1

My ASP.NET MVC 4 application is protected by SSO (OAM) with an ISAPI filter running on IIS. When a request to my application is received, it is intercepted by ISAPI filter and redirected to SSO. User has to login at SSO and after that he is returned to my application.

The username of authenticated user (via SSO) is shared with my application in HTTP Request Headers. 

Request.Headers["username"]

What I am trying to achieve is- after SSO authentication, setting FormsAuthentication within my application for username = Request.Headers["username"]. This way SSO remains transparent to my application and Identity of user is available in HttpContext object, plus, I (developer) could effectively utlize Authorize attribute for specific roles.

To achieve this- I hookup into Session_Start(), read Request.Headers["username"], Set FormsAuthentication cookie. And I get this SSO user Forms-Authenticated for my application.

But my problem is when I logout (FormsAuthentication.Signout), I redirect it to another page inside the application, which triggers a new Session (I can see Session_Start triggering when this happens)

Am I doing the right thing- FormsAuthentication after SSO? And if not, why not and then how do I make my application aware of SSO authenticated user?

Arpit Khandelwal
  • 1,743
  • 3
  • 23
  • 34

2 Answers2

1

It's entirely reasonable to use FormsAuthentication cookies to track the logged in user in your application after they have been authenticated using a Single-Sign-On provider. You don't show it but I'm hoping that you are also getting some ticket that you can use to verify the signed in user out-of-band with the SSO provider and not simply trusting the username header.

What you may be seeing, however, is that the user is not signed out from the SSO provider when you sign them out of your application. Because of that, as long as they have a valid cookie for the SSO provider, they will remain signed in, i.e., the user will get automatically bounced back to your application from the SSO provider without any required authentication.

That's unfortunate, but normal.

If you truly want the user to be signed out, you'll need to make use of the centralized logout functionality. I haven't worked with OAM, but it appears that it does support this: http://docs.oracle.com/cd/E21764_01/doc.1111/e15478/logout.htm

tvanfosson
  • 524,688
  • 99
  • 697
  • 795
  • Thanks tvanfosson, its true. The SSO provider issues a token (cookie) and it has protected my entire application except one resource that is my logout URL. OAM is configured to invalidate the SSO cookie on my logout URL and here only, user loses his SSO provided identity. Good so far. This is where the problem begins. Since this logout URL is a part of my application, as soon as user is logged out (sessions killed, FormsAuth.Signout called) and redirected to this URL. SSO cookie is invalidated, but thinking that its a new request, Session_Start is called again. – Arpit Khandelwal Feb 25 '14 at 05:41
0

I had to explicitly kill the session inside Session_Start if requested URL is logout URL. And then with next request (like from logout to login page again), it generates a new session and runs smoothly. 

protected void Session_Start()
    {
        if (!Request.IsAuthenticated && !IsSignoutURL)
            AcceptSessionRequest(); //process local authentication

        else if (IsSignoutURL)
            RejectSessionRequest(); //kill the sessions
    }

For background on how SSO passes authenticated user's identity to my application, read my comment to tvanfosson's post.

The post remains opened for a better idea.

Arpit Khandelwal
  • 1,743
  • 3
  • 23
  • 34