IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Single signout not tracking all consuming applications? #197

Closed andrasnemes closed 11 years ago

andrasnemes commented 11 years ago

Hello,

I have set up the Thinktecture server and have 2 web apps that use it for logging in, say WebA and WebB. Single SignOn works fine - I log in from WebA and I don't need to log in from WebB.

However, when I try to log out from WebA then the HTTP response from the identity server only includes the signout cleanup message from WebA, WebB is still logged on. The HTML on the Thinktecture signout page only includes the iframe with the signout cleanup message for the application where I pressed the logout button.

The same happens if I log out of WebB, WebA is not logged out. When I navigate to the site where I did not press the logout button I'm logged on automatically.

Any ideas why this happens? Something in web.config? something in the Thinktecture settings?

Thanks, Andras

leastprivilege commented 11 years ago

At sign in, IdSrv writes a cookie that keeps track of all sites you log in. Can you verify that this is written correctly - and has the correct content?

andrasnemes commented 11 years ago

Do you mean the cookie called idsrvauth? The contents of that cookie are encrypted. How can I verify that the contents are correct?

leastprivilege commented 11 years ago

wsfedsignout is the name.

andrasnemes commented 11 years ago

That is always set to the URL where I pressed the signout button. I'm trying to do the following:

What am I doing wrong?

andrasnemes commented 11 years ago

I pressed the close button by mistake...

leastprivilege commented 11 years ago

I have to repro that. This will take some days.

If you want to investigate yourself, put a breakpoint in the WSFederationController (in the protocols assembly).

andrasnemes commented 11 years ago

OK.

In the meantime I want to check something with you. At which step is the wsfedsignout cookie supposed to be set exactly? Fiddler is telling me the following:

Is the wsfedsignout cookie supposed to be set at sign in or sign out?

leastprivilege commented 11 years ago

OK - I did a repro. Works for me, that's all I can do right now. I documented the sequence for you, so you can debug yourself to find out what's wrong:

Fiddler trace: https://dl.dropboxusercontent.com/u/77464820/permanent/IdSrv%20signin%20and%20signout.saz

and the relevant steps:

1. Start (idsrvrp)
2. Try to access protected resource, redirect to wsfed endpoint
3. Not authenticated at sts, redirect to login page
5. Login successful, set login cookie (idsrvauth)
6. WS-Fed response, set signout cookie for idsrvrp (wsfedsignout)
7. Set fedauth cookie in idsrvrp
8. Access idsrvp protected resource

9. Start (idsrvrp2)
10. Try to access protected resource, redirect to wsfed endpoint
11. Access WS-Fed endpoint (already authenticated via idsrvauth cookie)
    WS-Fed response, add idsrvp2 to wsfedsignout cookie
12. Set fedauth cookie in idsrvrp2
13. Access idsrvrp2 protected resource

14. Sign-out in idsrvrp2
15. Hit STS signout endpoint
    Clear idsrvauth cookie
    Clear wsfedsignout cookie
    Render sign-out iframes
16. Signout cleanup idsrvrp (clear fedauth cookie)
17. Signout cleanup idsrvrp2 (clear fedauth cookie)
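The sequence above can be modelled to see why the reporter only gets one cleanup iframe. The following is an added example written for this thread, not IdentityServer code: the STS appends each relying party's realm to the wsfedsignout cookie when it issues a WS-Fed response (steps 6 and 11), and at the signout endpoint (step 15) it clears idsrvauth and wsfedsignout and renders one `wa=wsignoutcleanup1.0` iframe per tracked realm (steps 16 and 17). The cookie layout (a pipe-separated list of realm URLs), the helper names and the `*.example` realms are assumptions made for the example; the real cookie is opaque and encrypted. The `append=False` path models the symptom from the report, where the cookie only ever holds the last RP that signed in, so sign-out from that RP renders a single iframe and the other RP keeps its fedauth cookie.

```python
"""Model of IdSrv-style WS-Federation single sign-out tracking.

Constructed example for the thread above; not IdentityServer's own code.
Cookie layout (pipe-separated realm list) is an assumption.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

AUTH_COOKIE = "idsrvauth"        # STS login session (step 5)
SIGNOUT_COOKIE = "wsfedsignout"  # realms to clean up on sign-out (steps 6, 11)
WSIGNOUT_CLEANUP = "wsignoutcleanup1.0"  # WS-Federation passive cleanup action


def parse_signout_cookie(cookies):
    """Return the list of RP realms currently tracked in the signout cookie."""
    value = cookies.get(SIGNOUT_COOKIE, "")
    return [realm for realm in value.split("|") if realm]


def record_rp_signin(cookies, realm, append=True):
    """Called when the STS issues a WS-Fed response to `realm`.

    append=True is the behaviour documented in the thread (step 11: add the
    second RP to the existing cookie). append=False models the failure the
    reporter describes: the cookie is overwritten, so it only ever names the
    last RP that signed in.
    """
    realms = parse_signout_cookie(cookies) if append else []
    if realm not in realms:
        realms.append(realm)
    cookies[SIGNOUT_COOKIE] = "|".join(realms)
    return cookies


def cleanup_url(realm):
    """Build the RP's sign-out cleanup URL: <realm>?wa=wsignoutcleanup1.0."""
    parts = urlsplit(realm)
    extra = urlencode({"wa": WSIGNOUT_CLEANUP})
    query = "&".join(q for q in (parts.query, extra) if q)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def sts_signout(cookies):
    """Step 15: read tracked realms, clear both STS cookies, render iframes.

    Returns (realms, html). Every realm in the list gets an iframe whose load
    makes the RP drop its own fedauth cookie (steps 16 and 17).
    """
    realms = parse_signout_cookie(cookies)
    iframes = [
        '<iframe style="visibility:hidden;width:1px;height:1px" src="%s"></iframe>'
        % cleanup_url(realm)
        for realm in realms
    ]
    cookies.pop(AUTH_COOKIE, None)
    cookies.pop(SIGNOUT_COOKIE, None)
    return realms, "\n".join(iframes)


def simulate(append=True):
    """Run the thread's sequence: sign in to two RPs, then sign out from the second."""
    cookies = {AUTH_COOKIE: "session-token"}              # step 5 (value constructed)
    record_rp_signin(cookies, "https://idsrvrp.example/", append)   # step 6
    record_rp_signin(cookies, "https://idsrvrp2.example/", append)  # step 11
    realms, html = sts_signout(cookies)                    # steps 14-17
    return realms, html, cookies


if __name__ == "__main__":
    for mode in (True, False):
        realms, html, left = simulate(append=mode)
        print("append=%s -> cleanup iframes for: %s" % (mode, realms))
        print(html)
```

When debugging the real server, the check that matters is step 11: the Set-Cookie for wsfedsignout in the second RP's WS-Fed response must carry both realms, not just the newest one. If Fiddler shows the cookie being set only at sign-out, or reset to a single value on each sign-in, the STS never learns about the other RP and cannot render its cleanup iframe.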

leastprivilege commented 11 years ago

Any comments?

andrasnemes commented 11 years ago

I'm currently working on installing Idsrv using the latest update of the Identity and Access Tool in Visual Studio. I'll close this thread and open a new one if necessary after redoing the whole setup chain.