This repository was archived by the owner on Dec 13, 2018. It is now read-only.

[WS-Federation] Implement signout cleanup #1425

Closed
leastprivilege opened this issue Sep 14, 2017 · 7 comments

Comments

@leastprivilege
Contributor

leastprivilege commented Sep 14, 2017

http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175005

When a sign-out clean-up GET is received at a realm, the realm SHOULD clean-up any cached information and delete any associated artifacts/cookies. If requested, on completion the requestor is redirected back to requestor's IP/STS.

It is very similar to OIDC front-channel signout (/signout-oidc) - when the IdP receives a sign-out, it notifies all RPs in the current session by sending them a signout cleanup message. The RPs then delete their own local state (e.g. authentication cookie).
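As an added illustration (not code from aspnet/Security or from the issue author), the RP side of the clean-up message described above: an ASP.NET Core 2.x endpoint that accepts the unauthenticated wsignoutcleanup1.0 GET, drops only the RP's own cookie session, and follows wreply back only when it points at the configured STS host. The path, the STS host name and the use of the default cookie scheme are assumptions for the example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class WsFedSignOutCleanup
{
    // Action value the STS sends in the sign-out clean-up GET (WS-Federation 1.2 passive profile).
    public const string SignOutCleanupAction = "wsignoutcleanup1.0";

    // A wreply may only be followed if it is an absolute https URL on the trusted STS host;
    // the clean-up GET carries no authentication, so anything else would be an open redirect.
    public static bool IsTrustedReply(string wreply, string trustedStsHost)
    {
        if (string.IsNullOrEmpty(wreply)) return false;
        return Uri.TryCreate(wreply, UriKind.Absolute, out var uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && string.Equals(uri.Host, trustedStsHost, StringComparison.OrdinalIgnoreCase);
    }

    // Assumed usage in Startup.Configure: app.UseWsFedSignOutCleanup("/signout-wsfed", "adfs.example.test");
    public static IApplicationBuilder UseWsFedSignOutCleanup(
        this IApplicationBuilder app, PathString path, string trustedStsHost)
    {
        return app.Map(path, branch => branch.Run(async context =>
        {
            // Only the clean-up action is handled here; other requests on this path are rejected.
            if (!HttpMethods.IsGet(context.Request.Method)
                || context.Request.Query["wa"] != SignOutCleanupAction)
            {
                context.Response.StatusCode = StatusCodes.Status400BadRequest;
                return;
            }

            // The RP's only job is to delete its own local state (here, the authentication cookie);
            // it must not start a new sign-in or touch the STS session.
            await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

            // "If requested" (wreply present), redirect back to the STS; otherwise a plain 200
            // lets the STS continue fanning out clean-ups to the other RPs in the session.
            string wreply = context.Request.Query["wreply"];
            if (IsTrustedReply(wreply, trustedStsHost))
                context.Response.Redirect(wreply);
            else
                context.Response.StatusCode = StatusCodes.Status200OK;
        }));
    }
}
```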

@Eilon Eilon added the investigate Investigation item label Sep 14, 2017
@Eilon Eilon added this to the 2.0.0-wsfed milestone Sep 14, 2017
@Eilon Eilon added 1 - Ready enhancement and removed investigate Investigation item labels Sep 14, 2017
@Eilon
Contributor

Eilon commented Sep 14, 2017

Seems important to have this per @vibronet.

@leastprivilege
Contributor Author

I am so happy that Vittorio agrees with me...

@Tratcher
Member

Tratcher commented Sep 19, 2017

AAD appears to support this, you can define a Logout Url in the portal. However, I cannot find the right IDP endpoint to trigger the single signout.

@KoalaBear84

KoalaBear84 commented Jan 23, 2018

I have really no idea how to call this feature. Does anybody have an example of how this works / is called? Thanks!

I did check this out and called await context.SignOutAsync(WsFederationDefaults.AuthenticationScheme);:
https://github.com/aspnet/Security/blob/rel/2.0.0-ws-preview2/samples/WsFedSample/Startup.cs

But it does not log out the external STS 'session'. I do not have to log in again, it is still logged in externally.

@Tratcher
Member

Which STS are you using?

@Tratcher
Member

See #1581

@KoalaBear84

At least it is ADFS, and probably version 4. I'm not into those details of STS myself. Then I will wait for the next preview / final version. For now I'll redirect to a self-created STS logout link (it is not yet in production).

Thanks for your answer @Tratcher!

Tratcher added a commit that referenced this issue Feb 5, 2018
…d tests.

#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.
Tratcher added a commit that referenced this issue Feb 6, 2018
…d tests.

#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.
Tratcher added a commit that referenced this issue Feb 12, 2018
…d tests.

#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.
Tratcher added a commit that referenced this issue Feb 26, 2018
…d tests.

#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.