
I'm implementing SSO (Single Sign On and Single Sign Out) for my applications. Let's say I have

  1. Application "A" that is
    • Hosted on https://app1.test.com
    • Registered in AD on-premise with a Wtrealm equal to https://app1.test.com
  2. Application "B" that is
    • Hosted on https://app2.test.com
    • Registered in AD on-premise with a Wtrealm equal to https://app2.test.com

I've used this blog as a reference to implement Single Sign On in both applications: https://blogs.msdn.microsoft.com/sakamati/2015/07/06/creating-owin-based-ws-federation-application/

The problem I'm facing is with Single Sign Out. When I sign out in one application, the session in the other application still remains active.

What am I missing so that Single Sign Out will work for both applications?

Hiren Desai

2 Answers

When you say "Is registered in AD on-premise" do you mean "Is registered in ADFS on-premise"?

Are you following the steps as per this using "wa=wsignout1.0"?

rbrayb
  • Yes, I meant the applications are registered in ADFS on-premise. Also, I'm following that link. The problem is, by using that sign-out link, I'm able to log out of one application but the other application doesn't (since it's unaware that the sign-out has happened at the Identity Server) – Hiren Desai Nov 11 '19 at 06:41
  • Check that your LogoutUri is set for all of your clients. ADFS does its best, but you need to implement logic to handle the request and take action to sign out the user. Also, make sure that the client application has dropped all authenticated artifacts after a sign-out request was received at the registered LogoutUri. If they still have a valid refresh token, ADFS will still issue the access token. It might also be useful to reference this question: https://stackoverflow.com/q/32460101/7447383 – R. McManaman Nov 12 '19 at 17:22
  • @R.McManaman - Does ADFS send a logout request to the relying party registered in ADFS? I'm still confused as to how the other application would know that a logout was requested by another application? – Hiren Desai Nov 29 '19 at 04:42
  • Have a look at SLO - https://www.portalguard.com/blog/2016/06/20/saml-single-logout-need-to-know/ – rbrayb Nov 30 '19 at 02:59

1. First way: in ConfigureServices(IServiceCollection services)

.AddWsFederation(options =>
{
    options.MetadataAddress = stsConfig.MetadataAddress;
    options.RequireHttpsMetadata = true;
    // OnRedirect is the author's own redirect handler (not shown)
    options.Events.OnRedirectToIdentityProvider += OnRedirect;
    // Called when ADFS sends the sign-out cleanup request to this relying party:
    // drop the local cookie session and tell the handler the response is done
    options.Events.OnRemoteSignOut = async context =>
    {
        await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        context.HandleResponse();
    };
});

2. Second way.

ADFS does a GET to /signin-wsfed with params to app1 when you sign out in app2. I couldn't find documentation about it, but I saw it in debugging and logs. For ASP.NET Core 3.1:

public void ConfigureServices(IServiceCollection services)
{
   ...
   services.AddScoped<WsFederationAuthCleanupMiddleware>();
   ...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
   ...
   app.UseMiddleware<WsFederationAuthCleanupMiddleware>();
   ...
   app.UseAuthentication();
   ...
}

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class WsFederationAuthCleanupMiddleware : IMiddleware
{
    private readonly ILogger<WsFederationAuthCleanupMiddleware> _logger;

    public WsFederationAuthCleanupMiddleware(ILogger<WsFederationAuthCleanupMiddleware> logger)
    {
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    {
        var request = context.Request;

        // could look for a specific path as well (the WS-Federation handler's default
        // RemoteSignOutPath is /signin-wsfed)...
        if (request.Query.TryGetValue("wa", out var wa) && wa == "wsignoutcleanup1.0")
        {
            _logger.LogDebug("WsFederationAuthCleanupMiddleware with {@Query}", request.Query);
            // Your sign-in scheme, probably cookies. Await the sign-out so the cookie is
            // actually cleared before the (empty) response goes back to ADFS.
            await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return;
        }

        await next(context);
    }
}
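The two answers above each show one half of the picture: the first answer and its comments concern the sign-out that an application initiates (wa=wsignout1.0, a LogoutUri registered for every relying party, and dropping all local artifacts), while the second shows the cleanup request ADFS then sends to each relying party. The following is an added example, not code from the question or either answer, that puts both halves into one ASP.NET Core relying party. The Startup layout, the controller, the metadata URL, and the Wtrealm value are assumptions standing in for app1/app2's real configuration; the scheme names and option properties are those of Microsoft.AspNetCore.Authentication.WsFederation.

```csharp
// Added example: both sides of WS-Federation single sign-out for one relying party.
// Namespaces, the STS metadata URL and the Wtrealm are assumed values.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddWsFederation(options =>
            {
                // Assumed values: use the realm and STS registered for this RP in ADFS.
                options.Wtrealm = "https://app1.test.com";
                options.MetadataAddress =
                    "https://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml";
                options.RequireHttpsMetadata = true;

                // Receiving side: ADFS sends wa=wsignoutcleanup1.0 to this path for every RP
                // that took part in the session. /signin-wsfed is the handler's default; it is
                // set explicitly so it visibly matches the endpoint registered for the RP in ADFS.
                options.RemoteSignOutPath = "/signin-wsfed";

                // Drop the local cookie session when the cleanup request arrives.
                options.Events.OnRemoteSignOut = async ctx =>
                {
                    await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    ctx.HandleResponse();
                };
            });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class AccountController : Controller
{
    // Initiating side. Signing out of the cookie scheme alone ends only this app's session:
    // ADFS and the other RPs stay signed in, which is the behaviour the question describes.
    // Signing out of the WS-Federation scheme as well redirects the browser to ADFS with
    // wa=wsignout1.0, and ADFS then sends wsignoutcleanup1.0 to the other RPs' sign-out paths.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(WsFederationDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = "/" });
    }
}
```

Two things to check when the second application still keeps its session: first, that the cleanup request actually reaches it (ADFS only sends it to relying parties whose sign-out endpoint is registered, which is the LogoutUri point made in the comments), and second, that the request carries the application's cookie. ADFS delivers the cleanup GET from the browser, typically inside a frame or image tag, so a cookie marked SameSite=Strict or Lax is not sent with that cross-site request and the OnRemoteSignOut handler has nothing to clear; the request shows up in the logs, as the second answer observed, but the session survives. Logging the incoming cleanup requests, as the middleware in the second answer does, is the quickest way to tell the two failure modes apart.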