Logging Out of Access Control Using Custom STS

I am using the Windows Azure Access Control Service with a custom STS. I can log in to my application through ACS, but I have problems with the logout function. I tried this code in my application.

    WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
    try
    {
        FormsAuthentication.SignOut();
    }
    finally
    {
        fam.SignOut(true);
    }
    Page.Response.Redirect("default.aspx");

But it looks like it is logging out of ACS, but not of the user's STS. What should I do to sign out of the STS? Where could the problem be: in the application (RP), in ACS, or in the STS?

I think ACS should ask the custom STS to log out, but it doesn't seem to do that. What am I missing?

+3
2 answers

I created a helper method to perform FederatedSignOut, with comments in the code on what I found along the way (hth).

    using System;
    using Microsoft.IdentityModel.Web;   // WIF 3.5; on .NET 4.5 the same types live in System.IdentityModel.Services

    public static void FederatedSignOut(string reply = null)
    {
        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

        // Native FederatedSignOut doesn't seem to have a way of finding/registering the realm for sign-out, so get it from the FAM
        string wrealm = string.Format("wtrealm={0}", fam.Realm);

        // Create the basic URL for sign-out (wreply is set by the native FederatedSignOut)
        string signOutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(fam.Issuer, null, wrealm);

        // Check where to return; if not set, ACS will use the Reply address configured for the RP
        string wreply = !string.IsNullOrEmpty(reply)
            ? reply
            : (!string.IsNullOrEmpty(fam.Reply) ? fam.Reply : null);

        WSFederationAuthenticationModule.FederatedSignOut(
            new Uri(signOutUrl),
            !string.IsNullOrEmpty(wreply) ? new Uri(wreply) : null);

        // Remarks! Native FederatedSignOut has an option for setting signOutUrl to null, even if the documentation says otherwise.
        // If set to null the method will search for the signOutUrl in the session token, but I couldn't find any information about how to set this.
        // Found some SharePoint code that uses this; Michele Leroux Bustamante had a code example (from 2010) that also uses this form.
        // Other examples create the sign-out URL manually and call redirect.
        // FAM has support for wsignoutcleanup1.0 right out of the box; there is no need for code to handle this.
        // That makes it even harder to understand why there is no complete FederatedSignOut method in FAM.
        // When using the native FederatedSignOut() no sign-out events will be raised; if you need them, use the FAM SignOut methods instead.
    }

This code is used in the standard RP library that we created for Web SSO with ACS.

+5

The December 2012 ACS update includes support for single sign-out:

Using the WS-Federation protocol. Web applications that use ACS to enable single sign-on (SSO) with identity providers using the WS-Federation protocol can now take advantage of single sign-out capabilities. When a user signs out of a web application, ACS can automatically sign the user out of the identity provider and out of other relying party applications that use the same identity provider.

This feature is enabled for WS-Federation identity providers, including Active Directory Federation Services 2.0 and Windows Live ID (Microsoft Account). To enable single sign-out, ACS performs the following tasks for WS-Federation protocol endpoints:

  • ACS recognizes wsignoutcleanup1.0 messages from identity providers and responds by sending wsignoutcleanup1.0 messages to relying party applications.

  • ACS recognizes wsignout1.0 request messages from relying party applications and responds by sending wsignout1.0 messages to identity providers and wsignoutcleanup1.0 messages to relying party applications.

From Code Sample: ASP.NET MVC 4 with Federated Sign-out, use an action similar to this to sign out of ACS:

(Note that Windows Identity Foundation is now included in the .NET 4.5 Framework, so the namespaces below are the new ones.)

    using System;
    using System.Configuration;
    using System.IdentityModel.Services;
    using System.IdentityModel.Services.Configuration;
    using System.Linq;
    using System.Web.Mvc;

    public ActionResult Logout()
    {
        // Load the identity configuration
        FederationConfiguration config = FederatedAuthentication.FederationConfiguration;

        // Get wtrealm from the WsFederationConfiguration section
        string wtrealm = config.WsFederationConfiguration.Realm;
        string wreply;

        // Construct the wreply value from wtrealm (this will be the return URL to your app)
        if (wtrealm.Last().Equals('/'))
        {
            wreply = wtrealm + "Logout";
        }
        else
        {
            wreply = wtrealm + "/Logout";
        }

        // Read the ACS WS-Federation endpoint from web.config,
        // something like "https://<your-namespace>.accesscontrol.windows.net/v2/wsfederation"
        string wsFederationEndpoint = ConfigurationManager.AppSettings["ida:Issuer"];

        SignOutRequestMessage signoutRequestMessage = new SignOutRequestMessage(new Uri(wsFederationEndpoint));
        signoutRequestMessage.Parameters.Add("wreply", wreply);
        signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);

        // Clear the local session cookie before redirecting the browser to ACS
        FederatedAuthentication.SessionAuthenticationModule.SignOut();

        string signoutUrl = signoutRequestMessage.WriteQueryString();
        return this.Redirect(signoutUrl);
    }
+2
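The redirect chain both answers rely on (the RP sends wsignout1.0 to ACS; ACS forwards wsignout1.0 to the identity provider and wsignoutcleanup1.0 to each relying party; the identity provider answers with its own wsignoutcleanup1.0), shown as an added Python simulation. This is not code from either answer, from WIF or from ACS: the endpoints, realms and session ids are constructed placeholders, and the wreply-origin check in safe_reply is an assumption about what a federation provider should do, not documented ACS behaviour.

```python
"""Simulation of WS-Federation passive single sign-out between a relying party (RP),
ACS acting as federation provider, and a custom STS acting as identity provider.
Endpoints, realms and session ids below are constructed placeholders."""
from collections import deque
from urllib.parse import urlencode, urlsplit, parse_qs

WSIGNOUT = "wsignout1.0"                # sign-out request an RP sends to its STS
WSIGNOUTCLEANUP = "wsignoutcleanup1.0"  # clean-up notice an STS sends to its RPs


def build_message(endpoint, wa, wtrealm=None, wreply=None):
    """Build a passive-protocol sign-out URL; empty parameters are omitted."""
    query = {"wa": wa}
    if wtrealm:
        query["wtrealm"] = wtrealm
    if wreply:
        query["wreply"] = wreply
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(query)


def parse_message(url):
    """Split a passive-protocol URL into (endpoint, parameters)."""
    parts = urlsplit(url)
    endpoint = parts._replace(query="", fragment="").geturl()
    return endpoint, {k: v[0] for k, v in parse_qs(parts.query).items()}


def safe_reply(wreply, configured_reply):
    """Assumed check: honour a caller-supplied wreply only if it shares scheme and host
    with the reply address registered for that RP; otherwise use the registered one."""
    if wreply:
        r, c = urlsplit(wreply), urlsplit(configured_reply)
        if r.scheme == c.scheme and r.netloc.lower() == c.netloc.lower():
            return wreply
    return configured_reply


class Party:
    """One participant: the sessions it issued, the RPs registered with it, its own IdP."""

    def __init__(self, name, endpoint, realm=None):
        self.name, self.endpoint, self.realm = name, endpoint, realm
        self.sessions = set()   # session ids currently signed in at this party
        self.rps = {}           # wtrealm -> (RP endpoint, registered reply address)
        self.idp = None         # endpoint of the upstream identity provider, if any
        self.redirect_to = None # where the browser is sent once clean-up is done

    def receive(self, url, session):
        """Process one sign-out message; return the messages to send next."""
        endpoint, p = parse_message(url)
        if endpoint != self.endpoint:
            raise ValueError(f"{self.name}: message for {endpoint} delivered here")
        self.sessions.discard(session)       # both message kinds end the local session
        if p.get("wa") != WSIGNOUT:
            return []                        # wsignoutcleanup1.0 is not propagated further
        wtrealm = p.get("wtrealm")
        if wtrealm not in self.rps:
            raise ValueError(f"{self.name}: unknown wtrealm {wtrealm!r}")
        self.redirect_to = safe_reply(p.get("wreply"), self.rps[wtrealm][1])
        out = []
        if self.idp:                         # propagate the sign-out to the upstream IdP
            out.append(build_message(self.idp, WSIGNOUT, wtrealm=self.realm))
        for rp_endpoint, _ in self.rps.values():   # clean up every registered RP
            out.append(build_message(rp_endpoint, WSIGNOUTCLEANUP))
        return out


def single_sign_out(parties, first_message, session):
    """Drive the redirect chain until no message is outstanding;
    return the ordered transcript of (wa, receiving party) pairs."""
    by_endpoint = {p.endpoint: p for p in parties}
    queue, transcript = deque([first_message]), []
    while queue:
        url = queue.popleft()
        endpoint, p = parse_message(url)
        party = by_endpoint[endpoint]
        transcript.append((p["wa"], party.name))
        queue.extend(party.receive(url, session))
    return transcript


def demo():
    """Constructed topology RP -> ACS -> custom STS with one browser session at each."""
    rp = Party("rp", "https://rp.example.com/", realm="https://rp.example.com/")
    acs = Party("acs", "https://example-ns.accesscontrol.windows.net/v2/wsfederation",
                realm="https://example-ns.accesscontrol.windows.net/")
    sts = Party("sts", "https://sts.example.org/wsfed")
    acs.rps[rp.realm] = (rp.endpoint, rp.endpoint + "Logout")
    acs.idp = sts.endpoint
    sts.rps[acs.realm] = (acs.endpoint, acs.endpoint)
    session = "sess-1"
    for party in (rp, acs, sts):
        party.sessions.add(session)
    # The RP starts exactly like the MVC Logout action: clear its own session,
    # then send the browser to ACS with wsignout1.0, wtrealm and wreply.
    rp.sessions.discard(session)
    start = build_message(acs.endpoint, WSIGNOUT, wtrealm=rp.realm, wreply=rp.realm + "Logout")
    transcript = single_sign_out([rp, acs, sts], start, session)
    still_signed_in = {p.name: bool(p.sessions) for p in (rp, acs, sts)}
    return transcript, still_signed_in, acs.redirect_to


if __name__ == "__main__":
    for step in demo()[0]:
        print(step)
```

Running demo() shows the four hops in order: wsignout1.0 at ACS, wsignout1.0 at the STS, wsignoutcleanup1.0 at the RP and wsignoutcleanup1.0 back at ACS, after which no party still holds the session. If the STS were not registered as ACS's identity provider (acs.idp left unset), the STS hop disappears from the transcript and the STS session survives, which is the symptom the question describes.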

Source: https://habr.com/ru/post/1502752/
