Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Federated Single Logout in ASP.NET Core WebApi #1356

Closed ladeak closed 2 years ago

ladeak commented 2 years ago

Hi,

I am using Sustainsys.Saml2.AspNetCore2 version 2.9.0.

I have CookieAuthenticationScheme as my DefaultScheme and Saml2 as my DefaultChallengeScheme.

services.AddAuthentication(options=>
{
  options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
  options.DefaultChallengeScheme = Saml2Defaults.Scheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddSaml2(Saml2Defaults.Scheme, options =>
{ 
   //...
});

As far as I see, when login happens I get an ASP.NET Core cookie, and my endpoints get the identity/claims from the Saml2 auth. That means SessionIndex and LogoutNameIdentifier claims are available.

However, when I call the /Saml2/Logout endpoint I see "Federated logout not possible, redirecting to post-logout", and after debugging it seems that the User has no claims, hence it is not possible.

I also see another issue on the same topic, and reading the sample again I see there is a class Saml2ClaimsFactory : IUserClaimsPrincipalFactory<ApplicationUser> which is used; however, I am not sure if this is the best option for a web API.

I am considering two approaches:

Would you have any other suggestions on what would be the best way to handle this?

ladeak commented 2 years ago

Solution: scratch all above and in a custom Logout action

return SignOut(new AuthenticationProperties() { RedirectUri = "..." }, CookieAuthenticationDefaults.AuthenticationScheme, Saml2Defaults.Scheme);

where the order of the schemes is important.

Please close this issue, if you find this as a viable solution, otherwise please suggest.

Siphonophora commented 1 year ago

@ladeak I'm wondering if you could explain how that fix worked or share some example code? I'm seeing the same problem and couldn't figure out what you did. Thanks

ladeak commented 1 year ago

In the sign out, make sure the logout schemes are in the same order as above.

Siphonophora commented 1 year ago

@ladeak Thanks! I've got it now.

I'm working in Blazor and was missing some context. For anyone else, here is what I got working. Added a controller:

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Sustainsys.Saml2.AspNetCore2;

[ApiController]
[Route("[controller]")]
public class HomeController : Controller
{
    // GET /Home: sign out of the cookie scheme first, then the Saml2 scheme,
    // which triggers the federated logout redirect to the IdP.
    [HttpGet]
    public IActionResult Index()
    {
        return SignOut(new AuthenticationProperties() { RedirectUri = "..." }, CookieAuthenticationDefaults.AuthenticationScheme, Saml2Defaults.Scheme);
    }
}

Then I could navigate to that and it triggered the federated logout. There may be an option that skips having the controller, but everything I found either didn't take multiple authentication schemes OR gave me some other error.

// Blazor: forceLoad = true does a full browser navigation to the /Home endpoint above.
navigationManager.NavigateTo("Home", true);
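The same fix as a complete minimal-API application, with the pre-check a practitioner would want before attempting federated logout. This is an added example, not code from the issue or from the Sustainsys.Saml2 project. It assumes the Microsoft.NET.Sdk.Web SDK with implicit usings and the Sustainsys.Saml2.AspNetCore2 2.x package; the entity ids, metadata URL, certificate path and password are placeholders. The /logout endpoint reads the principal from the cookie scheme (the default scheme, where the Saml2 handler signed the user in) and only includes the Saml2 scheme in the sign-out when the SessionIndex and LogoutNameIdentifier claims that the thread identifies as required are actually present; otherwise it does a local cookie logout instead of producing the "Federated logout not possible" fallback.

```csharp
// Added example, not code from the issue or the Sustainsys.Saml2 project.
// Assumes the Microsoft.NET.Sdk.Web SDK (implicit usings) and the
// Sustainsys.Saml2.AspNetCore2 2.x package. All ids, URLs and the
// certificate are placeholders.
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

var builder = WebApplication.CreateBuilder(args);

// Same scheme layout as in the issue: the cookie is the default scheme that
// carries the signed-in principal, Saml2 is only the challenge scheme.
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = Saml2Defaults.Scheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddSaml2(Saml2Defaults.Scheme, options =>
{
    // Placeholder SP entity id.
    options.SPOptions.EntityId = new EntityId("https://sp.example.test/Saml2");

    // Placeholder certificate. Sustainsys signs LogoutRequests, so the SP
    // needs a signing service certificate for federated logout to happen.
    options.SPOptions.ServiceCertificates.Add(
        new X509Certificate2("sp-signing.pfx", "changeit"));

    // Placeholder IdP; with LoadMetadata the entity id doubles as metadata URL.
    options.IdentityProviders.Add(new IdentityProvider(
        new EntityId("https://idp.example.test/metadata"), options.SPOptions)
    {
        LoadMetadata = true,
    });
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Custom logout action as in the thread: cookie scheme first, then Saml2.
app.MapGet("/logout", async (HttpContext ctx) =>
{
    // Read the principal from the cookie, which is where the Saml2 handler
    // stored the SessionIndex / LogoutNameIdentifier claims at sign-in.
    var auth = await ctx.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    if (!auth.Succeeded || auth.Principal is null)
    {
        return Results.Redirect("/");
    }

    var props = new AuthenticationProperties { RedirectUri = "/" };

    if (!HasFederatedLogoutClaims(auth.Principal))
    {
        // Without these claims the library can only do a local logout, so
        // skip the Saml2 scheme rather than redirecting to post-logout.
        app.Logger.LogWarning(
            "SessionIndex or LogoutNameIdentifier claim missing; local logout only");
        return Results.SignOut(props, new[] { CookieAuthenticationDefaults.AuthenticationScheme });
    }

    // Order matters: cookie scheme first, then Saml2 (see ladeak's answer).
    return Results.SignOut(props, new[]
    {
        CookieAuthenticationDefaults.AuthenticationScheme,
        Saml2Defaults.Scheme,
    });
});

app.Run();

// True when the principal carries both claims Sustainsys needs for a
// federated LogoutRequest.
static bool HasFederatedLogoutClaims(ClaimsPrincipal principal) =>
    principal.HasClaim(c => c.Type == Saml2ClaimTypes.SessionIndex)
    && principal.HasClaim(c => c.Type == Saml2ClaimTypes.LogoutNameIdentifier);
```

Hit /logout from a full browser navigation (not a Blazor client-side navigation) so the redirect to the IdP's single logout endpoint is followed. If the warning is logged, the cookie principal lost the Saml2 claims somewhere between the SAML callback and the cookie, for example in a custom claims principal factory that rebuilds the identity, and that is what to fix before the order of schemes matters.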