This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

Single sign out issue ADFS identity server integration #195

Closed
vjragind opened this issue Apr 29, 2013 · 24 comments
@vjragind

Is there documentation on how "sign out" works in IdentityServer? I am using a custom user store and with your help from a couple of months ago, I implemented my own version of "IClaimsRepository" and "Thinktecture.IdentityServer.Repositories.IUserRepository" to log people in using SimpleMembership.

Now when the user hits log off from the web application - I call this piece of code:

WSFederationAuthenticationModule.FederatedSignOut(new Uri(Url.Action("CompleteLogOff", "Account", routeValues: null, protocol: Request.Url.Scheme)), null);

but the next time I click log in - it logs me in automatically. This is not what I expected. I expect it to log me off of all relying parties.

I tried a couple of variations of SignOutRequestMessage, but nothing seems to work for me.

A few more steps that I took:
In Chrome, when I delete ONLY the cookies using the developer tools, that still does not fix the problem. However, when I delete the entire browsing data (cache, cookies...) it seems to work fine.

@SergeyKhutornoy

The parameters of the FederatedSignOut method are:
signOutUrl: The URL of the STS to receive the WS-Federation sign-out request message. Cannot be null.
replyUrl: The URL to be sent as the wreply value in the sign-out request message.

To start the federated sign-out process, call the method like this:
WSFederationAuthenticationModule.FederatedSignOut(
  new Uri(FederatedAuthentication.WSFederationAuthenticationModule.Issuer),
  new Uri(FederatedAuthentication.WSFederationAuthenticationModule.Reply));

@leastprivilege
Member

So can you confirm that both idsrv and the RP "delete" their cookies? What does the Fiddler trace look like?

@vjragind
Author

Looks like my RP is deleting the cookies. Here are the cookies before and after log off:

[screenshot: RP cookies while logged in]

After Log Off:
[screenshot: RP cookies after log off]

Here is what I see in the trace:

I call a controller action that initiates the federated sign-out. I see a 302 that calls my controller action mentioned above:
http://RelyingPartyDomain/Account/LogOff

Then I see another 302:
https://adfsdomain.com/adfs/ls/?wa=wsignout1.0&wreply=http%3a%2f%2fRelyingPartyDomain%2fAccount%2fCompleteLogOff

Then I see a 200:
https://adfsdomain.com/Idsrv/issue/wsfed?wa=wsignout1.0

Another 200:
https://adfsdomain.com/adfs/ls/?wa=wsignoutcleanup1.0

@paullem

paullem commented Apr 30, 2013

.idsrvauth is cleared. But Vijay has an .ASPXAUTH cookie at IdSrv, where does that come from? It also has the wrong path ('/'). Dominick, do you use that cookie or is it caused by something Vijay did/adapted?

@leastprivilege
Member

This actually looks like the RP cookies, not the STS ones...

@paullem

paullem commented Apr 30, 2013

He has an issue there too, but this one is from IdSrv. It is set on a response by IdSrv. How did he do that? And why on earth would it influence IdSrv. (I never did ASP.NET without ADFS, that explains my ignorance :-))

@leastprivilege
Member

OK - I did a repro. Works for me, that's all I can do right now. I documented the sequence for you, so you can debug yourself to find out what's wrong:

Fiddler trace: https://dl.dropboxusercontent.com/u/77464820/permanent/IdSrv%20signin%20and%20signout.saz

and the relevant steps:

1 Start (idsrvrp)
2 Try to access protected resource, redirect to wsfed endpoint
3 Not authenticated at STS, redirect to login page
5 Login successful, set login cookie (idsrvauth)
6 WS-Fed response, set signout cookie for idsrvrp (wsfedsignout)
7 Set fedauth cookie in idsrvrp
8 Access idsrvrp protected resource

9 Start (idsrvrp2)
10 Try to access protected resource, redirect to wsfed endpoint
11 Access WS-Fed endpoint (already authenticated via idsrvauth cookie)
WS-Fed response, add idsrvrp2 to wsfedsignout cookie
12 Set fedauth cookie in idsrvrp2
13 Access idsrvrp2 protected resource

14 Sign-out in idsrvrp2
15 Hit STS signout endpoint
Clear idsrvauth cookie
Clear wsfedsignout cookie
Render sign-out iframes
16 Signout cleanup idsrvrp (clear fedauth cookie)
17 Signout cleanup idsrvrp2 (clear fedauth cookie)

@vjragind
Author

vjragind commented May 2, 2013

Dominick - thanks for the trace. When I compare it to mine, everything looks the same except for an "ASPXAuth" cookie that's being set by IdSrv:

"Set-Cookie: .ASPXAUTH=F46DE7ABCD034845FD535FFB793BB86177C1472A2171442FF1BE539A73B077E27E991469F2377336B4A9CC7A8E4CBD5484E4B3CB98B7B45B9BABC8691225BC89C8087F3F1744C8DF95049A9E0D8D67B3C36CF23ED95684F8CE53B1BE249251D3B99543A57E7E282E34D96EC8E2F33XD8A41ED10797.......; path=/; HttpOnly"

During the signout process this is not being cleared. As soon as I clear this cookie from my browser I am signed out.

@leastprivilege
Member

IdSrv does not issue this cookie. At least not the "unmodified" version. That must be something special about version/environment.

@vjragind
Author

vjragind commented May 2, 2013

You are correct. The modification I made like I mentioned in the initial forum post is implementing my own version of "IClaimsRepository" and "Thinktecture.IdentityServer.Repositories.IUserRepository" to log people in using SimpleMembership.

Can this cause the problem?

@leastprivilege
Member

Seems so.

What API do you use to "log them in" - something like WebSecurity.Authenticate(...) ?

@vjragind
Author

vjragind commented May 2, 2013

Here is the code (sorry for the extra fluff)

public bool ValidateUser(string userName, string password)
{
  if (!WebSecurity.IsAccountLockedOut(userName, AllowedLoginAttempts, TimeframeBetweenAttempts))
  {
    return WebSecurity.Login(userName, password);
  }

  return false;
}

@leastprivilege
Member

There you go. WebSecurity.Login sets the cookie.

Simple Membership FTW!

@vjragind
Author

vjragind commented May 2, 2013

Darn! Thank you so much for helping me with this. Paul and you are awesome!

BTW what software do you use for "looking into the code" of a microsoft dll? Paul gave me a suggestion too...

@leastprivilege
Member

Reflector

@vjragind
Author

vjragind commented May 2, 2013

Thank you again.

I fixed the signout problem by calling "FormsAuthentication.SignOut" in IdentityServer's WSFederationController - Process WSFederationSignOut.

@leastprivilege
Member

Well - rather don't use WebSecurity.Login. That would be the appropriate fix.

@vjragind
Author

vjragind commented May 2, 2013

We had this conversation a couple of months ago. This is more out of ignorance than anything else. Could you tell me why you suggest that I rather not use SimpleMembership? I am curious to know so I can talk to the Sr. Architect on the project about this.

@leastprivilege
Member

Why do you use it - and take the burden of changing plain IdSrv? ;)

I don't mean to throw out simple membership - just don't use the Login API, since it seems to combine credential validation and setting a cookie. Both operations must be available separately somehow.

@vjragind
Author

vjragind commented May 2, 2013

We changed identity server only because we needed to authenticate against a custom user store. That's why we use simple membership. Now how would I go about using my custom "user" table and still use the login methods of identity server ?


@leastprivilege
Member

Implementing IUserRepository and IClaimsRepository. That's totally fine.

In IUserRepository you return true/false in ValidateUser - that's all.

@vjragind
Author

vjragind commented May 2, 2013

OK, I took your advice, and since there aren't any methods in SimpleMembership to ONLY validate a user and not sign them in, I log them in and log them off immediately. I know this is a "hack", but I can't think of anything else (other than checking the username and decrypted password myself). Thank you again for your help.

public bool ValidateUser(string userName, string password)
{
  bool validUser = false;
  if (WebSecurity.Login(userName, password))
  {
    WebSecurity.Logout();
    validUser = true;
  }

  return validUser;
}

@leastprivilege
Member

lol - that's the source code of WebSecurity.Login ;)

public static bool Login(string userName, string password, bool persistCookie = false)
{
  VerifyProvider();
  bool flag = Membership.ValidateUser(userName, password);
  if (flag)
  {
    FormsAuthentication.SetAuthCookie(userName, persistCookie);
  }
  return flag;
}

Do I need to say more? ;)
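A credential-only ValidateUser, added here as an example (it is not code from the thread or from IdentityServer): it does what Dominick describes (return true/false, nothing else) by calling Membership.ValidateUser, which the WebSecurity.Login source above shows is the validation half of Login, and adds a guard that warns if a Forms Authentication cookie gets queued on the STS anyway. The class name, the lockout values and the use of Trace for the warning are assumptions; the repository's ValidateUser would simply delegate to it.

```csharp
using System;
using System.Web;
using System.Web.Security;
using WebMatrix.WebData;

// Credential validation for IdentityServer's IUserRepository that does NOT establish
// a Forms Authentication session. WebSecurity.Login (source in the comment above) calls
// Membership.ValidateUser and then FormsAuthentication.SetAuthCookie; the second call
// produced the .ASPXAUTH cookie on the STS that WS-Federation sign-out never cleared.
public static class SimpleMembershipCredentialValidator
{
    // Lockout parameters named as in the original ValidateUser; the values are assumed.
    private const int AllowedLoginAttempts = 5;
    private const int TimeframeBetweenAttemptsSeconds = 300;

    // Returns true only if the password is correct and the account is not locked out.
    // The HTTP response is left untouched: no cookie, no session.
    public static bool ValidateUser(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // Same SimpleMembership lockout check the original code used.
        if (WebSecurity.IsAccountLockedOut(userName, AllowedLoginAttempts, TimeframeBetweenAttemptsSeconds))
            return false;

        // Membership.ValidateUser dispatches to the configured provider. With
        // SimpleMembershipProvider registered and WebSecurity initialised, this is the
        // validation half of WebSecurity.Login, without the cookie half.
        bool valid = Membership.ValidateUser(userName, password);

        WarnIfFormsCookieQueued();
        return valid;
    }

    // Regression guard: if any code path queues a Forms Authentication cookie while the
    // STS validates credentials, the sign-out problem from this thread is back.
    // Response.Cookies[name] would CREATE the cookie, so AllKeys is inspected instead.
    private static void WarnIfFormsCookieQueued()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null) return; // not inside a web request (e.g. a unit test)

        string cookieName = FormsAuthentication.FormsCookieName;
        if (Array.IndexOf(ctx.Response.Cookies.AllKeys, cookieName) >= 0)
            System.Diagnostics.Trace.TraceWarning(
                "Forms auth cookie '{0}' queued during credential validation; it will survive WS-Federation sign-out.",
                cookieName);
    }
}
```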

@HornerG

HornerG commented May 3, 2013

Personally, I don't like SimpleMembership at all. I've had issues with it when using SQL Azure as the backing store, amongst other issues with its dependencies.

-----Original Message-----
From: "vjragind" notifications@github.com
Sent: ‎02/‎05/‎2013 20:12
To: "thinktecture/Thinktecture.IdentityServer.v2" Thinktecture.IdentityServer.v2@noreply.github.com
Subject: Re: [Thinktecture.IdentityServer.v2] Single sign out issue ADFS identity server integration (#195)

