to continue the conversation.
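
A constructed Python model of the two-session behaviour @kobulloc-MSFT describes in this thread (a "user session" created when the SSO URL is issued, a separate "portal session" created when the URL is redeemed) and of the TTL mitigation proposed in the comment above. This is an added example, not Azure API Management code or anything from the documentation; the `DelegationModel` class, its `generate_sso_url`/`redeem`/`portal_sign_out` methods, the `developer.example` URL and the `single_use` option are assumptions chosen to mirror the thread. It shows that portal sign-out alone leaves a pasted SSO URL valid, that a shorter TTL only narrows the replay window, and that single-use redemption closes it.

```python
"""Constructed model of the two sessions discussed in this thread.

This is an added illustration, not Azure API Management code: the class,
URL shape and method names are assumptions chosen to mirror the thread.
A "user session" is created when an SSO URL is issued; a separate "portal
session" is created when that URL is redeemed. Portal sign-out ends only the
portal session, so the SSO URL can be replayed until its TTL runs out.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SsoGrant:
    user_id: str
    issued_at: float
    ttl_seconds: float
    redeemed: bool = False


class DelegationModel:
    """Toy stand-in for the portal side of APIM delegation (assumption)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.grants: Dict[str, SsoGrant] = {}          # token -> user session
        self.portal_sessions: Dict[str, str] = {}      # session id -> user id

    def generate_sso_url(self, user_id: str, ttl_seconds: float = 300) -> str:
        """Issue an SSO URL; the grant behind it is the 'user session'."""
        token = secrets.token_urlsafe(32)
        self.grants[token] = SsoGrant(user_id, self.clock(), ttl_seconds)
        return f"https://developer.example/signin-sso?token={token}"  # constructed URL

    def redeem(self, url: str, single_use: bool = False) -> Optional[str]:
        """Open a portal session from an SSO URL, or return None if refused."""
        token = url.rsplit("token=", 1)[-1]
        grant = self.grants.get(token)
        if grant is None:
            return None
        if self.clock() - grant.issued_at > grant.ttl_seconds:
            return None                         # TTL elapsed
        if single_use and grant.redeemed:
            return None                         # already exchanged once
        grant.redeemed = True
        session_id = secrets.token_urlsafe(16)
        self.portal_sessions[session_id] = grant.user_id
        return session_id

    def portal_sign_out(self, session_id: str) -> None:
        """What the portal's sign-out does: drop the portal session only."""
        self.portal_sessions.pop(session_id, None)


def replay_after_sign_out(ttl_seconds: float, elapsed: float, single_use: bool) -> bool:
    """True if a pasted SSO URL still opens a portal session after sign-out.

    Sign in via the URL, sign out of the portal, wait `elapsed` seconds
    (simulated clock), then paste the same URL again.
    """
    now = [1_000.0]
    model = DelegationModel(clock=lambda: now[0])
    url = model.generate_sso_url("alice", ttl_seconds)
    session_id = model.redeem(url, single_use)
    assert session_id is not None, "first sign-in must succeed"
    model.portal_sign_out(session_id)
    now[0] += elapsed
    return model.redeem(url, single_use) is not None


if __name__ == "__main__":
    # The reported defect: 5-minute TTL, URL pasted again one minute later.
    print("replay with 5 min TTL:", replay_after_sign_out(300, 60, False))   # True
    # Short TTL, as proposed in the thread: the URL has expired by then.
    print("replay with 5 s TTL:  ", replay_after_sign_out(5, 60, False))     # False
    # Single-use redemption closes the window regardless of TTL.
    print("replay, single-use:   ", replay_after_sign_out(300, 60, True))    # False
```

The simulated clock lets the three cases run instantly. A short TTL (the change the thread says was planned) is the right setting to pick when the URL is generated immediately before the redirect, since the portal redeems it within seconds; treating the URL as single-use is the stricter property to ask for, because it does not depend on how quickly the redirect happens.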

@agnimitra (Author) commented Jun 16, 2018

Thanks @kobulloc-MSFT for the updates. Is there any way I can be notified of this feature once it's released (added to any preview version)?

@kobulloc-MSFT (Contributor) commented Jun 25, 2018

@agnimitra Let me find out the best way to track this, and I'll update you shortly.

@kobulloc-MSFT (Contributor) commented Jun 29, 2018

@agnimitra The Azure roadmap will keep you informed on new Azure releases, and you can subscribe to get alerts so you don't miss out on anything. I hope this helps!
