-
-
Notifications
You must be signed in to change notification settings - Fork 291
Single sign out issue ADFS identity server integration #195
Comments
The parameters of FederatedSignOut method are: To start federated sign out process call this method in next way: |
So can you confirm that both idsrv and the RP "delete" their cookies? How does the fiddler trace look like? |
Looks like my RP is deleting the cookies. Here are the cookies before and after log off Here is what I see in the trace: I call a controller Action that initiates the federated sign out: Then i see another 302 Then I see a 200 Another 200 |
.idsrvauth is cleared. But Vijay has an .ASPXAUTH cookie at IdSrv, where does that come from? It also has the wrong path ('/'). Dominick, do you use that cookie or is it caused by something Vijay did/adapted? |
this actually looks like the RP cookies not the STS ones... |
He has an issue there too, but this one is from IdSrv. It is set on a response by IdSrv. How did he do that? And why on earth would it influence IdSrv. (I never did ASP.NET without ADFS, that explains my ignorance :-)) |
OK - I did a repro. Works for me, thats all I can do right now. I documented the sequence for you, so you can debug yourself to find out whats wrong: Fiddler trace: https://dl.dropboxusercontent.com/u/77464820/permanent/IdSrv%20signin%20and%20signout.saz and the relevant steps: 1 Start (idsrvrp) 9 Start (idsrvrp2) 14 Sign-out in idsrvrp2 |
Dominick - thanks for the trace. When I compare it to mine, everything looks the same except for a "ASPXAuth" cookie thats being set by IdSrv "Set-Cookie: .ASPXAUTH=F46DE7ABCD034845FD535FFB793BB86177C1472A2171442FF1BE539A73B077E27E991469F2377336B4A9CC7A8E4CBD5484E4B3CB98B7B45B9BABC8691225BC89C8087F3F1744C8DF95049A9E0D8D67B3C36CF23ED95684F8CE53B1BE249251D3B99543A57E7E282E34D96EC8E2F33XD8A41ED10797.......; path=/; HttpOnly" During the signout process this is not being cleared. As soon as I clear this cookie from my browser I am signed out. |
IdSrv does not issue this cookie. At least not the "unmodified" version. That must be something special about version/environment. |
You are correct. The modification I made like I mentioned in the initial forum post is implementing my own version of "IClaimsRepository" and "Thinktecture.IdentityServer.Repositories.IUserRepository" to log people in using SimpleMembership. Can this cause the problem? |
Seems so. What API do you use to "log them in" - something like WebSecurity.Authenticate(...) ? |
Here is the code (sorry for the extra fluff)
|
There you go. WebSecurity.Login sets the cookie. Simple Membership FTW! |
Darn! Thank you so much for helping me with this. Paul and you are awesome! BTW what software do you use for "looking into the code" of a microsoft dll? Paul gave me a suggestion too... |
Reflector |
Thank you again. I fixed the signout problem by calling "FormsAuthentication.SignOut" in IdentityServer's WSFederationController - Process WSFederationSignOut. |
Well - rather don't use WebSecurity.Login. That would be the appropriate fix. |
We had this conversation a couple of months ago. This is more out of ignorance than anything else. Could you tell me why you suggest that I rather not use SimpleMembership? I am curious to know so I can talk to the Sr.Architect on the project about this. |
Why do you use it - and took the burden to change plain IdSrv? ;) I don't mean to throw out simple membership - just don't use the Login API since it seems to combine credential validation and setting a cookie. Both operations must be available separately somehow |
We changed identity server only because we needed to authenticate against a custom user store. That's why we use simple membership. Now how would I go about using my custom "user" table and still use the login methods of identity server ? Sent from my iPad On May 2, 2013, at 1:00 PM, "Dominick Baier" notifications@github.com wrote:
|
Implementing IUserRepository and IClaimsRepository. Thats totally fine. In IUserRepository you return true/false in ValidateUser - that's all. |
ok I took your advice and since there arent any methods to ONLY validate a user and not sign them in, in SimpleMembership, I log them in and log them off immediately. I know this is a "hack", but can't think of anything else (other than checking the username and decrypted password myself). Thank you again for your help
|
lol - that's the source code of WebSecurity.Login ;) public static bool Login(string userName, string password, bool persistCookie = false) Do I need so say more? ;) |
Personally i don't like SimpleMembership at all, I've had issues with this when using sql azure as the backing store amongst other issues with its dependancies. Sent using an HTC 8x Windows Phone 8 -----Original Message----- We changed identity server only because we needed to authenticate against a custom user store. That's why we use simple membership. Now how would I go about using my custom "user" table and still use the login methods of identity server ? Sent from my iPad On May 2, 2013, at 1:00 PM, "Dominick Baier" notifications@github.com wrote:
— |
Is there documentation on how "sign out" works in IdentityServer? I am using a custom user store and with your help from a couple of months ago, I implemented my own version of "IClaimsRepository" and "Thinktecture.IdentityServer.Repositories.IUserRepository" to log people in using SimpleMembership.
Now when the user hits log off from the web application - I call this piece of code:
WSFederationAuthenticationModule.FederatedSignOut(new Uri(Url.Action("CompleteLogOff", "Account", routeValues: null, protocol: Request.Url.Scheme)), null);
but the next time I click log in - it logs me in automatically. This is not what I expected. I expect it to log me off of all relying parties.
I tried a couple of variations of SignOutRequestMessage, but nothing seems to work for me.
Just a little more steps that I did:
In "Chrome" when I delete ONLY the cookies using the developer tools, that still does not fix the problem. However when I delete the entire browsing data (cache, cookies...) it seems to work fine.
The text was updated successfully, but these errors were encountered: