Signout from ExternalProvider and 2FA #98

Open
skoruba opened this issue Oct 10, 2020 · 2 comments

skoruba commented Oct 10, 2020

Hi @damienbod

When I want to sign in via an external OIDC provider and 2FA is required, I am redirected to the login page with 2FA, which works well. But after that I get the claim called idp, but with the value local - the information about the external IdP is gone.

After an attempt to sign out, the redirect to the external provider is not executed because the claim idp is local, not oidc.

if (idp != null && idp != IdentityServer4.IdentityServerConstants.LocalIdentityProvider)

Do you have any idea how to configure these things for the following scenario?

Thanks!

Jan

@damienbod
Owner

@skoruba

Hi Jan

The external claims are not mapped to the Principal from the "local" user. You can map these as required in the account controller method which handles the callback from the external provider. In this method the external principal is cleaned up, so you can change this and persist this as needed.

Greetings Damien

@skoruba
Author

skoruba commented Oct 11, 2020

Hello @damienbod
Thank you for your idea - I probably solved this issue with a custom implementation of SignInManager and the method SignInWithClaimsAsync - https://github.com/skoruba/IdentityServer4.Admin/blob/dev/src/Skoruba.IdentityServer4.STS.Identity/Helpers/ApplicationSignInManager.cs#L60-L66

I think this issue was connected to this behaviour of idp claim here:
https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/src/Hosting/IdentityServerAuthenticationService.cs#L125-L143

In this method - SignInWithClaimsAsync - we also added the id_token for correct signout from the external IdP.

Thanks!

Jan
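
An added sketch of the approach described in the comment above (it is not part of the original thread and not the code in the linked repository): a SignInManager subclass whose SignInWithClaimsAsync copies the external provider name into the idp claim and carries the provider's id_token into the local session, so the sign-out check on idp still sees the external provider after 2FA. The class name is hypothetical, and the sketch assumes ASP.NET Core Identity 3.x, that the external cookie is still readable on this request, and that the external OIDC handler saves tokens (SaveTokens = true).

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;                       // JwtClaimTypes
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical name; register with AddSignInManager<ExternalAwareSignInManager<TUser>>().
public class ExternalAwareSignInManager<TUser> : SignInManager<TUser> where TUser : class
{
    public ExternalAwareSignInManager(UserManager<TUser> users, IHttpContextAccessor accessor,
        IUserClaimsPrincipalFactory<TUser> factory, IOptions<IdentityOptions> options,
        ILogger<SignInManager<TUser>> logger, IAuthenticationSchemeProvider schemes,
        IUserConfirmation<TUser> confirmation)
        : base(users, accessor, factory, options, logger, schemes, confirmation) { }

    public override async Task SignInWithClaimsAsync(TUser user,
        AuthenticationProperties authenticationProperties, IEnumerable<Claim> additionalClaims)
    {
        var claims = additionalClaims?.ToList() ?? new List<Claim>();
        var props = authenticationProperties ?? new AuthenticationProperties();

        // Only act when this request still carries the temporary external-login cookie.
        var external = await Context.AuthenticateAsync(IdentityConstants.ExternalScheme);
        if (external?.Succeeded == true)
        {
            // Identity passes the external provider as ClaimTypes.AuthenticationMethod.
            // Copy it to "idp" so the claim is not filled in later as "local".
            var method = claims.FirstOrDefault(c => c.Type == ClaimTypes.AuthenticationMethod);
            if (method != null && claims.All(c => c.Type != JwtClaimTypes.IdentityProvider))
                claims.Add(new Claim(JwtClaimTypes.IdentityProvider, method.Value));

            // Keep the provider's id_token so sign-out can send it back to the external IdP.
            var idToken = external.Properties?.GetTokenValue("id_token");
            if (idToken != null)
                props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = idToken } });
        }

        await base.SignInWithClaimsAsync(user, props, claims);
    }
}
```
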
