New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Single logout not working in asp.net core #1092
Comments
I believe User is being populated by context.ToHttpRequestData( ... ) (source code in Sustainsys.Saml2.AspNetCore2 / HttpRequestExtensions.cs ) Were you able to debug further information or fix it? |
Facing a similar issue here, but I believe this is because somewhere we need to set these two claim types:
I can't figure how to add them. |
@arthurmmedeiros I happen to have implemented what you suggest today. Not sure yet, if it’s the intended way, but I have stored the claims in a cookie each and add them in a middleware to the user via a new identity. I have already been using a cookie authentication scheme to do the actual sign in and sign out because SAML2 support is optional in my app. Still, I’ve been wondering if there is an existing solution in ASP.NET Core to keep the claims in the session. Haven’t found any in the code of this project. Maybe this helps you or someone else to get going. Ideally, we all learn an even better way to do it here 😉 |
Hey @mklinke , nice to know you were able to implement it. Is there any chance you could share how you managed to store the claims in a cookie? Also, how did you add a new identity? Is everything set in the StartUp? |
@arthurmmedeiros Sure. I've created two methods to convert between Claim and string (to store in the cookie), using the WriteTo method and the Claim constructor accepting a BinaryReader. In addition, I'm using a cookie scheme to create the cookies on sign in. I'm setting the Saml2Options.SignInScheme to that cookie scheme. Then, in the cookie options (CookieAuthenticationOptions), I'm setting the Events.OnSignedIn Func to append a cookie to the request for the two claims that I retrieve from the context.Principal. To restore the claims from the cookies, I've created a new middleware to read the cookie values and add an identity to the context.Principal. The middleware is registered after the authentication middleware so that the principal is populated. If there is no principal, you can directly create one with the identity, too. Otherwise, just add the identity to the existing principal. As I said, it seems pretty basic and I'd hoped that this would be covered by some existing implementation, but I couldn't find any. Looking further into the ASP.NET Core Identity model might reveal some insights, but I don't have the capacity for that atm. Let me know if you have further questions, I'll try to answer if I can. I was glad to find this project to support SAML2 in ASP.NET Core and I'm happy to return/forward some of the experience. Of course, I'd be curious if there is a better/existing way to do this. Please let me know if you find one. HTH and good luck. |
Huuge +1 here. @AndersAbel would you mind to chime in and perhaps explain a little bit on how it was planned to save/restore claims info between requests? In the sample app I can see this class which I assume should do it
but that |
Maybe this will help someone that is having the same issue: if you're using the https://github.com/dotnet/aspnetcore/blob/v3.1.4/src/Identity/Core/src/SignInManager.cs#L214-L222 |
Non Security Issues
Single logout is not working in Asp.net core
Information needed
Sustainsys.Saml2.AspNetCore2 packages is being using to consume SAML from ADFS 4.0
When I initiate single logout by calling "Saml2/Logout".
i)Saml2Handler>HandleRequestAsync method is called
ii) Then in LogoutCommand>InitiateLogout is called at some point.
Here request.User should not be null so that "AuthServicesClaimTypes.LogoutNameIdentifier" and
"AuthServicesClaimTypes.SessionIndex" claims can be parsed and used to create logout Saml response.
request.User is always null it seems that code never populates it .
If you look at call to Saml2Hanlder> HandleRequestAsync. Here call to "context.ToHttpRequestData(dataProtector.Unprotect)" will never populate user.
I think this is breaking logout feature .
Additional info
The text was updated successfully, but these errors were encountered: