2

After viewing the Pluralsight videos on Identity and Access Control, and basically getting everything set up that I need to (I have a running local instance of Thinktecture Identity Server on my machine, as well as the Identity and Access vs2012 extension), I cannot get two web applications in the same solution to authenticate against the Identity Server.

Currently, they are both requiring me to log into the Id server, which is not what I want; I want to be able to log into the Id server once and be authenticated for both sites.

Here are the parts of the web.config which I THINK determine how this should go:

What exactly is the role of "realm"? Does this need to be a real URL, or can it be treated like a namespace? I'm imagining realm must come into play when trying to use the same security token issued by the Id Server across multiple sites.

<system.identityModel.services>
  <federationConfiguration>
    <!-- session cookie settings; requireSsl="false" only because the sites run on plain HTTP locally -->
    <cookieHandler requireSsl="false" />
    <!-- issuer: the STS sign-in endpoint; realm: identifies this relying party to the STS (sent as wtrealm);
         reply: where the STS posts the token back -->
    <wsFederation passiveRedirectEnabled="true"
                  issuer="https://MyIdServer.com/idsvr/issue/wsfed"
                  realm="http://MyLocalServerRunningIISExpress:55495/"
                  reply="http://MyLocalServerRunningIISExpress:55495/"
                  requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

How do audienceUris work? I'm assuming if I want to have the one security token used across multiple sites, I need to have each site's URL represented in the audienceUris section?

<system.identityModel>
  <identityConfiguration>
    <!-- custom claims transformation hook -->
    <claimsAuthenticationManager type="SSO.Security.ClaimsAuthenticationManager, SSO.Security" />
    <!-- a token is only accepted if its audience is one of these URIs -->
    <audienceUris>
      <add value="http://MyLocalServerRunningIISExpress:55495/" />
      <add value="http://MyLocalServerRunningIISExpress:53133/" />
    </audienceUris>
  </identityConfiguration>
</system.identityModel>

The other web.config file for the second site is just like the sections above, but with the port numbers changed on the URLs.

Again, I DO have the Id Srv passing back a token to me that authenticates me for ONE site, but I cannot for the life of me get it working for two.

I'm guessing this is a config issue, or maybe the fact that I'm running two instances of IIS Express on two port numbers instead of having a real IIS server involved and using a URL instead?

ΩmegaMan
Michael McCarthy

4 Answers

1

Have you tried FederatedSignOut?

using System;
using Microsoft.IdentityModel.Web;   // WIF 1.0 namespace

// Clear the local session and send the browser to the STS with a sign-out request (WIF 1.0 API)
WSFederationAuthenticationModule am = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(am.Issuer), new Uri(am.Realm));

I know this is WIF 1.0 but there should be something similar in WIF 4.5

rbrayb
1

nzpcmad, here's what's similar in 4.5:

using System;
using System.IdentityModel.Services;   // WIF 4.5 namespace
using System.Web.Mvc;

var authModule = FederatedAuthentication.WSFederationAuthenticationModule;

// clear the local session cookie without redirecting
authModule.SignOut(false);

// build the wsignout1.0 request for the STS and redirect the browser to it
var signOutRequestMessage = new SignOutRequestMessage(new Uri(authModule.Issuer), authModule.Realm);
var queryString = signOutRequestMessage.WriteQueryString();
return new RedirectResult(queryString);

I THINK the problem here has something to do with the way Thinktecture Id Svr is issuing the cookie that's supposed to keep track of what relying parties are authenticated. For some reason, the cookie that contains the authenticated RPs does not seem to be issued until a logout request is received, and I believe that cookie is supposed to be issued when a login request is received?

Some other people have had the same problem, and there is a ticket open on GitHub for it: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/197

Michael McCarthy
0

Okay, apparently, you have to check the "remember me" checkbox in order for the cookie to propagate to the other website. So, in essence, this now works. What I STILL can't do however is log off correctly. Again, the website that is doing the logoff is clearing its own cookie, and then taking care of the STS cookie, but the other website remains logged in.

On the STS server logout page, the source view has:

<iframe style="visibility: hidden; width: 1px; height: 1px" src="http://MyServer:55495/?wa=wsignoutcleanup1.0"></iframe>

But since there are TWO websites currently logged in, I should see two of these entries here, so this page can clean up that cookie as well.

Here is my logout code:

using System;
using System.IdentityModel.Services;
using System.Web.Mvc;

var authModule = FederatedAuthentication.WSFederationAuthenticationModule;

//clear local cookie
authModule.SignOut(false);

//initiate federated sign out request to the STS
var signOutRequestMessage = new SignOutRequestMessage(new Uri(authModule.Issuer), authModule.Realm);
var queryString = signOutRequestMessage.WriteQueryString();
return new RedirectResult(queryString);

I believe this code is correct, but I guess the problem is the STS server isn't keeping track of which relying parties are logged in and need to have their cookies destroyed?

Michael McCarthy
  • One issue is that the cookies are different for the two sites. You need to specify the cookie name to be used, so the same cookie is shared. See [my answer](http://stackoverflow.com/a/17229883/109392). This fixes the single signon issue, and takes away the need for "remember me" to get it working. – awe Jun 21 '13 at 07:49
0

In the cookie handler, you should specify name, domain (and possibly path). These must be equal on all sites that use this.

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" 
       name="myCookieName" domain="MyLocalServerRunningIISExpress" path="/"/>
    <wsFederation passiveRedirectEnabled="true" requireHttps="false" 
       issuer="https://MyIdServer.com/idsvr/issue/wsfed" 
       realm="http://MyLocalServerRunningIISExpress:55495/" />
  </federationConfiguration>
</system.identityModel.services>

I am not sure how this works with your setup using different port numbers. The setup I have is standard IIS, and both sites running as applications on the same root.

Another setup I know works is to have two sites set up with the last part of the domain in common. That is, the sites have URLs site1.mydomain.com and site2.mydomain.com. Then the domain parameter in the <cookieHandler> is set to mydomain.com.

And yes, all sites must be listed in <audienceUris> like you have already in your example.

Note:
When the reply url is identical to realm, the reply parameter is not strictly needed.

awe
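The following is an added example, not code from the question or from any of the answers above. It applies the same settings awe's answer puts in web.config (one cookie name, domain and path on every site; every site listed as an allowed audience) from code, so both relying parties are guaranteed to use identical values, and it adds the one piece the XML alone does not cover: the session cookie is encrypted, and WIF 4.5 protects it with DPAPI by default, which only decrypts on the same machine under the same account. For two apps in different app pools or on different servers, switch to MachineKeySessionSecurityTokenHandler and give both sites the same <machineKey>. It assumes WIF 4.5 (System.IdentityModel and System.IdentityModel.Services), an ASP.NET Global.asax, and the question's placeholder host name and ports; the class and constant names are hypothetical. Realm itself stays in web.config because it differs per site: it is the value sent to the STS as wtrealm to say which relying party is signing in, whereas audienceUris is the relying party's own check that a presented token was actually issued for one of these sites.

```csharp
// Added example (not from the question or answers): configure shared SSO
// settings for both relying parties in code. Assumes WIF 4.5.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Hypothetical constants: the two relying parties from the question.
    private static readonly Uri Site1 = new Uri("http://MyLocalServerRunningIISExpress:55495/");
    private static readonly Uri Site2 = new Uri("http://MyLocalServerRunningIISExpress:53133/");

    protected void Application_Start()
    {
        // Raised once, after web.config has been read and before the
        // federation modules handle their first request.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        var config = e.FederationConfiguration;

        // 1. One cookie with the same name, domain and path on both sites, so the
        //    browser sends the session cookie written by site 1 to site 2 as well.
        config.CookieHandler = new ChunkedCookieHandler
        {
            Name = "myCookieName",
            Domain = "MyLocalServerRunningIISExpress",
            Path = "/",
            RequireSsl = false   // plain HTTP only for the local setup; keep true in production
        };

        // 2. Each site must accept a token whose audience is either site, because
        //    the STS names the realm of whichever site started the sign-in.
        var audiences = config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris;
        if (!audiences.Contains(Site1)) audiences.Add(Site1);
        if (!audiences.Contains(Site2)) audiences.Add(Site2);

        // 3. Protect the session cookie with the ASP.NET machineKey instead of
        //    DPAPI, so any site that shares the same <machineKey> can read it.
        config.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(
            new MachineKeySessionSecurityTokenHandler());
    }
}
```

With both sites sharing the cookie and the key that protects it, the "remember me" workaround mentioned in the question is no longer needed for sign-in. Sign-out across sites is still a separate concern: the STS has to send the browser a wsignoutcleanup1.0 request for every relying party it knows about, and the WSFederationAuthenticationModule on each site handles that request by clearing its own session cookie; a site the STS never recorded will stay signed in, which is the behaviour described in the third answer.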