Closed ladeak closed 2 years ago
Solution: scratch all above and in a custom Logout action

```csharp
return SignOut(new AuthenticationProperties() { RedirectUri = "..." }, CookieAuthenticationDefaults.AuthenticationScheme, Saml2Defaults.Scheme);
```

where the order of schemes is important.
Please close this issue if you find this a viable solution; otherwise please suggest.
@ladeak I'm wondering if you could explain how that fix worked or share some example code? I'm seeing the same problem and couldn't figure out what you did. Thanks
In the sign out make sure to have the order of logout schemes in that order as above.
@ladeak Thanks! I've got it now.
I'm working in Blazor and was missing some context. For anyone else, here is what I got working. Added a controller:
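```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Sustainsys.Saml2.AspNetCore2;

[ApiController]
[Route("[controller]")]
public class HomeController : Controller
{
    [HttpGet]
    public IActionResult Index()
    {
        // Sign out of the cookie scheme first, then the Saml2 scheme; the order matters.
        return SignOut(new AuthenticationProperties() { RedirectUri = "..." }, CookieAuthenticationDefaults.AuthenticationScheme, Saml2Defaults.Scheme);
    }
}
```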
Then I could navigate to that and it triggered the federated logout. There may be an option that skips having the controller, but everything I found either didn't take multiple authentication schemes OR gave me some other error.
```csharp
navigationManager.NavigateTo("Home", true);
```
Hi,
I am using Sustainsys.Saml2.AspNetCore2 version 2.9.0.
I have CookieAuthenticationScheme as my DefaultScheme and Saml2 as my DefaultChallengeScheme.
As far as I see, when login happens I get an ASP.NET Core cookie, and my endpoints get the identity/claims from the Saml2 auth. That means SessionIndex and LogoutNameIdentifier claims are available.
However, when I call the /Saml2/Logout endpoint I see "Federated logout not possible, redirecting to post-logout", and after debugging it seems that the User has no claims, hence it is not possible.
I also see another issue for the same topic, and reading the sample again, I see there is a `class Saml2ClaimsFactory : IUserClaimsPrincipalFactory<ApplicationUser>`, which is used; however, I am not sure if this is the best on a web API. I am considering two approaches:
LogoutCommand to generate SAML logout request.
Would you have any other suggestions on what would be the best way to handle this?
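
The sign-out from the thread combined with a check for the two claims the original post names, as an added example that is not code from the thread or from Sustainsys.Saml2. It logs when the principal lacks `SessionIndex` or `LogoutNameIdentifier`, the condition under which only the local cookie is cleared and the IdP receives no logout request. The `account/logout` route, the controller name and the `/signed-out` redirect are assumptions.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Sustainsys.Saml2;              // Saml2ClaimTypes
using Sustainsys.Saml2.AspNetCore2;  // Saml2Defaults

[Route("account")] // hypothetical route, not from the thread
public class LogoutController : Controller
{
    // The two claims the original post names as needed for federated logout.
    private static readonly string[] RequiredClaims =
    {
        Saml2ClaimTypes.SessionIndex,
        Saml2ClaimTypes.LogoutNameIdentifier,
    };

    private readonly ILogger<LogoutController> _logger;

    public LogoutController(ILogger<LogoutController> logger) => _logger = logger;

    [HttpGet("logout")]
    public IActionResult Logout()
    {
        // Collect the required claim types that the current principal lacks.
        var missing = RequiredClaims
            .Where(type => User.FindFirst(type) is null)
            .ToArray();

        if (missing.Length > 0)
        {
            // Record that this sign-out will be local only, so the gap is
            // visible in the application log rather than only in the debugger.
            _logger.LogWarning(
                "Federated logout not possible; missing claims: {Missing}",
                string.Join(", ", missing));
        }

        // Hypothetical local post-logout page.
        var properties = new AuthenticationProperties { RedirectUri = "/signed-out" };

        // Scheme order as given in the thread: cookie first, then Saml2.
        return SignOut(properties,
            CookieAuthenticationDefaults.AuthenticationScheme,
            Saml2Defaults.Scheme);
    }
}
```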